
It may have burrowed into the world of online commerce, intruding on the back-and-forth conversations between your computer and your email servers, between you and the places you buy things online. It's not completely clear what happened as a result, but are you as confident about logging on to a sales site to see your packages as you were a couple of weeks ago? The web has been full of conflicting information over the past few days. Change your password? No, not until the site has fixed its security settings. Change your password? Yes, any website worth its salt has already fixed this thing. What are you to do? I don't know. How are we going to find out? First, how we got here.

Heartbleed is a potentially critical flaw in widely used encryption software that is supposed to protect online users' personal information. The Heartbleed bug has existed for two years but was only just learned about by consumers and tech giants alike. It means that your personal information can be compromised, and there is nothing that can be done about it until websites upgrade their software. What is at risk? 500,000 sites, two-thirds of the sites that use SSL, the encryption software. This SSL layer: in basic terms, computers using OpenSSL check to see if there is a website server at the other end of a secure connection. The server and the computer exchange data to verify they are still connected. It's called a heartbeat. That's where the bug comes in. A would-be hacker or criminal can trick the server into providing much more data, revealing user names, passwords, credit card or other account information. All the while, consumers are getting varying advice on how to act when online. One suggestion is to go to an internet security site like McAfee's and type in the website you want to visit to see if they have fixed the Heartbleed bug. It has been proved that hackers can steal encryption keys using the bug and plan attacks. Google has updated its customers on its blog, announcing its progress on patches.
Google confirmed some Android phones with software from 2012 are vulnerable. That could compromise up to 4 million phones in the United States and 50 million worldwide, according to an analytics firm. There will be major disruptions as companies scramble to repair encryption software. Definitely make sure that you're keeping up with their website or their blog to see whether they were infected at all. The Heartbleed bug lands right in the middle of the ongoing debate over security practices. There were reports that the NSA knew about the bug and websites' vulnerability right from the beginning. The Office of the Director of National Intelligence issued a forceful denial, saying no one in government knew about Heartbleed prior to this April.

Joining us to help us understand this latest way to pick your pocket: a staff technologist who writes code with a focus on encryption and privacy for internet users. She joins us from San Francisco. And with us from Boston, Robert, who works with products that protect online communications. And from New York, Christina Warren, senior tech analyst.

Should we take comfort in the fact that this slumbered away as a flaw in this widely used program for years until people realized that it was there?

Well, we don't know whether anyone knew about this bug before it was publicly announced. There is no way to know that some hackers haven't found it. The OpenSSL software's code is open; anyone can read it and look for this bug. It's not hard to find it. It's hard to tell if anybody knew about it.

I don't write code. If you're surveying an open source program and looking for flaws in it, is it a needle in a haystack? Or is it something that, when you're looking for a flaw, is easy to find?

Well, with OpenSSL, the code, there is a lot of it, and it's kind of messy. You know, many people don't have the patience to just look through it. But I would say if you're reasonably skilled you could have found the bug.
Robert, how was this problem detected in the first place?

So researchers were able to detect it by looking at it. They found it. It was a eureka moment, and then they quickly disclosed it, and here we are in the midst of what would be one of the largest security crises on the internet thus far.

Disclosed it, but disclosed it to the users and potential criminals at the same time.

Well, that's kind of how these things go. When you make the public aware of it, of course you're going to make the bad guys aware of it too. But with most flaws, most vulnerabilities, if the researchers have had an opportunity to contact an individual company, then they will, depending on the nature of the hacker, whether they're black hat, gray hat or white hat; they may disclose it publicly, or they may go right to the company. In this case they didn't have a choice. They had to go public because of how many were affected by it.

Christina Warren, the very idea that the method a computer would use to talk to a server is a place where an opportunistic infection might be happening, that's stunning: that no one realized this was a flaw in the first place when it was put into widespread operation as a security device.

Well, absolutely. But to his point, the code is sort of messy. And even if the project is used very widely, it actually has only a few committers. There aren't that many people actively contributing to the project. I would compare it to this: if you're looking at it closely you could find the flaw. But you've got a ton of code there. That makes it something that could go unseen. That's a testament in part to how good OpenSSL has been in the past, and how reliant people have become on it. But at the same time it does say we're going to be using these tools, and if it's important we should be doing a better job of auditing the code and making sure that things are the way they need to be.

So the alarm goes out. The flare gets shot up into the sky.
Why does every individual site have to take care of this on their own? Why isn't there software that can then be distributed to all users in much the same way this was distributed in the first place? Christina?

Yes, that's kind of the problem. I think for regular users that's what makes it such a difficult bug to deal with, because we don't have a lot of control over it. The bottom line is that every server has to update itself on its end to be safe. Every application, every web server, every device, and I'm talking about smart phones, routers, has to be updated. Unfortunately there is just not a way to push those updates out, because they are being maintained by various companies. Because various companies maintain them, when the disclosure happened some companies were given advance warning and were able to patch things. Some were able to do what they could to patch things before the vulnerability became public. But when you talk about code that is used on 66% of the web, unfortunately we don't have the mechanism to push an update. It would be great if we did, but we don't.

What does this mean to me? Are there different systems in place for different kinds of vendors? Are banks using the same kind of secure software protections as a potter who runs a business out of their own home and sends ceramics out in the mail? Is this all the same, or are they using different kinds of items in this case?

From Google to a tiny website, they run OpenSSL. [garbled] a few might claim to have protection on top of that, but that would be foolish in this case. I think what people [garbled] have updated their software. And there is an encryption layer. So when the site loses its encryption key it's still vulnerable. Someone who has that encryption key can decrypt traffic or even impersonate that website.

What can people with bad intent do in that little window of time?

So they'll go to whatever sites they determine are not properly protected.
They'll begin to sniff in and they will extract the data. In Canada they were able to get a thousand social numbers from Canadian taxpayers, then they use that data to commit fraud. They'll open new lines of credit. They'll take over existing accounts with new names and passwords. The name behind the S is security. Encryption is essential to protect that information. When the doors are not locked, it allows the bad guy to get in. In this case it gives them more. More than likely it has occurred multiple times, and those infected may not find out for days, weeks, months, years. And it's possible that they have been affected in the past, and they'll only realize it in the future.

Now you know what the vulnerability looks like. We'll take a break, and we'll look at what consumers have to do. This is Inside Story.

Welcome back to Inside Story. I'm Ray Suarez. On this edition of our program we're talking about the Heartbleed bug. It's been out there for two years, and it raises the possibility that a hacker could get your information on a website that you and your company thought was secure. Christina, when news first came out that this was out there, my wife, who does all the banking and pays all the bills, said forget it. That's it. I'm going to let it go for a while until the dust settles.
She also pays her mother's bills, and some of those bills had to be paid right away, and it felt like a risky thing to enter personal information into the computer. What is your best advice today? How should they proceed if they've been conducting business online?

You need to know if the site you're using has updated its software and security. We've been making a list of the banks, financial institutions, social networks, and there are utilities to see if there has been a patch and they have been updated.

That means not necessarily going to the place itself, but going to some other source of the information? Or should I go to the place itself, and they say, hey, we fixed it, don't worry?

Some sites will. Some have been forthcoming, some haven't. The next step: if you used a password on a site that has been impacted by the Heartbleed bug, regardless of whether it's been updated or not, you need to change that password on every service that uses that password. You need to change the password on those services, especially if it's a password that you've used multiple times. It needs to be unique to each service. There is not much more we can do. Change your password. Check with the places that you use the most. If it's a bank, see if there is another way to make a payment. Maybe go in in person or do it by phone. Changing your password, and especially changing any passwords that you've used multiple times, is really the best course of action that regular users can take right now.

Robert, why do you have to change them all? And why do you have to go to places that you don't use as often, or places where you haven't signed on for a long time, and change the passwords even there?

So the idea behind changing a password has been around for quite some time, aside from this particular issue. You should change your passwords periodically, at least semi-annually if not annually. Most corporations that have sensitive data require their employees to change them quarterly.
That's a good practice to get into. Upper case, lower case, numbers, and so forth. By changing your passwords you make it more difficult for a criminal to access your accounts, as long as they are what is considered a strong password. You should be changing your passwords quarterly, semi-annually. For those websites that you don't really visit, there isn't much data on them. An email is a critical account. For a bad guy to own the email, the bad guy owns the person. Change that, and your social accounts. The reason these accounts are considered critical is that they are access to information, access to contacts. Having different passwords, like was already said, is essential as well. Having the same password across accounts makes it very easy for hackers to get into additional accounts.

Now take us into the mind of the people who are trying to break through these systems and corrupt them, and do workarounds on these new passwords. The University of Michigan put out data purposely as a kind of honeypot operation, and found that they were attacked several times just since the word came out that Heartbleed was out there. What is the state of the art for these people?

Heartbleed is different from a lot of security vulnerabilities. So when it came out there was an hour where people were very curious and they would try it out on various sites. It was found very quickly that, by using one of these scripts, you could sometimes get passwords and log into people's accounts.

Once you do that, what do you do with that information? You've got a cookie. You've got information from a security certificate. You've got a password. What does that allow you to do? If they are keys, what doors do they open?

There are two different questions in there. One is if you get a security certificate. If that happens you basically have the keys to the kingdom. You can pretend to be a website. You can basically say I'm google.com or I'm Yahoo or Bank of America, give me all your data.
But we haven't actually seen evidence of people who have done that successfully. We have seen people get passwords and such. If you're a spammer and you get the password to a Twitter account, you could say follow this family. Or if you log into someone's email you could email their contacts with spam. You could change their passwords on other websites.

We're going to take a short break. When we come back we'll talk about what stories like this, and this is only the latest one in a long series, do to the future of internet commerce. This is Inside Story.

The Heartbleed bug left websites vulnerable to attack. It affects the SSL that protects the security of the transaction. We're talking about the scathing impacts of the Heartbleed bug and what it will cost companies to fix it. When we talk about the cost of everyone fixing this, is there a good rough guess on what it is going to cost to fix?

No, I really don't know. I think it's too soon to tell. The long-term costs will end up being much larger. For smaller companies that maybe don't patch the software as quickly, and those vulnerabilities lead to major breaches, that's where we'll see the costs. Governments such as Canada's having to shut down its tax process and do emergency updates, this all costs money. There is definitely a very real cost right now, but I think it will be some time before we know how much it's going to cost.

Are we talking about millions with an M or billions with a B?
Right now we're talking about millions, but it could be billions depending on what happens in the future. I think it's very likely that smaller companies that don't patch things internally, some of that software will be breached, and it could be billion-dollar breaches. Right now I think it's definitely in the millions range.

This is only the latest of a long line of stories where information is stolen; sensitive, valuable, important information is stolen. Does this have the possible consequence of hurting the advancement of online commerce?

I think it will give the government and the security community a heads-up that we need to take things a bit more seriously. Certainly open source has been a great way to get things done, but there needs to be more oversight by this administration to make sure that something like this doesn't happen again. Certainly there has been a battle between good and evil, good guys and bad guys, white hats and black hats. That is never going to stop. When you have vulnerabilities like this, it definitely makes the entire internet community pause, and reevaluate, and say what do we have to do in the future so this does not have to happen again.

We're in a world where people are still using the word password as their password, and we're depending on them to do something to make the whole system safer?

Yes, human nature will choose password if you let them choose any password. Unless you need your phone or a finger scan to access, consumers are going to stay the way they are, and we have to do the best we can as engineers.

People should take this seriously and make changes right away.

That's right, always act on security warnings as soon as they come out.

Thank you for joining us on this edition. That brings us to the end of Inside Story. The program may be over but the conversation continues. We want to hear what you think about this or any day's show. Log on to our Facebook page or Twitter.
Or reach me directly at Ray Suarez News. See you for the next Inside Story. In Washington, I'm Ray Suarez.