Knight Center

JOURNALISM IN THE AMERICAS Blog

Digital vulnerability could endanger online media’s private information



Earlier this week, experts discovered a code defect in software used by almost two thirds of the Internet to encrypt private information, which may have endangered personal data from millions of people and access keys to some of the most popular online services, according to website GigaOm. The vulnerability can affect news organizations’ websites as well.

The security vulnerability was nicknamed “Heartbleed” because it affects a feature in the software library OpenSSL called “heartbeat,” a signal transmitted between servers and users to create and maintain a secure connection over the Internet. The error causes the signal to send extra data that was recently stored in the RAM of either the server or the user’s computer, something a hacker could exploit to obtain user names, passwords, encryption keys and other sensitive information.

Heartbleed can affect news organizations’ websites if they use SSL to create login access for users, use a VPN to secure their network, or run on open-source web servers (like Apache, Nginx and Lighttpd), according to the website ProPublica. Any software that came from OpenSSL version 1.0.1 or higher is affected, and tools like Heartbleed Test and LastPass can help verify if a website was impacted.

Additionally, privacy software like Tor and SecureDrop were initially vulnerable to Heartbleed but have since released updates solving the issue, and popular operating systems like Linux have also released patches that fix the error.

Although this was only discovered this week, the problem had already existed in the code for two years, and it is unknown whether hackers have used it to obtain private information, according to The New York Times. What we do know is that, now that Heartbleed is no longer a secret, it is likely attackers will try to exploit it to obtain private data.

For this reason, cyber-security experts suggest users change their password, but only after they receive confirmation from vulnerable sites that the problem has been resolved, according to Forbes magazine. Otherwise a user will increase the likelihood of their access codes becoming publicly accessible.

Experts also ask news organizations to update their software and re-generate SSL certificates with web servers to protect their private keys, ProPublica reported. These keys can be used by attackers to decrypt all private information transmitted between an organization’s website and its server.

Digital media should also alert their users once the defect has been fixed on their websites so they can change their passwords. Newsroom employees should change all their passwords once the problem is solved, especially for work accounts like those in content management systems and social media.

To learn more about how to choose a secure password, protecting your private information and generally strengthening the security of your digital data, read the Committee to Protect Journalists’ (CPJ) information security guide online.


