Millions of online shoppers, bank customers and social media users in the UAE could have been affected by an internet bug that secretly steals passwords and other personal information.
The so called “Heartbleed” bug, uncovered by Google and online security firm Codenomicon, is a flaw in the OpenSSL software used by companies to secure data. The bug captures and decrypts this data without leaving a trace, meaning there is no way of telling if information has been stolen.
Sites that have been confirmed as affected include Deutsche Bank, Yahoo, Flickr, Tumblr and Imgur, but any website using the software could be at risk.
“All UAE banks and e-banking environments use SSL,” said Nicolai Solling, director of technology services at Help AG, an IT security company based in Dubai. “All over the world there is no bank not using SSL in some way,” he said.
Equally as concerning as the huge number of people who could be affected, is the fact the bug has existed for the past two years without being spotted.
An update to the OpenSSL software has since closed the loophole. However, it is up to individual companies to use this update, meaning the security flaw could take a long time to be repaired.
“With each passing day, we are sure to see more cyber criminals exploiting these vulnerabilities,” said Mr Solling. “The responsibility of fixing this issue lies with organisations since this is a server-side vulnerability. Unfortunately, for common users, this means that there is very little they could do to protect themselves.
“The race against the clock has begun as we are already starting to see the first set of attack frameworks emerge.
“In general anyone, regardless of the openSSL bug or not should ensure that they use good passwords. One of the most important aspects is that passwords should be unique and never reused across multiple websites to avoid the effect by losing a username and password.
“I would recommend anyone to be extra alert to any abnormal activities in any ssl and web-based services, such as online banking.”
For some customers, the latest internet bug highlights the problems associated with carrying out financial transactions online.
“No way would I move money online. I only use telephone banking, this is safest,” said Saoud Al Shehhi, a 26-year-old from Abu Dhabi who works at the National Library.
Others were more trusting of the security systems in place.
“I use an online bank and have never had a problem,” said Shardhannand Singh, an Indian who has worked in IT for four years in Abu Dhabi. “I think if you use a safe browser it is OK. But I trust my bank, I am with National Bank of Abu Dhabi, I think they are very safe.”
It is easy to spot sites using OpenSSL for data encryption, as the web address will include https as opposed to http.
“The security implications of this are very real,” said Lucas Zaichkowsky, enterprise defence architect at AccessData, an international cybersecurity company that has offices in Dubai.
“A significant amount of the software we implement today uses the OpenSSL library for encryption, affecting many popular server and desktop software packages and therefore putting business servers, corporate desktops and at-home users at risk.”
While experts have spoken of the wide-reaching risks, search-engine giant Google said: We fixed this bug early and Google users do not need to change passwords.”
But the bug is being taken extremely seriously by some of the biggest online security firms, including the US company, Symantec.
“Symantec is aware and currently investigating the OpenSSL vulnerability, which allows attackers to read the memory of the systems using vulnerable versions of OpenSSL software,” a spokesperson said.
