
tv   Inside Story  Al Jazeera  April 16, 2014 11:30am-12:01pm EDT

11:30 am
His first work appearing in south England in the early 1990s. He did it again. Thank you for watching Al Jazeera America. I'm Del Walters in New York. "Inside Story" is next.
>> Hello, I'm Ray Suarez. In the past several days millions of you heard the bad guys, the vandals, the thieves may have burrowed into the world
11:31 am
of online commerce, intruding on the back and forth conversations between your computer and your e-mail servers, between you and the places you buy things online. It's not completely clear what happened as a result, but are you as confident about logging on to a sale site to see your packages as you were a couple of weeks ago? And the web is full of conflicting information over the past few days. Change your password? No, not until the site has fixed its security settings. Change your password? Yes, any website worth its salt has already fixed this thing. What are you to do? I don't know, how are we going to find out? First, how we got here.
>> Heartbleed is a potentially critical flaw in widely used encryption software that is
11:32 am
supposed to protect online users' personal information. The Heartbleed bug has existed for two years but was only learned about by consumers and tech giants alike. It means that your personal information can be compromised and there is nothing that can be done about it until websites upgrade their software. What is at risk? 500,000, two-thirds of the sites that use SSL, the encryption software.
>> This SSL layer.
>> In basic terms, computers using OpenSSL check to see if there is a website server at the other end of a secure connection. The server and the computer exchange data to verify they are still connected. It's called heartbeats. That's where the bug comes in. A would-be hacker or criminal can
11:33 am
trick the server into providing much more data, revealing user names, passwords, credit card or other account information. All the while consumers are getting varying advice on how to act when online. One suggestion is to go to an internet security site like McAfee, and type in the website you want to visit to see if they have fixed the Heartbleed bug. It proves that hackers can steal encryption keys using the bug and plan attacks. Google has updated its customers on its blog announcing patches to its progress. Google confirmed some Android phones with software from 2012 are vulnerable. That could compromise up to 4 million phones in the United
11:34 am
States and 50 million worldwide according to an analytics firm. There will be major disruptions as companies scramble to repair encryption software.
>> Definitely make sure that you're keeping up with their website on their blog, to see whether they were infected at all.
>> The Heartbleed bug is right in the middle of the ongoing debate over security practices. Reports that the NSA knew about the bug and websites' vulnerability right from the beginning. The office of the Director of National Intelligence issued a forceful denial saying no one in government knew about Heartbleed
11:35 am
prior to this April.
>> Joining us to help us understand how this latest to pick your pocket, we're joined by a staff technologist; she writes code with a focus on encryption and privacy for internet users. She joins us from San Francisco. And with us from Boston, Robert, who works with products that protect online communications. And from New York, Christina Warren, senior tech analyst. Should we take comfort in the fact that this slumbered away as a flaw in this widely used program for years until people realized that it was there?
>> Well, we don't know whether
11:36 am
anyone knew about this bug before it was publicly announced. There is no way to know that some hackers haven't found it. The OpenSSL software, its code is open, anyone can read it and look for this bug. It's not hard to find it. It's hard to tell if anybody knew about it.
>> I don't write code. If you're surveying an open source program, and looking for flaws in it, is it a needle in a haystack? Or is it something that when you're looking for a flaw it's easy to find?
>> Well, with OpenSSL, the code, there is a lot of it, and it's kind of messy. You know, many people don't have the patience to just look through it. But if you--I would say if you're reasonably skilled you could have found this bug.
>> Robert, how was this problem detected in the first place?
11:37 am
>> So researchers were able to detect it by looking at it. They found it. It was a eureka moment, and then they quickly disclosed it, and here we are in the midst of what would be one of the largest security crises with the internet thus far.
>> Disclosed it, but disclosed it to the users and potential criminals at the same time.
>> Well, that's kind of how these things go. When you make the public aware of it, of course, you're going to make the bad guys aware of it, too. But with most flaws, most vulnerabilities, if the researchers had had an opportunity to contact an individual company, then they will, depending on the nature of the hacker, whether they're black hat, gray hat, white hat, they may disclose it publicly. They may go right to the company. Choice.
11:38 am
They had to go public because of how many were affected by it.
>> Christina Warren, the very idea that the method a computer would use to talk to a server is a place where an opportunistic infection might be happening, that's stunning, that no one realized that this was a flaw in the first place when this was put into widespread operation as a security device.
>> Well, absolutely. But to his point the code is sort of messy. And even if the project is used very widely, it actually has only a few committers. If there aren't that many people actively contributing to the project. I would compare it, if you're looking at it closely you would find the story, you could find a flaw. But you've got a ton of code there.
11:39 am
It makes it that it could go unseen. That's a testament in part to how good OpenSSL had been in the past, and how reliant people have become on it. But at the same time it does say we're going to be using these tools, and if it's important we should be doing a better job of auditing the code, and making sure that things are the way they need to be.
>> So the alarm goes out. The flare gets shot up into the sky. Why does every individual site have to take care of this on their own? Why isn't there a software that can then be distributed to all users in much the same way this credits distributed in the first place? Christina?
>> Yes, that's kind of the problem. I think for regular users that's what makes it such a difficult bug to deal with, because we don't have a lot of control over it. The bottom line is that every
11:40 am
server has to update itself on its end to be safe. Every application, every web server, every device, talking about a smart phone, router, has to be updated. Unfortunately there is just not a way to push those updates out because they are being maintained by various companies. Because various companies maintain them, when the disclosure happened some companies were given advance warning and were able to patch things. Some were able to do what they could to patch things before the vulnerability became public. But when you talk about code that is used on 66% of the web, unfortunately, we don't have the mechanism to push an update. It would be great if we did, but we don't.
>> What does this mean to me? Are there different systems in place for different kinds of vendors?
11:41 am
Are banks using the same kind of secure software protections as a potter, who runs a business out of their own home, and runs ceramics out of the mail? Is this all the same bees or using different kinds of items in this case.
>> From Google to a tiny website they run OpenSSL. Because the spot connected in opening up a cell, a few temperatures might claim to have protection on top of that, but that would be foolish in this case. I think what people. have updated their software. And there is an encryption layer.
11:42 am
So when the site loses its encryption key it's still vulnerable. Someone who has that encryption key to direct task or even impersonate that website.
>> What can people with bad intent do in that little business of time? So they'll go to whichever sites they determine are not properly protected. They'll begin to sniff in and they will agent extract the data. In Canada they were able to get a thousand social numbers from Canadian taxpayers, then they use
11:43 am
that data to commit fraud. They'll open new lines of credit. They'll take over existing accounts with the new names and passwords. The name behind the "s" is security. Encryption is essential to protect that information. When the doors are not locked it allows the bad guy to get in. In this case it gives more... More than likely it has occurred multiple times, and those infected may not find out for days, weeks, months, years. And it's possible that they have been affected in the past, and they'll only realize it in the future.
>> Now you know what the vulnerability looks like. We'll take a break and we'll
11:44 am
11:45 am
11:46 am
>> Welcome back to "Inside Story." I'm Ray Suarez. On this edition of our program we're talking about the Heartbleed bug. It's been out there for two years, and raises the possibility that a hacker could get your information on a website that you and your company thought was secure. Christina, when news first came out that this was out there, my wife, who does all the banking and pays all the bills, she said forget it. That's it. I'm going to let it go for a while until the dust settles. She also pays her mother's bills, and some of those bills had to be paid right away, and it felt like a risky thing to enter personal information into the computer. What is your best advice today?
11:47 am
How should they proceed if they've been conducting business online?
>> You need to know if the site you're using has updated its software and security. We've been making a list of the banks, financial institutions, social networks, and there are utilities to see if there has been a patch and they have been updated.
>> That means not necessarily going to the place itself, but going to some other source of the information? Or should I go to the place itself, and they say, hey, we fixed it, don't worry?
>> Some sites will. Some have been forthcoming, some haven't. The next step, if you used a password on a site that has been
11:48 am
impacted by the Heartbleed bug, regardless of whether it's been updated or not, you need to change that password on every service that uses that password. You need to change the password on the services, especially if it's a password that you have used multiple times. It needs to be unique to each service. There is not much more we can do. Change your password. Check with the places that you use the most. If it's a bank, if there is another way to make a payment, maybe go in in person or do it by phone. Changing your password, and especially changing any passwords that you've used multiple times, is really the best course of action that regular users can take right now.
>> Robert, why do you have to change them all? And why do you have to go to places that you don't use as often, or go to places where you haven't signed on for a long
11:49 am
time, and change the passwords even there?
>> So the idea behind changing a password has been around for quite some time, aside from this particular issue. You should change your passwords periodically, at least semi-annually if not annually. Most corporations that have sensitive data require their employees to change them quarterly. That's a good practice to get into. Upper case, lower case, numbers, so forth. By changing your passwords you make it more difficult for a criminal to access your accounts as long as they are considered what is a strong password. You should be changing your passwords quarterly, semi-annually.
11:50 am
For those websites that you don't really visit and there isn't much data on them. An e-mail is a critical account. For a bad guy to own the e-mail, the bad guy owns the person. Change that, social, the reason why these accounts are considered critical, they are access to information, access to contacts. Having different passwords, like it was already said, is essential as well. Having the same password across accounts makes it very easy for hackers to get into additional accounts.
>> Now take us into the mind of the people who are trying to break through these systems, and corrupt them, and do arounds on these new passwords. The University of Michigan put out data purposely as a kind of
11:51 am
honey pot operation, and found that they were attacked several times just since the word came out that Heartbleed was out there. What is the state of the art for people?
>> Heartbleed is different from a lot of security vulnerabilities. So when it came out it was an hour where people were very curious and they would try it out on various sites. This was found very quickly: by using one of these scripts once, you could sometimes get passwords and log into people's accounts.
>> Once you do that, what do you do with that information? You got a cookie. You got information from a
11:52 am
security certificate. You got a password. What does that allow you to do? If they are keys, what doors do they open?
>> There are two different questions in there. One is if you get a security certificate, if that happens you basically have the keys to the kingdom. You can pretend to be a website. You can basically say I'm google.com or I'm Yahoo or Bank of America, give me all your data. But that actually hasn't--we haven't seen evidence of people who have done that successfully. We have seen people get passwords and such. If you're a spammer and you get the password to a Twitter account, you could say follow this family. Or if you log into someone's e-mail you could e-mail their contacts with spam.
11:53 am
You could change their passwords on other websites.
>> We're going to take a short break. When we come back we'll talk about what stories like this, and this is only the latest one in a long series, does to the future of internet commerce.
11:54 am
11:55 am
11:56 am
11:57 am
11:58 am
future so this does not have to happen again.
>> We're in a world where people are still using the word "password" as their password, and we're depending on them to do something to make the whole system safer?
>> Yes, human nature will choose "password" if you let them choose
11:59 am
any password. If you need your phone or finger scan to access, consumers are going to stay the way they are, and we have to do the best we can as engineers.
>> People should take this seriously and make changes right away.
>> That's right, always use security warnings as soon as they come out.
>> Thank you for joining us on this edition. That brings us to the end of "Inside Story." The program may be over but the conversation continues. We want to hear what you think about this or any day's show. Log on to our Facebook page where you have changed your password, or Twitter. Or reach me directly at Ray Suarez News. See you for the next "Inside Story." In Washington, I'm Ray Suarez.
12:00 pm
Eastern Ukraine slides towards chaos, and pro-Russian forces continue to protest.
>> Hello, you are watching Al Jazeera, I'm Sammy. Also on the show, hundreds of high school students missing after their ferry capsizes off of the coast of South Korea. Nearly a million people in the UK relying on food handouts. And the future king of Australia, or just another Britain holiday? We look at attitudes
