Heartbleed: did security threat lead to insider trading?

Security expert says drop in share price indicates 'tip off' ahead of Heartbleed announcement


INSIDER trading may have caused a slide in share prices for Yahoo! and other major tech companies in the days before the announcement of the Heartbleed security flaw, a web-based security expert has suggested.

Discovered in early April, the Heartbleed bug allowed attackers to steal data from computers using vulnerable versions of some widely used security programs. Its effects were initially described as "catastrophic".

In the days before it became public knowledge, shares in Amazon, Yahoo!, Microsoft, HP, Dell, and Google all slid noticeably – with Amazon and Yahoo! experiencing particularly steep dips in investor confidence.


Bill Buchanan, a professor at Edinburgh Napier University specialising in electronic-crime and online security, notes in The Conversation that stock prices fell by between three and 10 per cent two days before the news of the Heartbleed bug broke on 9 April.

He goes on to claim that early warning of the bug's existence was probably given to the companies affected by security authorities, in order to give them time to get their systems ready ahead of the so-called "day zero threat" when hackers were expected to begin looking for ways to exploit the security flaw.

But, Buchanan says, "it could be that this information was also leaked to insiders who then sold their stocks in the major IT companies, waiting for a time to repurchase them at a tidy profit".

When news of the threat eventually broke on 9 April, Yahoo! stock lost 9.4 per cent, Amazon lost 8.3 per cent, and Microsoft went down by almost 5 per cent, even though it was not exposed to the bug.

This may have been due to fears about internet security in general, but Buchanan says it could have been prompted by traders in the know selling stock while values were high, and then rebuying them at their lowest point.

Regardless, some traders "may have done well" from the swift bounce, Buchanan says, and "the evidence suggests that there could have been some insider trading taking place in the days before the story became big news".

Heartbleed security threat: is it time to change your passwords?

11 April

ADVICE still varies on how web users should respond to the Heartbleed security breach, but some sites are now advising customers to change their passwords.

Security experts have advised caution, warning people not to update their passwords before sites have patched the flaw or they risk giving hackers their new password too.

The Heartbleed bug has been described as a "catastrophic" breach of internet security and independent security expert Bruce Schneier claims on his blog that "on the scale of 1 to 10, this is an 11". See below for a full briefing on the topic.

Websites have been scrambling to apply a fix, and many of the bigger sites now say that they are secure. Google told the MailOnline that its users do not need to update their passwords for services including YouTube and Gmail. A spokesman for Google said: “The security of our users' information is a top priority. We fixed this bug early and Google users do not need to change their passwords.”

Facebook, which has more than 1.2 billion account holders worldwide, has said that it too is safe from the threat, but still encouraged "people to take this opportunity to follow good practices and set up a unique password for your Facebook account that you don't use on other sites."

Yahoo is the only major site that has explicitly advised its users to change their passwords.

Current advice from major sites

Google: Search, Gmail, YouTube, Wallet and Play store were all affected, but Chrome was not. Google said users don’t need to change their passwords, but some security analysts still advise that it is a good idea.

Facebook: In a statement, the firm said: “We added protections for Facebook’s implementation of OpenSSL before this issue was publicly disclosed. We haven’t detected any signs of suspicious account activity.” Nevertheless, the social network suggested people may want to change their passwords anyway, as it is good practice.

Yahoo: Site urged all customers to change their passwords now.

Netflix: Said in a statement “we took immediate action to assess the vulnerability and address it. We are not aware of any customer impact.”

Instagram: Still believed to be vulnerable. Users should not change their passwords until the site announces it is patched.

Hotmail, Outlook and Bing: Microsoft services are believed to be entirely unaffected.

Twitter: Site unaffected.

PayPal: The company said in a statement that the site is secure.

Filippo Valsorda, an Italian cryptography consultant, has built a tool to help users determine whether a particular website is still at risk.

Heartbleed internet security flaw: are you at risk?

9 April

A MASSIVE lapse in online security has put the privacy of millions of internet users at risk.

Data on many of the world's major websites has been made vulnerable by a bug nicknamed "Heartbleed". Researchers at Google Inc and a security firm named Codenomicon exposed the problem, leading the Department of Homeland Security to advise many online services to check their vulnerability.

So who is at risk? What should we all do about it?

What is Heartbleed?

According to Codenomicon, the Heartbleed bug is a weakness that allows information on the internet, which would normally be protected by a type of encryption called OpenSSL, to be stolen.

OpenSSL was devised to provide communication security for applications including web, email, and instant messaging. It works by scrambling data, making it appear as gibberish to anyone but its intended recipient. Occasionally computers send a small package of data, known as a "heartbeat" to check that another computer is still connected. Due to an error in OpenSSL, it is possible to create fraudulent heartbeats that appear legitimate, tricking computers into sending data stored in their memory.

Using this technique it is possible that many internet users have had their online profiles, passwords, emails and other online content intercepted and stolen.

Am I at risk?

Probably. Writing on Vox.com Timothy Lee says: "There aren't precise statistics available, but the researchers who discovered the vulnerability note that the two most popular web servers, Apache and nginx, use OpenSSL. Together, these vulnerable servers account for about two-thirds of the sites on the web."

A spokesperson for Yahoo Inc confirmed that Yahoo Mail had been affected, but it was now fixed. Patches have also been applied across Yahoo's suite of sites and services including Flickr, Tumblr and Yahoo Search.

Google issued a statement saying "we have assessed the SSL vulnerability and applied patches to key Google services". Facebook said that it too had already addressed the problem by the time it went public yesterday. Microsoft announced that it would take steps to ensure its customers' security.

How do I know if I have been hacked?

Computer security experts warn that many victims won't be able to tell if their data has been put at risk. "We have tested some of our own services from the attacker's perspective. We attacked ourselves from outside, without leaving a trace," Codenomicon says.

What should I do about it?

Business Insider says that users should assume that all of their online accounts may have been compromised and should change all their passwords immediately.

The New York Times urges greater caution. "Wait a day or so. Then change the passwords on the web services you use," it says. Immediately changing passwords risks exposing them on sites that have not yet corrected the bug, explains the paper. "There's nothing users can do until the web services have made their sites secure," adds Mark Seiden, an independent computer security consultant.

Website Cult of Mac advises the same approach. "Wait until you know a site has been patched before changing passwords," it says. It adds that all passwords should be changed, "especially for sensitive sites like banks, credit cards and webmail".

Also, make sure your new passwords are all different: don't use the same one across all sites. Seiden suggests varying a password around a core theme.

"Pick out a core password of a mixture of six letters and numbers that are not a word," he advises. "You pick the second and third letter of a service, to avoid being obvious. If the service is Yahoo, the letters are 'a' and 'h.' Those are added at the front or back of your core password, or one letter at the front and the other at the back."
