Wednesday, April 16, 2014

Google patents smart contact lens system with a CAMERA built in

Glass without the glasses: Google patents smart contact lens system with a CAMERA built in

· Lens has camera built in
· Could be developed to help the blind see and give them guidance
· Could also give wearer 'supervision' with ability to zoom
· Could shrink Glass to fit on a pair of lenses
· Firm already developing lenses with screen and medical sensors built in
· Project developed in secretive Google X lab

Google has patented a smart contact lens that could see its Glass wearable computer fit inside a smart lens.
The firm has already developed a contact lens for diabetics that analyses their tears, warning them if their glucose levels are low.

Now it has revealed plans for a lens with a camera built in - opening the possibility of its Glass system being shrunk down significantly, offering features such as 'superzoom' to wearers and even helping the blind see.

Glass without the glass: Google patent contact lens camera

HOW IT WORKS

The Google lens contains a control circuit, an image capture (camera) component and an image sensor.

The system can be wirelessly linked to a mobile phone for data access and to issue commands via audio, although it is unclear if the lens would be powered wirelessly or have a wired link to a battery.

According to PatentBolt, the system could even be used to help the blind see.

'For example, a blind person wearing Google's contact lens with a built-in camera may be walking on a sidewalk and approaching an intersection,' it says.

'The analysis component of the contact lens can process the raw image data of the camera to determine processed image data indicating that the blind person is approaching intersection with a crosswalk and establish that there is a car approaching the intersection.'

The lens also has wireless capabilities allowing it to link to a smartphone, which can be used to process data and give the user audio commands.

Google also says the system will be able to detect faces, potentially allowing the blind to recognise people.

The firm has already developed a smart lens capable of measuring the glucose level of diabetics. 
Google is testing a prototype for a smart contact lens that we built to measure glucose in tears continuously using a wireless chip and miniaturized glucose sensor.

HOW IT WORKS - DIABETIC'S LENS


The smart contact lens can measure glucose levels in tears using a tiny wireless chip and miniaturized glucose sensor that are embedded between two layers of soft contact lens material. 

Prototypes generate a reading once per second. 

Google is also investigating the potential for this to serve as an early warning for the wearer, integrating tiny LED lights that could light up to indicate that glucose levels have crossed above or below certain thresholds.

'You’ve probably heard that diabetes is a huge and growing problem—affecting one in every 19 people on the planet,' Google said in a blog post announcing the research.

'But you may not be familiar with the daily struggle that many people with diabetes face as they try to keep their blood sugar levels under control. 

'Uncontrolled blood sugar puts people at risk for a range of dangerous complications, some short-term and others longer term, including damage to the eyes, kidneys and heart. 

'A friend of ours told us she worries about her mom, who once passed out from low blood sugar and drove her car off the road' 

The project's co-founders,  Brian Otis and Babak Parviz, say they hope the technology could eventually become commonplace.
How it works: The chip includes a sensor, chip and antenna to let wearers know when their glucose levels are dangerously low

The firm is already in discussion with the FDA over the project 

'We’re now testing a smart contact lens that’s built to measure glucose levels in tears using a tiny wireless chip and miniaturized glucose sensor that are embedded between two layers of soft contact lens material,' they said.

'We’re testing prototypes that can generate a reading once per second. 

How they are made: The process starts with a tiny chip, which is then mounted on a ring with the antenna and sensor, and finally mounted onto the lens.

The technology is sandwiched in between two lenses.

'We’re also investigating the potential for this to serve as an early warning for the wearer, so we’re exploring integrating tiny LED lights that could light up to indicate that glucose levels have crossed above or below certain thresholds. 

'It’s still early days for this technology, but we’ve completed multiple clinical research studies which are helping to refine our prototype. 

'We hope this could someday lead to a new way for people with diabetes to manage their disease.'

The firm is in discussions with the FDA, but says 'there’s still a lot more work to do to turn this technology into a system that people can use.'

It hopes to work with other medical firms to develop the lenses and other smart health monitoring devices.


http://www.dailymail.co.uk/sciencetech/article-2604543/Glass-without-glasses-Google-patents-smart-contact-lens-CAMERA-built-in.html


Monday, April 14, 2014

Google Buys Drone Company Titan Aerospace

 JAY YAROW    
APR. 14, 2014, 2:03 PM 

Google has acquired drone maker Titan Aerospace, the Wall Street Journal reports.
Titan is a New Mexico-based company that makes high-flying solar powered drones.

There's no word on the price Google paid, but Facebook had been in talks to acquire the company earlier this year for a reported $60 million. Presumably, Google paid more than that to keep it away from Facebook.

It sounds like Titan will work on a variety of projects for Google.

Titan will be able to collect photos from around the planet from high up, which could help with Google Earth and Google Maps.

It will also contribute to Google's Project Loon, which is sending balloons into the atmosphere that then beam Internet to parts of the world that are not yet connected.

It's also likely to work with Makani, another company Google bought, that gets wind power high in the sky, and delivers the energy back to earth through a long cable.

Google confirmed the acquisition to the Journal, and a spokesperson said, "It's still early days, but atmospheric satellites could help bring internet access to millions of people, and help solve other problems, including disaster relief and environmental damage like deforestation."

Titan's drones could potentially be in the air for five years at a time, relying on solar power to stay aloft, according to a report from last year.
   

http://www.businessinsider.com/google-buys-drone-company-titan-aerospace-2014-4

Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say

By DAVID E. SANGER  APRIL 12, 2014

WASHINGTON — Stepping into a heated debate within the nation’s intelligence agencies, President Obama has decided that when the National Security Agency discovers major flaws in Internet security, it should — in most circumstances — reveal them to assure that they will be fixed, rather than keep mum so that the flaws can be used in espionage or cyberattacks, senior administration officials said Saturday.

But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.

The White House has never publicly detailed Mr. Obama’s decision, which he made in January as he began a three-month review of recommendations by a presidential advisory committee on what to do in response to recent disclosures about the National Security Agency.

But elements of the decision became evident on Friday, when the White House denied that it had any prior knowledge of the Heartbleed bug, a newly known hole in Internet security that sent Americans scrambling last week to change their online passwords. The White House statement said that when such flaws are discovered, there is now a “bias” in the government to share that knowledge with computer and software manufacturers so a remedy can be created and distributed to industry and consumers.

Caitlin Hayden, the spokeswoman for the National Security Council, said the review of the recommendations was now complete, and it had resulted in a “reinvigorated” process to weigh the value of disclosure when a security flaw is discovered, against the value of keeping the discovery secret for later use by the intelligence community.

“This process is biased toward responsibly disclosing such vulnerabilities,” she said.

Until now, the White House has declined to say what action Mr. Obama had taken on this recommendation of the president’s advisory committee, whose report is better known for its determination that the government get out of the business of collecting bulk telephone data about the calls made by every American. Mr. Obama announced last month that he would end the bulk collection, and leave the data in the hands of telecommunications companies, with a procedure for the government to obtain it with court orders when needed.

But while the surveillance recommendations were noteworthy, inside the intelligence agencies other recommendations, concerning encryption and cyber operations, set off a roaring debate with echoes of the Cold War battles that dominated Washington a half-century ago.

One recommendation urged the N.S.A. to get out of the business of weakening commercial encryption systems or trying to build in “back doors” that would make it far easier for the agency to crack the communications of America’s adversaries. Tempting as it was to create easy ways to break codes — the reason the N.S.A. was established by Harry S. Truman 62 years ago — the committee concluded that the practice would undercut trust in American software and hardware products. In recent months, Silicon Valley companies have urged the United States to abandon such practices, while Germany and Brazil, among other nations, have said they were considering shunning American-made equipment and software. Their motives were hardly pure: Foreign companies see the N.S.A. disclosures as a way to bar American competitors.

Another recommendation urged the government to make only the most limited, temporary use of what hackers call “zero days,” the coding flaws in software like Microsoft Windows that can give an attacker access to a computer — and to any business, government agency or network connected to it. The flaws get their name from the fact that, when identified, the computer user has “zero days” to fix them before hackers can exploit the accidental vulnerability.

The N.S.A. made use of four “zero day” vulnerabilities in its attack on Iran’s nuclear enrichment sites. That operation, code-named “Olympic Games,” managed to damage roughly 1,000 Iranian centrifuges, and by some accounts helped drive the country to the negotiating table.

Not surprisingly, officials at the N.S.A. and at its military partner, the United States Cyber Command, warned that giving up the capability to exploit undisclosed vulnerabilities would amount to “unilateral disarmament” — a phrase taken from the battles over whether and how far to cut America’s nuclear arsenal.

“We don’t eliminate nuclear weapons until the Russians do,” one senior intelligence official said recently. “You are not going to see the Chinese give up on ‘zero days’ just because we do.” Even a senior White House official who was sympathetic to broad reforms after the N.S.A. disclosures said last month, “I can’t imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.”

At the center of that technology are the kinds of hidden gaps in the Internet — almost always created by mistake or oversight — that Heartbleed created. There is no evidence that the N.S.A. had any role in creating Heartbleed, or even that it made use of it. When the White House denied prior knowledge of Heartbleed on Friday afternoon, it appeared to be the first time that the N.S.A. had ever said whether a particular flaw in the Internet was — or was not — in the secret library it keeps at Fort Meade, Md., the headquarters of the agency and Cyber Command.

But documents released by Edward J. Snowden, the former N.S.A. contractor, make it clear that two years before Heartbleed became known, the N.S.A. was looking at ways to accomplish exactly what the flaw did by accident. A program code-named Bullrun, apparently named for the site of two Civil War battles just outside Washington, was part of a decade-long effort to crack or circumvent encryption on the web. The documents do not make clear how well it succeeded, but it may well have been more effective than exploiting Heartbleed would be at enabling access to secret data.

The government has become one of the biggest developers and purchasers of information identifying “zero days,” officials acknowledge. Those flaws are big business — Microsoft pays up to $150,000 to those who find them and bring them to the company to fix — and other countries are gathering them so avidly that something of a modern-day arms race has broken out. Chief among the nations seeking them are China and Russia, though Iran and North Korea are in the market as well.

“Cyber as an offensive weapon will become bigger and bigger,” said Michael DeCesare, who runs the McAfee computer security operations of Intel Corporation. “I don’t think any amount of policy alone will stop them” from doing what they are doing, he said of the Russians, the Chinese and others. “That’s why effective command and control strategies are absolutely imperative on our side.”

The presidential advisory committee did not urge the N.S.A. to get out of the business entirely. But it said that the president should make sure the N.S.A. does not “engineer vulnerabilities” into commercial encryption systems. And it said that if the United States finds a “zero day,” it should patch it, not exploit it, with one exception: Senior officials could “briefly authorize using a zero day for high priority intelligence protection.”

A version of this article appears in print on April 13, 2014, on page A8 of the New York edition with the headline: Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say.



Saturday, April 12, 2014

Turkey PM threatens to 'go after' Twitter for tax evasion

AFP By Fulya Ozerkan

Ankara (AFP) - Turkey's prime minister said Saturday he will "go after" Twitter, accusing the site of tax-evasion, after it was used to spread damaging leaks implicating his inner circle in corruption claims.

In a televised speech, Recep Tayyip Erdogan also launched a tirade against the nation's highest court for ruling against a ban on Twitter, charging that it put the rights of businesses above that of Turkey's.

"Twitter, YouTube and Facebook are international companies established for profit and making money," Erdogan said.

"Twitter is at the same time a tax evader. We will go after it," he added.

"These companies, like every international company, will abide by my country's constitution, laws and tax rules".

Erdogan's government on March 20 banned access to the social media site over the leaks, sparking outrage among Turkey's NATO allies and international human rights groups who viewed it as a setback for democracy in the EU-hopeful country.

Ankara had to lift the ban on April 3 after its highest court ruled the blockade breached the right to free speech.

-'Interference in politics'-

Erdogan again blasted the constitutional court's verdict on Saturday, criticising it for "advocating commercial law of international companies instead of defending the rights of its own country and its own people".

"This amounts to interference in politics," he said.

"We abided by the (court) ruling on (Twitter), but I say it again, I don't respect it," he said.

The ban had been widely circumvented by many of Turkey's almost 12 million Twitter users -- including President Abdullah Gul -- who have instead sent tweets via text message or by adjusting their Internet settings.

Erdogan's government also blocked YouTube on March 27 after the popular video sharing site was used to leak a top-secret security meeting of the country's civilian and military officials discussing war scenarios for neighbouring Syria.

Turkish authorities said last week the ban on YouTube would remain in place in defiance of court orders.

Erdogan, Turkey's strongman premier for 11 years, ordered the Internet curbs in the lead-up to March 30 municipal elections, in which his party chalked up sweeping wins despite the claims of sleaze and graft.

He has blamed online leaks on shadowy supporters of influential US-based Islamic cleric Fetullah Gulen known as Gulenists, many of whom hold key positions in the police and judiciary.

Erdogan's latest attack against the country's highest court also comes a day after it annulled the most controversial clause of a law giving the justice ministry greater control over the appointment of judges and prosecutors.

The law, which sparked fistfights among lawmakers debating it in parliament, was one of the retaliatory measures taken by Erdogan in the wake of the vast graft scandal which erupted in mid-December implicating his key political and business allies.

Erdogan said Saturday that the court was showing an "increasing appetite for interference in political sphere" while turning a blind eye to the existence of what he called a "parallel structure" within the state, referring to Gulenists.

"I always say it: those who want to do politics should leave their seat, take off their robes and do politics under the roof of political parties," he said.

"I want everyone to know that that seat or that robe may render you powerful today but you must know that it will harm the country and the people," he said, in a direct attack at the court's judges.

"We will never allow such tensions in our country. Turkey has no tolerance for tensions or non-political interference".



NSA Said to Exploit Heartbleed Bug for Intelligence for Years

By Michael Riley  Apr 11, 2014 9:00 PM PT 

April 11 (Bloomberg) -- The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

The agency’s reported decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts. The NSA, after declining to comment on the report, subsequently denied that it was aware of Heartbleed until the vulnerability was made public by a private security report earlier this month.

“Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong,” according to an e-mailed statement from the Office of the Director of National Intelligence.

Heartbleed appears to be one of the biggest flaws in the Internet’s history, affecting the basic security of as many as two-thirds of the world’s websites. Its discovery and the creation of a fix by researchers five days ago prompted consumers to change their passwords, the Canadian government to suspend electronic tax filing and computer companies including Cisco Systems Inc. and Juniper Networks Inc. to provide patches for their systems.

Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.

Controversial Practice

“It flies in the face of the agency’s comments that defense comes first,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. “They are going to be completely shredded by the computer security community for this.”

Experts say the search for flaws is central to NSA’s mission, though the practice is controversial. A presidential board reviewing the NSA’s activities after Edward Snowden’s leaks recommended the agency halt the stockpiling of software vulnerabilities.

When new vulnerabilities of the Heartbleed type are discovered, they are disclosed, the Office of the Director of National Intelligence said in response to the Bloomberg report. A clear process exists among agencies for deciding when to share vulnerabilities, the office said in a statement.

“This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet,” Shawn Turner, director of public affairs for the office, said in the statement. “Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.”

Hunting Flaws

The NSA and other elite intelligence agencies devote millions of dollars to hunt for common software flaws that are critical to stealing data from secure computers. Open-source protocols like OpenSSL, where the flaw was found, are primary targets.

The Heartbleed flaw, introduced in early 2012 in a minor adjustment to the OpenSSL protocol, highlights one of the failings of open source software development.

While many Internet companies rely on the free code, its integrity depends on a small number of underfunded researchers who devote their energies to the projects.

In contrast, the NSA has more than 1,000 experts devoted to ferreting out such flaws using sophisticated analysis techniques, many of them classified. The agency found Heartbleed shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency’s toolkit for stealing account passwords and other common tasks.

NSA Spying

The NSA has faced nine months of withering criticism for the breadth of its spying, documented in a rolling series of leaks from Snowden, who was a former agency contractor.

The revelations have created a clearer picture of the two roles, sometimes contradictory, played by the U.S.’s largest spy agency. The NSA protects the computers of the government and critical industry from cyber-attacks, while gathering troves of intelligence attacking the computers of others, including terrorist organizations, nuclear smugglers and other governments.

Ordinary Internet users are ill-served by the arrangement because serious flaws are not fixed, exposing their data to domestic and international spy organizations and criminals, said John Pescatore, director of emerging security trends at the SANS Institute, a Bethesda, Maryland-based cyber-security training organization.

One Agency

“If you combine the two into one government agency, which mission wins?” asked Pescatore, who formerly worked in security for the NSA and the U.S. Secret Service. “Invariably when this has happened over time, the offensive mission wins.”

When researchers uncovered the Heartbleed bug hiding in plain sight and made it public on April 7, it underscored an uncomfortable truth: The public may be placing too much trust in software and hardware developers to ensure the security of our most sensitive transactions.

“We’ve never seen any quite like this,” said Michael Sutton, vice president of security research at Zscaler, a San Jose, California-based security firm. “Not only is a huge portion of the Internet impacted, but the damage that can be done, and with relative ease, is immense.”

The potential stems from a flawed implementation of a protocol used to encrypt communications between users and websites protected by OpenSSL, making those supposedly secure sites an open book. The damage could be done with relatively simple scans, so that millions of machines could be hit by a single attacker.

Exploiting Flaw

Questions remain about whether anyone other than the U.S. government might have exploited the flaw before the public disclosure. Sophisticated intelligence agencies in other countries are one possibility.

If criminals found the flaw before a fix was published this week, they could have scooped up troves of passwords for bank accounts, e-commerce sites and e-mail accounts worldwide.

Evidence of that is so far lacking, and it’s possible that cybercriminals missed the potential in the same way security professionals did, suggested Tal Klein, vice president of marketing at Adallom, in Menlo Park, California.

The fact that the vulnerability existed in the transmission of ordinary data -- even if it’s the kind of data the vast majority of users are concerned about -- may have been a factor in the decision by NSA officials to keep it a secret, said James Lewis, a cybersecurity senior fellow at the Center for Strategic and International Studies.

Determining Risk

“They actually have a process when they find this stuff that goes all the way up to the director” of the agency, Lewis said. “They look at how likely it is that other guys have found it and might be using it, and they look at what’s the risk to the country.”

Lewis said the NSA has a range of options, including exploiting the vulnerability to gain intelligence for a short period of time and then discreetly contacting software makers or open source researchers to fix it.

The SSL protocol has a history of security problems, Lewis said, and is not the primary form of protection governments and others use to transmit highly sensitive information.

“I knew hackers who could break it nearly 15 years ago,” Lewis said of the SSL protocol.

That may not soothe the millions of users who were left vulnerable for so long.

Panel’s Recommendation

Following the leaks about NSA’s electronic spying, President Barack Obama convened a panel to review surveillance activities and suggest reforms. Among the dozens of changes put forward was a recommendation that the NSA quickly move to fix software flaws rather than exploit them, and that they be used only in “rare instances” and for short periods of time.

“If the NSA knows about a vulnerability, then often other nation states and even criminal organizations can exploit the same security vulnerability,” said Harley Geiger, senior counsel for the Center for Democracy & Technology in Washington. “What may be a good tool for the NSA may also turn out to be a tool for organizations that are less ethical or have no ethics at all.”

Currently, the NSA has a trove of thousands of such vulnerabilities that can be used to breach some of the world’s most sensitive computers, according to a person briefed on the matter. Intelligence chiefs have said the country’s ability to spot terrorist threats and understand the intent of hostile leaders would be vastly diminished if their use were prohibited.



Thursday, April 10, 2014

US Internet ad revenue surpasses broadcast TV for the first time

Report: US Internet ad revenue surpasses broadcast TV for the first time
Associated Press

NEW YORK (AP) -- For the first time, U.S. Internet advertising revenue has surpassed that of broadcast television thanks to sharp growth in mobile and digital video ads.

That's according to a report from the Interactive Advertising Bureau, which said Thursday that Internet advertising revenue rose 17 percent to a record $42.8 billion in 2013. Broadcast TV ad revenue, in comparison, was $40.1 billion in 2013.

Mobile advertising revenue more than doubled to $7.1 billion from $3.4 billion in 2012 as companies like Facebook, Google and Twitter boosted their mobile presence.

IAB is made up of more than 600 media and technology companies that sell most of the online advertising in the U.S. The report is based on a survey conducted by PricewaterhouseCoopers.


Tuesday, April 8, 2014

Flaw Found in OpenSSL - the Key Method for Protecting Data on the Internet

Flaw Found in Key Method for Protecting Data on the Internet
By NICOLE PERLROTH  APRIL 8, 2014, 5:08 PM

On Monday, several security researchers, including from Google, uncovered a major vulnerability called “Heartbleed” in the technology that powers encryption across the Internet.

The tiny padlock next to web addresses that promised to protect our most sensitive information — passwords, stored files, bank details, even Social Security numbers — is broken.

A flaw has been discovered in one of the Internet’s key encryption methods, potentially forcing a wide swath of websites to swap out the virtual keys that generate private connections between the sites and their customers.

On Tuesday afternoon, many organizations were heeding the warning. Companies like Lastpass, the password manager, and Tumblr, the social network owned by Yahoo, said they had issued fixes and warned users to immediately swap out their usernames and passwords.

The vulnerability involves a serious bug in OpenSSL, the technology that powers encryption for two-thirds of web servers. It was revealed Monday by a team of Finnish security researchers who work for Codenomicon, a security company in Saratoga, Calif., and two security engineers at Google.

Researchers are calling the bug “Heartbleed” because it affects the “heartbeat” portion of the OpenSSL protocol, which pings messages back and forth. It can and has been exploited by attackers.

The bug allows attackers to access the memory on any web server running OpenSSL and take all sorts of information: customer usernames and passwords, sensitive banking details, trade secrets and the private encryption keys that organizations use to communicate privately with their customers.

What makes the Heartbleed bug particularly severe is that it can be used by an attacker without leaving any digital crumbs behind.

“It’s a serious bug in that it doesn’t leave any trace,” said David Chartier, the chief executive at Codenomicon. “Bad guys can access the memory on a machine and take encryption keys, usernames, passwords, valuable intellectual property, and there’s no trace they’ve been there.”

Three security researchers at Codenomicon’s offices in Oulu, Finland, first discovered the bug last Thursday. The researchers, Antti Karjalainen, Riku Hietamäki and Matti Kamunen, immediately alerted the Finnish authority that is charged with responsibly disclosing security bugs. As it turned out, a security researcher at Google, Neel Mehta, had also discovered the bug and the Google security team had been working on a fix.

On Monday, the open-source team that oversees OpenSSL issued a warning to people and organizations about the bug, and encouraged anyone using the OpenSSL library to upgrade to the latest version, which fixes the problem.

Security researchers say it is impossible to know whether an attacker used the bug to steal a victim’s information, but found evidence that attackers were aware of the bug and had been exploiting it. Researchers monitoring various “honeypots” — stashes of fake data on the web aimed at luring hackers so researchers can learn more about their tools and techniques — found evidence that attackers had used the Heartbleed bug to access the fake data.

But actual victims are out of luck. “Unless an attacker blackmails you, or publishes your information online, or steals a trade secret and uses it, you won’t know if you’ve been compromised,” Mr. Chartier said. “That’s what makes it so vicious.”

Security researchers are warning organizations to get new private encryption keys as quickly as possible, and warning people to start changing their usernames and passwords immediately, particularly for sensitive accounts like their online banking, email, file storage and e-commerce accounts.

“This still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe was actually making all that private information accessible to anyone who knew about the exploit,” Tumblr’s security team wrote on their site.

“This might be a good day to call in sick and take some time to change your passwords everywhere— especially your high-security services like email, file storage and banking, which may have been compromised by this bug.”

Mr. Chartier advised users to consider their passwords gone. “Companies need to get new encryption keys and users need to get new passwords immediately,” he said. “And do it quickly.”