GREENFIELD — Even though a giant security hole was discovered on the Internet earlier this week, officials at NineStar Connect in Hancock County say its Internet customers have not been placed at risk.
Experts from Finnish security firm Codenomicon and a Google engineer working separately stumbled into the hole, known as the “Heartbleed” bug, on Tuesday and found that a large segment of presumably secure web traffic was not quite as secure as previously thought.
“It affected about two-thirds of the secure Internet Web servers on the net,” said Ross Ferson, director of network operations for NineStar.
Experts aren’t sure whether the flaw was ever discovered by hackers, but the vulnerability has existed for more than two years and affects the encryption technology designed to protect online accounts such as email and ecommerce, allowing passwords and credit card information to potentially be snatched in real time as they pass from browser to server.
The leak affected only a form of encryption technology known as OpenSSL; however, that particular platform is one of the most commonly found security buffers on the Internet, signaled by a small green padlock and “https:” on Web browsers.
Though an extraordinary number of servers in the virtual world were compromised by the flaw, only a few internal servers at NineStar were affected, Ferson said, and none of the company’s customer-facing servers were deemed vulnerable.
The problem was not the result of a hack or attack but design vulnerability in the security program itself, Ferson said.
Though NineStar servers used by its Internet customers were not at risk, the company quickly utilized a “patch” that was issued shortly after the bug was discovered.
“The discovery was made on April 8, and by the morning of April 9 we had the patch in place. In about two hours we were patched,” Ferson said.
“We just wanted to reassure our customers that we have to be and are ever vigilant and always on guard to take precautions,” said David Spencer, NineStar director of marketing.
Spencer said the company always encourages its customers to do their own due diligence and change their passwords; however, experts advise checking with their banks and other Web service providers to ensure those sites have been patched and protected before sending information through them.
“The one thing we don’t want people to do is change their passwords too soon,” Ferson said.
Though the fix has been released, it’s up to site administrators to implement it, and reputable websites should advise customers of the Heartbleed bug status on their home pages to inform customers, Ferson said.
The IRS released a statement Wednesday saying it is not affected by the bug or aware of any security flaws. Taxpayers were advised to continue filing normally ahead of the April 15 deadline.
The Associated Press contributed to this story.