Heartbleed bug

Central Scrutinizer

Administrator
Staff member
Critical Security Bug 'Heartbleed' Hits Up To 66 Percent Of The Internet
The Huffington Post | by Betsy Isaacson

Posted: 04/08/2014 5:08 pm EDT

The Heartbleed bug has affected the back end of a full two thirds of the internet.

As much as 66 percent of the Web may have been compromised by a newly revealed security flaw called Heartbleed.

So named by the researchers who discovered it, Heartbleed is a bug that affects an important internet security protocol called SSL. Specifically, it affects one particular implementation of SSL called OpenSSL.

For context (and to understand how bad Heartbleed is), here's how SSL and OpenSSL work: Every time you log into a website, your login credentials are sent to that website's server. But in most cases those credentials aren't simply sent to the server in plain text -- they're encrypted using a protocol called Secure Sockets Layer, or SSL.

As with most protocols, different software makers have created different implementations of SSL. One of the most popular is an open-source implementation called OpenSSL, used by an estimated two thirds of currently active websites.

Heartbleed is a bug in OpenSSL. Hackers can exploit Heartbleed to get raw text from emails, instant messages, passwords, even business documents -- anything a user sends to a vulnerable site's server.

And the scariest part? The Heartbleed security flaw existed for nearly two years before it was discovered by legitimate researchers. That's plenty of time for black-hat hackers to have discovered and exploited the bug.

So what can users do? Matthew Prince, CEO of content delivery network Cloudflare, one of the first businesses to be notified of the bug, told The Huffington Post that sadly, there's not much normal netizens can do to protect themselves. "When you finish using a website, make sure to actively log out," Prince advised -- that makes it less likely that a hacker exploiting Heartbleed will be able to take your personal information.

Prince also put in a word of comfort: "Heartbleed is so serious -- it's such a big, bad event -- that almost every major service is scrambling to clean it up as quickly as possible." He estimated that most currently vulnerable websites will be "patched" by the end of the week.

Though a number of major websites have already been patched, others, including OKCupid, Flickr, Imgur and Yahoo.com, reportedly remain vulnerable to Heartbleed.

Users can test if their favorite websites are vulnerable here, though this service is reportedly not 100 percent reliable. Vulnerable sites should not be logged into until they're patched -- check those sites' blogs or Twitter feeds for updates -- and once a website has its patch in place, you should change your password for that site as soon as possible.
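The article above says Heartbleed lets an attacker pull raw data out of a vulnerable server's memory but does not show the defect itself. The following is an added example (not code from the Huffington Post article, from the forum, or from OpenSSL) that models the failure mode on a simplified heartbeat record: one type byte, a two-byte length the peer claims for its payload, the payload, and 16 bytes of padding. The record layout, the function names (`build_heartbeat`, `echo_unchecked`, `echo_checked`, `demo_leak`, `demo_well_formed`) and the sample "secret" bytes are all constructed for this example. `echo_unchecked` trusts the claimed length and so reads past the bytes that actually arrived; `echo_checked` applies the kind of bounds check the OpenSSL fix added, dropping any record whose claimed payload does not fit inside what was received.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER_LEN  3   /* 1 byte type + 2 byte claimed payload length */
#define HB_PADDING_LEN 16  /* minimum padding that follows the payload   */
#define HB_REQUEST     1

/* Build a heartbeat request: type, big-endian claimed length, payload, padding.
 * claimed_len may deliberately disagree with actual_len, which is the Heartbleed
 * condition. Returns the record length, or -1 if it does not fit in buf. */
int build_heartbeat(unsigned char *buf, size_t cap, const unsigned char *payload,
                    size_t actual_len, uint16_t claimed_len) {
    size_t rec_len = HB_HEADER_LEN + actual_len + HB_PADDING_LEN;
    if (rec_len > cap) return -1;
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(claimed_len >> 8);
    buf[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(buf + HB_HEADER_LEN, payload, actual_len);
    memset(buf + HB_HEADER_LEN + actual_len, 0, HB_PADDING_LEN);
    return (int)rec_len;
}

/* Vulnerable pattern: echo back as many bytes as the peer CLAIMS, never
 * comparing that claim with the size of the record that actually arrived. */
int echo_unchecked(const unsigned char *rec, size_t rec_len,
                   unsigned char *out, size_t out_cap) {
    (void)rec_len;                        /* the record length is never consulted */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > out_cap) return -1;
    memcpy(out, rec + HB_HEADER_LEN, claimed);   /* over-read when claimed > actual */
    return (int)claimed;
}

/* Hardened pattern: the claimed payload, plus header and padding, must fit
 * inside the bytes received; otherwise the record is silently discarded. */
int echo_checked(const unsigned char *rec, size_t rec_len,
                 unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HEADER_LEN + HB_PADDING_LEN) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER_LEN + claimed + HB_PADDING_LEN > rec_len) return -1;
    if (claimed > out_cap) return -1;
    memcpy(out, rec + HB_HEADER_LEN, claimed);
    return (int)claimed;
}

/* Demonstration: a 2-byte payload that claims 64 bytes, with constructed
 * "secret" data placed directly after the record in the same buffer, standing
 * in for whatever else happened to be in server memory. Returns 1 if the
 * unchecked handler echoed the secret and the checked handler refused. */
int demo_leak(void) {
    unsigned char memory[256];
    unsigned char out[256];
    memset(memory, 0, sizeof memory);
    int rec_len = build_heartbeat(memory, sizeof memory,
                                  (const unsigned char *)"hi", 2, 64);
    if (rec_len < 0) return 0;
    const char *secret = "SECRET-SESSION-COOKIE";     /* constructed sample data */
    memcpy(memory + rec_len, secret, strlen(secret));

    int n = echo_unchecked(memory, (size_t)rec_len, out, sizeof out);
    /* echoed bytes: 2 real payload bytes, 16 padding bytes, then the secret */
    int leaked  = (n == 64) &&
                  memcmp(out + 2 + HB_PADDING_LEN, secret, 6) == 0;
    int refused = echo_checked(memory, (size_t)rec_len, out, sizeof out) == -1;
    return leaked && refused;
}

/* A well-formed request (claimed length equals actual length) is still served
 * by the checked handler; returns the number of bytes echoed. */
int demo_well_formed(void) {
    unsigned char rec[64];
    unsigned char out[64];
    int rec_len = build_heartbeat(rec, sizeof rec, (const unsigned char *)"hi", 2, 2);
    if (rec_len < 0) return -1;
    return echo_checked(rec, (size_t)rec_len, out, sizeof out);
}

int main(void) {
    printf("unchecked handler leaks, checked handler refuses: %s\n",
           demo_leak() ? "yes" : "no");
    printf("well-formed request echoed bytes: %d\n", demo_well_formed());
    return 0;
}
```

The point for a defender is the single comparison in `echo_checked`: a length supplied by the peer is untrusted input and must be validated against the data that actually arrived before it drives a copy. The leak is silent on the server side, which is why the article's advice to wait for a patch before changing passwords matters.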
 

Kat

Administrator
Staff member
How To Protect Yourself From This New Terrifying Security Flaw Called 'Heartbleed'
The Huffington Post | by Alexis Kleinman

Posted: 04/09/2014 http://www.huffingtonpost.com/2014/04/09/heartbleed-protect_n_5117268.html

There's a big problem with one of the tools used to protect your data as it travels over the Internet.

The bug, revealed on Monday by security researchers at Google and at an independent firm called Codenomicon, is called Heartbleed, and it compromises at least 66 percent of active websites, according to the team that discovered it.

Whenever data (passwords, usernames, etc.) is sent through the Internet, it gets encrypted, or turned into a code, so hackers can't access it. What makes the Heartbleed flaw truly scary is that it can allow hackers to break that encryption and access to your emails, passwords, documents and instant messages across such a large swath of the Internet. Though just discovered, this bug has likely existed for two years.

In short, it's a nightmare. So how can you protect yourself now?

You can and should check to see if websites you frequent have been impacted by the bug before you visit them again. You can download this Chrome extension, Chromebleed, that warns you when a site you're visiting has been affected.

https://chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic

You can also plug in a website to check if it's impacted on this webpage set up by Italian security consultant Filippo Valsorda. This test is not foolproof though, so don't rely on it alone.
 

Central Scrutinizer

Administrator
Staff member
The Heartbleed Bug Goes Even Deeper Than We Realized -- Here's What You Should Do
The Huffington Post | by Alexis Kleinman

Posted: 04/11/2014 http://www.huffingtonpost.com/2014/04/11/heartbleed-routers_n_5132306.html

Cisco Systems and Juniper Networks, two of the biggest creators of Internet equipment, announced on Thursday that their products had been impacted by the Heartbleed bug. Routers, firewalls and switches from these manufacturers and others have all likely been affected by the bug, leaving your personal information at risk of being stolen by hackers.

When information is passed through the Internet, it is encrypted, meaning it is turned into unreadable code, so it can't be easily read and stolen. If you have Internet at home, it goes through a router, a small device that connects different networks together.

On Monday, researchers at security firm Codenomicon and Google Security's Neel Mehta discovered the Heartbleed bug, which leaves some private information, such as passwords and usernames, open to theft. And now Internet equipment companies have discovered hackers could have access to your personal information through your home router.

So what should you do?

Stay away from public Wi-Fi. You never know what kinds of routers and firewalls public places are using, let alone whether or not they have taken the proper precautions against Heartbleed. You're better off not taking any chances and staying away from public Wi-Fi until this gets settled.

Change your passwords for the sites that have been patched. Don't go around changing all of your passwords willy-nilly. If an affected website hasn't patched itself up, it's useless to change your password since the new one could be stolen too. You should change your passwords on the following sites, since they, according to Mashable, have been patched:

Change your passwords for Google (and Gmail), Yahoo (and Yahoo Mail), Facebook, Pinterest, Instagram, Tumblr, Etsy, GoDaddy, Intuit, USAA, Box, Dropbox, GitHub, IFTTT, Minecraft, OKCupid, SoundCloud and Wunderlist. As more companies create patches to Heartbleed, this list will likely grow.

Keep an eye on your credit card and bank statements. If, in the worst case scenario, your identity or personal information was stolen, you probably wouldn't know it right away. You should be periodically checking to make sure there aren't any strange charges on your accounts, just in case.

Download software updates when they become available. In a message to customers, Cisco revealed that the Heartbleed bug, a problem with the encryption of data online, may allow hackers to get access to people's passwords, usernames and other information.

Cisco has released a complete list of all vulnerable products and is working on creating free software updates to protect customers. Juniper has also published a list of vulnerable devices and is working on a solution.

Until these companies release software updates, go figure out what kind of router your home or business has and check back on that company's site every few days to see if a software update is available for download. It could take some time, so be patient.

Turn off your router's remote access. "In the case of home routers, if it's a router that you purchased yourself, almost all of them provide the capability to disable remote access," Adam Allred, a research technologist at the Georgia Tech College of Computing, told The Huffington Post. "Most routers take the home network and the Internet that they connect to and split them into two pieces. Remote access describes the ability to get to your home router from the Internet outside of your home."

Most people don't really need remote access unless they are trying to configure their router from elsewhere, Allred says. Turning it off can make it less likely for hackers to be able to come in and exploit your home router, and it won't change your experience at all.

People with newer routers should download patches when they become available, and if your router was provided by your ISP (AT&T, Comcast, etc.) Allred recommends that you contact them and ask if they have any plans to patch home routers.

Only if you have an older router that you purchased yourself, patches aren't available and you need to use remote access for some reason should you consider getting a new router.
 

Sophie

Samurai
http://www.bbc.com/news/technology-26985818

11 April 2014

US government warns of Heartbleed bug danger
By Leo Kelion Technology desk editor

The US government has warned that it believes hackers are trying to make use of the Heartbleed bug.

The Department of Homeland Security advised the public to change passwords for sites affected by the flaw once they had confirmed they were secure.

However, an official added that there had not been any reported attacks or malicious incidents.

The alert comes as several makers of net hardware and software revealed some of their products had been compromised.....



Also
'A mistake'

A German computer programmer has accepted responsibility for the emergence of the Heartbleed bug, according to a report in the Sydney Morning Herald.

Robin Seggelman, a 31-year-old from Oelde - 120 miles (193km) north of Frankfurt - is reported to have made the mistake while trying to improve the OpenSSL cryptographic library on 31 December 2011.

"It's tempting to assume that, after the disclosure of the spying activities of the NSA and other agencies, but in this case it was a simple programming error in a new feature, which unfortunately occurred in a security-relevant area," he told Fairfax Media.

"It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project."
 

De Master Yoda

Emeritus
It would make good sense to change our passwords in any case.
 

Miyuki

Administratrix
Staff member
Not until the tekkies fix the problem. Otherwise you are just telling the spies what your new password is.
 