April 9, 2014

Heartbleed


Everybody across the Internet is affected by this bug. The Heartbleed bug is a vulnerability in the popular OpenSSL cryptographic library, which is used to implement HTTPS encryption in websites, email servers, and applications. OpenSSL is what many web applications rely on to transmit information securely, so the bug is like leaving thieves the keys to the palace: through it, attackers can read a server's memory and recover encryption keys, usernames, passwords, emails, instant messages, credit card numbers, and other sensitive data. Some experts estimate that this major vulnerability affects around two-thirds of web servers. Even a major webmail service, Yahoo Mail, fell victim to this bug, though it has since been patched.

The bug's official name is CVE-2014-0160, but that name is not very catchy. Experts dubbed it Heartbleed because it is a vulnerability in OpenSSL's implementation of the TLS heartbeat extension.
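The root cause, as an added illustration that is my own simplified model and not OpenSSL's code: the heartbeat handler trusted the payload length claimed in the request and echoed that many bytes back without checking that the record it had actually received was that long, so the reply could carry whatever happened to sit in memory after the record. The block below contrasts that defective pattern with the hardened one that validates the claimed length against the record. The message layout follows RFC 6520; the memory image, the `SECRET_DATA` marker and the function names are constructed for this demonstration, and the unchecked copy is clamped to the constructed image only so that the program stays well-defined.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified TLS heartbeat message layout (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (at least 16 bytes)
 * The receiver echoes the payload back in a heartbeat response. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_MIN_PAD   16

static uint16_t read_u16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Defective pattern: the claimed payload_length is trusted and never compared with the
 * length of the record that actually arrived. `mem`/`mem_len` model the memory that
 * follows the record; the copy is clamped to that model only so this program stays
 * well-defined. Returns the number of payload bytes echoed, or -1. */
int hb_reply_unchecked(const uint8_t *mem, size_t mem_len, uint8_t *out, size_t out_cap) {
    if (mem_len < 3 || mem[0] != HB_REQUEST) return -1;
    uint16_t payload_len = read_u16(mem + 1);
    if ((size_t)3 + payload_len > mem_len || (size_t)3 + payload_len > out_cap) return -1; /* model bound only */
    out[0] = HB_RESPONSE; out[1] = mem[1]; out[2] = mem[2];
    memcpy(out + 3, mem + 3, payload_len);   /* copies past the record when payload_len is oversized */
    return payload_len;
}

/* Hardened pattern: the claimed length must fit inside the received record (rec_len),
 * leaving room for the header and the minimum padding. Malformed requests are dropped. */
int hb_reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_MIN_PAD || rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = read_u16(rec + 1);
    if ((size_t)1 + 2 + payload_len + HB_MIN_PAD > rec_len) return -1;  /* the missing bounds check */
    if ((size_t)3 + payload_len > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    return payload_len;
}

/* Constructed memory image: a 22-byte heartbeat record (3-byte payload "abc" plus 16 bytes
 * of padding) followed by 11 bytes standing in for other data held by the same process. */
#define REC_LEN 22
static const uint8_t ARENA[REC_LEN + 11] = {
    HB_REQUEST, 0x00, 0x03, 'a', 'b', 'c',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    'S', 'E', 'C', 'R', 'E', 'T', '_', 'D', 'A', 'T', 'A'
};

/* Copy of the image whose header claims a 30-byte payload the record does not contain. */
static void oversized_copy(uint8_t *dst) {
    memcpy(dst, ARENA, sizeof ARENA);
    dst[1] = 0x00; dst[2] = 30;
}

/* Returns 1 if the unchecked handler echoed bytes from beyond the record. */
int unchecked_leaks_neighbour(void) {
    uint8_t mem[sizeof ARENA]; uint8_t out[64];
    oversized_copy(mem);
    int n = hb_reply_unchecked(mem, sizeof mem, out, sizeof out);
    /* 3 payload bytes + 16 padding bytes precede the neighbouring data in the echo */
    return n == 30 && memcmp(out + 3 + 19, "SECRET_DATA", 11) == 0;
}

/* Returns 1 if the checked handler rejects the same oversized request. */
int checked_rejects_oversized(void) {
    uint8_t mem[sizeof ARENA]; uint8_t out[64];
    oversized_copy(mem);
    return hb_reply_checked(mem, REC_LEN, out, sizeof out) == -1;
}

/* Returns 1 if the checked handler still echoes a well-formed 3-byte payload. */
int checked_echoes_valid(void) {
    uint8_t out[64];
    int n = hb_reply_checked(ARENA, REC_LEN, out, sizeof out);
    return n == 3 && out[0] == HB_RESPONSE && memcmp(out + 3, "abc", 3) == 0;
}

int main(void) {
    printf("unchecked handler leaks neighbouring bytes: %d\n", unchecked_leaks_neighbour());
    printf("checked handler rejects oversized request:  %d\n", checked_rejects_oversized());
    printf("checked handler echoes valid request:       %d\n", checked_echoes_valid());
    return 0;
}
```

The single added comparison in `hb_reply_checked` is the whole difference: a length field supplied by the peer is only safe to use once it has been checked against the number of bytes that actually arrived.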
According to Heartbleed.com:
"Bugs in single software or library come and go and are fixed by new versions. However this bug has left large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously."
 
What should you do?
Check the Heartbleed test to see whether a server is still running the vulnerable OpenSSL version. You can also contact the server's customer service line (if available) to verify.
 
If the server is still running the vulnerable version, do not log into your account there. Avoid logging into the site until you know it has been patched.
 
Once the server has been patched, change your password immediately, even if you have two-factor authentication enabled. Check out our "commonly common password" post for tips on setting a strong password.
 
Review all bank account and other financial statements for unknown charges, since this vulnerability impacts financial accounts as well. 

References:
Aamoth, D. (2014, Apr 9). How to protect yourself against the Heartbleed bug. TIME Magazine. Retrieved from http://time.com/55337/how-to-protect-yourself-against-the-heartbleed-bug/

Codenomicon. (2014, Apr). The Heartbleed bug. Retrieved from http://heartbleed.com/

Goodin, D. (2014, Apr 8). Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style. Ars Technica. Retrieved from http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/

Nieva, R. (2014, Apr 8). How to protect yourself from the 'Heartbleed' bug. CNET. Retrieved from http://www.cnet.com/news/how-to-protect-yourself-from-the-heartbleed-bug/

2 comments:

  1. This link from CNET seems to be a problem. It came from Facebook, yet will not load. Can some intel/security geek check it out?

    http://www.cnet.com/news/how-to-protect-yourself-from-the-heartbleed-bug/?ttag=fbwl

    Replies
    1. Thanks for alerting me to the dead link. Try this one instead: http://www.cnet.com/news/how-to-protect-yourself-from-the-heartbleed-bug/. I updated the post with this new link.