Recently, a major security vulnerability named “Heartbleed” has made headlines around the world. This is a severe vulnerability stemming from a coding mistake in a widely-used security utility called OpenSSL.
The bug affects the encryption technology designed to protect your sensitive data on the Internet, like usernames, passwords and emails.
This is a flaw in the OpenSSL encryption code, not a virus that can be stopped by McAfee or other consumer security software. Because this vulnerability affects servers, not consumer devices, businesses need to update to the latest version of OpenSSL to mitigate and address the dangers posed.
The severity of the Heartbleed vulnerability cannot be overstated: several major enterprises use OpenSSL, and are likely affected by this vulnerability as well. The dangers posed by this vulnerability are very real and could affect you if exploited.
So what do you need to do?
- Right now, the best thing you can do is wait to be notified about affected services and patches or you can.
- If you’d like to investigate whether or not a website you frequent has been affected, you can use this tool.
- Reset your password for every online service affected by Heartbleed. But beware: you should only change your password after the afflicted business has fixed its servers to remove the Heartbleed vulnerability. Changing your passwords before a company’s servers are updated will not protect your credentials from being leaked.
You’re likely affected either directly or indirectly by the bug, which was found by a member of Google’s security team and a software firm named Codenomicon.
The bad news: There’s not a lot you can do about it now. It’s the responsibility of Internet companies to update their servers to deal with Heartbleed, and once they do, you can take action.
The issue involves network software called OpenSSL, which is an open-source set of libraries for encrypting online services. In theory, a cybercriminal could have exploited Heartbleed by making network requests that could piece together your sensitive data.
The good news: There isn’t any indication that a hacker caught wind of this; it seems the researchers were the first to locate the problem.
But the scary part is that attackers could have infiltrated these websites, extracted the information they wanted and left no trace of their presence. Thus, it’s hard to determine whether someone ever exploited the bug, or if your account information was compromised.
What to do
First, check which of the sites you use are affected. If you don’t want to read through the long list of websites with the security flaw, the password security firm LastPass has set up a Heartbleed Checker, which lets you enter the URL of any website to check whether it is vulnerable to the bug and whether the site has issued a patch.
Next, change your passwords for major accounts — email, banking and social media logins — on sites that were affected by Heartbleed but patched the problem. That patch should also include reissuing any digital certificates that might be vulnerable. However, if the site or service hasn’t patched the flaw yet, there’s no point to changing your password. Instead, ask the company when it expects to push out a fix to deal with Heartbleed.
A big cause for concern is related to sites that have your sensitive information, such as Yahoo and OKCupid (most people aren’t logging into NASA.gov with private data). Both companies have since issued a patch to fix the security hole, so users with accounts with those companies — including Yahoo Mail, Flickr and so on — should update their passwords immediately.
It’s important to wait to get the “all clear” sign from a company or service before changing your password, especially now that this bug is out in the open. Changing a password before the bug is fully patched won’t make things any better.
Facebook and Twitter use OpenSSL web servers, though it’s still unclear whether or not they were vulnerable to the issue. Facebook reportedly issued a security patch, as did Google.
Other websites that have issued an OpenSSL software security update include WordPress, Amazon Web Services and Akamai.
Some websites not considered vulnerable include AOL, Foursquare and Evernote, among others.
“It’s a big deal for Internet users, especially when it comes to protecting financial information,” Joe Siegrist, CEO and cofounder of LastPass, told. “Some financial organizations are using more conservative web security choices like Microsoft, which is not vulnerable to the bug, so users should check and see if their bank has been affected.”
Make sure to keep an eye on sensitive online accounts, especially banking and email, for suspicious activity for the next week or so.
Heartbleed checker tools:
Let’s hope for the best. 🙂