It is being universally described as “catastrophic” and “the biggest security threat the internet has ever seen”… it is called Heartbleed.
Heartbleed – What is it?
“Heartbleed” is the name given to a bug (CVE-2014-0160) recently discovered in the TLS ‘heartbeat’ extension of the widely used OpenSSL open-source toolkit. The vulnerability does not break the encryption itself; it lets an attacker read chunks of a server’s memory, and that memory can contain personal information such as credit card details, passwords and banking details.
OpenSSL is an open-source implementation of the SSL/TLS protocols, used by millions of sites to encrypt and protect communications, passwords and other sensitive information transmitted to and from users. For example, when you log on to a bank site, pay for online purchases by credit card, or communicate with any site where data security is critical, chances are it will be using OpenSSL.
From: Heartbleed.com
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
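To make the “read the memory” part concrete, here is a simplified simulation added for this page; it is not OpenSSL’s own code and not a network tool. A heartbeat request carries a claimed payload length; the vulnerable handler copies that many bytes back from wherever the record sits in memory, while the fixed handler first checks the claim against the length of the record it actually received. The “process memory” array, the secret string placed behind the record, and all function names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-alone simulation of the missing bounds check behind Heartbleed
 * (CVE-2014-0160). Illustration written for this page, not OpenSSL's own
 * tls1_process_heartbeat(). A heartbeat record (RFC 6520) is:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * The vulnerable code copied payload_length bytes into the response without
 * checking that the record actually contained that many bytes. */

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

typedef size_t (*hb_handler)(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap);

/* Constructed "process memory": the received record is placed at the start,
 * and unrelated data from another session sits directly behind it. */
static unsigned char process_memory[256];
static const char secret_after_record[] = "user=alice&password=hunter2";

/* Place a heartbeat request in process_memory that claims `claimed` payload
 * bytes but really carries only `actual`. Returns the true record length. */
static size_t build_record(uint16_t claimed, size_t actual) {
    size_t rec_len = 1 + 2 + actual + HB_PADDING;
    memset(process_memory, 0, sizeof process_memory);
    process_memory[0] = HB_REQUEST;
    process_memory[1] = (unsigned char)(claimed >> 8);
    process_memory[2] = (unsigned char)(claimed & 0xff);
    memset(process_memory + 3, 'A', actual);
    memcpy(process_memory + rec_len, secret_after_record, sizeof secret_after_record);
    return rec_len;
}

/* Vulnerable: trusts the peer-supplied length and never looks at rec_len.
 * With claimed > actual, memcpy reads past the end of the record
 * (in real OpenSSL, up to 64 KiB per request). */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_cap) {
    (void)rec_len;                                   /* ignored: that is the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return 0;                /* keeps the demo itself in bounds */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);               /* over-read happens here */
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Fixed: the claimed payload plus header and padding must fit inside the
 * record actually received; otherwise the message is silently dropped
 * (the check OpenSSL 1.0.1g added, expressed in this simulation's terms). */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Does `needle` (a C string) appear anywhere in `hay`? Portable memmem. */
static int contains(const unsigned char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Send a malicious request (claims 64 bytes, carries 4) through a handler;
 * 1 if the secret behind the record came back in the response, else 0. */
static int leaks_secret(hb_handler handler) {
    unsigned char resp[256];
    size_t rec_len = build_record(64, 4);
    size_t n = handler(process_memory, rec_len, resp, sizeof resp);
    return n != 0 && contains(resp, n, secret_after_record);
}

/* Length of the response to an honest request (claims 4, carries 4);
 * both handlers must answer it, so the fix does not break the protocol. */
static size_t honest_response_len(hb_handler handler) {
    unsigned char resp[256];
    size_t rec_len = build_record(4, 4);
    return handler(process_memory, rec_len, resp, sizeof resp);
}

int main(void) {
    printf("vulnerable handler leaks secret: %s\n", leaks_secret(heartbeat_vulnerable) ? "yes" : "no");
    printf("fixed handler leaks secret:      %s\n", leaks_secret(heartbeat_fixed) ? "yes" : "no");
    printf("honest request answered by fixed handler: %zu bytes\n", honest_response_len(heartbeat_fixed));
    return 0;
}
```

The one-line difference between the two handlers is the comparison of the claimed length against the received record length; everything an attacker obtained from Heartbleed followed from its absence, which is why the fix was a single small patch and the clean-up (new keys, new certificates, new passwords) was the expensive part.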
Heartbleed – What Sites are Affected?
Exact numbers are nigh on impossible to ascertain, but almost certainly all sites running OpenSSL versions 1.0.1 through 1.0.1f (and the 1.0.2-beta1 pre-release) with the ‘heartbeat’ extension enabled would be vulnerable; the extension is compiled in and enabled by default in those versions, while the older 0.9.8 and 1.0.0 branches never contained the code and are not affected. According to website monitoring company Netcraft, this could number more than half a million sites. An updated ‘fixed’ version of OpenSSL (OpenSSL 1.0.1g) has since been released and affected sites are being urged to update as soon as possible. Two caveats for anyone checking a server: the version string alone is not conclusive, since some Linux distributions shipped the fix as a patch to their existing 1.0.1e packages without changing the reported version; and because private keys may already have been read out of memory, patching must be followed by generating new keys, reissuing certificates and revoking the old ones. Considering the vast numbers involved, all this could take quite some time to complete.
Following all the publicity generated by the discovery of the Heartbleed bug, a number of sites have now initiated services to help identify vulnerable sites. One of the most thorough lists of major sites and their current status is available on Mashable, here: The Heartbleed Hit List: The Passwords You Need to Change Right Now
There are also quite a few services available that will scan a specific site for you and let you know whether it is vulnerable or not:
- http://filippo.io/Heartbleed/
- http://heartbleed.criticalwatch.com/
- https://www.ssllabs.com/ssltest/
Heartbleed – What You Should Do
The original, and somewhat hasty, advice was to immediately change all passwords. However, as advisers realized that changing passwords on sites still affected by the bug would be defeating the purpose (the new password could be read out of memory just like the old one), that advice has since been adjusted accordingly.
So, the general consensus now is to check all the sites you log on to through one or more of the online vulnerability scanners listed above and change the password only for those sites which show as not vulnerable. For those sites showing as vulnerable, wait until they have fixed the issue and then change your password. Under no circumstances should you log on to a vulnerable site.
Brian Krebs, for example, offers the following advice in a related article recently posted on his KrebsOnSecurity blog:
I believe it is a good idea for Internet users to consider changing passwords at least at sites that they visited since this bug became public (Monday morning). But it’s important that readers first make an effort to determine that the site in question is not vulnerable to this bug before changing their passwords.
Help Net Security also offers the following similar advice:
If you are not sure whether an online service has moved to fix the hole, you can always check via one of several online checkers for the Heartbleed bug. Changing your password before a service has done the cleaning up is pointless – wait until they do.
It is also highly likely that a number of affected sites will notify users and urge them to change their passwords, while others may force users to do so. However, as phishers are almost certain to exploit the situation, this also requires a cautionary note: do not click on links contained in any such emails, regardless. Access your account via the official login page by following a bookmark or entering the site’s URL in your browser’s address bar yourself, and then change the password.
I am certainly no security expert, far from it; this is just my take on the situation, presented in layman’s terms after perusing multiple reports. I suggest you read through the following two articles posted by Brian Krebs (who is a security expert) on his KrebsOnSecurity blog:
Great advice, Jim!
I hope everyone listens to this,
Richard
If you have LastPass, LastPass can do a scan and tell you of possibly affected sites, and tell you whether you should change your password now or later (depending on whether the site has been updated yet).