Catastrophic Security Flaw Impacts Millions of Sites

The Heartbleed Bug
An incredibly large number of websites, email servers and virtual private networks (VPNs) use security software called OpenSSL to shield communications between your computer and their servers. When you log in to Yahoo, for example, OpenSSL prevents an attacker from intercepting the transmitted data to capture your login and password. The OpenSSL software library is a major part of what keeps much of the world’s private data safe across the web — it’s the heart of online security, if you will.

Heartbleed is a major security hole in multiple versions of OpenSSL resulting in temporary information being stored in a site’s server memory after it has been unencrypted. That server memory can be read by anyone on the Internet. The bug lets attackers sneak a peek at your login credentials and also can give them the encryption key they need to unlock any other sensitive information being stored and transmitted. It can even give hackers the ability to impersonate websites in the future using those stolen encryption keys.
http://www.techlicious.com/blog/heartbleed-security-bug-may-be-worst-ever/

List of websites allegedly affected by the Heartbleed Bug

What about PC Pitstop?

We here at PC Pitstop have evaluated all of our servers and only one non-essential server (that does not transmit account data) required the OpenSSL patch.

At this time, we are not requiring or recommending password changes for PC Pitstop related accounts.

Lest readers think “catastrophic” is too exaggerated a description for the critical defect affecting an estimated two-thirds of the Internet’s Web servers, consider this: at the moment this article was being prepared, the so-called Heartbleed bug was exposing end-user passwords, the contents of confidential e-mails, and other sensitive data belonging to Yahoo Mail and almost certainly countless other services.
http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/

What’s going on? Should I panic? I should panic, right?!

It’s not time to panic. It’s just time to be vigilant – extra vigilant. By some estimates, this bug could affect around two-thirds of web servers and, as stated above, it could affect sites you log into — email, social networks, even a VPN you might use for work.
http://time.com/55337/how-to-protect-yourself-against-the-heartbleed-bug/

How can I stay protected?
The good news is that there is no evidence that hackers have used the Heartbleed exploit to steal data. That’s not to say an attack hasn’t happened, just that it would be very difficult to determine if one did. But you can bet the attacks will start ramping up now that the exploit is widely known.

Unfortunately, even the best anti-virus software won’t protect against Heartbleed. The only way to stay safe—for now—is to avoid sites that have yet to patch the OpenSSL Heartbleed bug. Hopefully, the browser developers will quickly create a feature that will flag you when visiting a site that is still vulnerable.

Once a site has been fixed, you should change your password as soon as possible. A password management program will help you create and manage unique passwords for every site.
http://www.techlicious.com/blog/heartbleed-security-bug-may-be-worst-ever/

Should I upgrade my Anti-Virus or something?

The Heartbleed bug in OpenSSL does not have anything to do with your antivirus or firewall. This is not a client side issue so you can do little about it. On the other side, servers have to apply a patch to the OpenSSL system they are using. That done, the website can be said to be safer for interacting.

What you can do as a user is to reduce the number of visits to commerce and similar sites. It is not that the bug affects only the commerce sites. It is equal for all types of websites that use OpenSSL. I say avoid commerce sites for a while as they would be the major target for hackers who would want your card details etc. It means that the primary target of hackers would be e-commerce sites using OpenSSL.

Once you get a message/report that the bug is fixed, you can go ahead as you used to do before the bug was discovered. OpenSSL has created a patch and has released it for website owners to secure their users’ data. Until then, try to avoid sites where you have to give your data in any form – even login credentials. I am sure almost all webmasters must be going in for the patch but there is still a problem. Once you are sure that there are no vulnerabilities or such vulnerabilities have been patched, it might be a good idea to change your passwords.
http://www.thewindowsclub.com/heart-bleed-bug

It’s probably premature for users to replace passwords across the board, but for sites they know have received the OpenSSL patch, it may be a good idea to change login credentials. People who are truly security conscious may want to change passwords a second time if they notice a patched site later updates its digital certificate.

In the meantime, readers should steer clear of Yahoo Mail and any other sites that are still running vulnerable versions of OpenSSL. The login credential you save may be your own.

http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/
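The advice quoted above (change the password once a site is patched, and again if the site later reissues its certificate) can be turned into a simple check on the certificate's validity start date. This is an added example, not code from the original post or from any of the quoted sources; the disclosure date used as the cut-off and the two sample certificate dicts are assumptions constructed here.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumed cut-off: certificates whose validity starts on or after the public
# disclosure of Heartbleed are treated as "reissued after the patch window".
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Constructed sample certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(); only the fields used below are filled in.
OLD_CERT = {"subject": ((("commonName", "mail.example.com"),),),
            "notBefore": "Mar  1 00:00:00 2014 GMT",
            "notAfter": "Mar  1 00:00:00 2015 GMT"}
NEW_CERT = {"subject": ((("commonName", "mail.example.com"),),),
            "notBefore": "Apr 10 00:00:00 2014 GMT",
            "notAfter": "Apr 10 00:00:00 2015 GMT"}


def cert_not_before(cert):
    """Parse the 'notBefore' field of a getpeercert()-style dict into a UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def assess_certificate(cert, patched=True, cutoff=HEARTBLEED_DISCLOSURE):
    """Classify a site as 'unpatched', 'patched-old-cert' or 'patched-new-cert'.

    'patched' is the caller's knowledge that the server no longer runs a
    vulnerable OpenSSL; a certificate date alone cannot establish that.
    A new certificate also does not prove the private key was regenerated,
    so the result is a hint for the user, not proof of a clean key.
    """
    if not patched:
        return "unpatched"
    if cert_not_before(cert) >= cutoff:
        return "patched-new-cert"
    return "patched-old-cert"


def recommendation(status):
    """Map a status to the password advice given in the quoted articles."""
    return {
        "unpatched": "do not log in or change the password yet; wait for the patch",
        "patched-old-cert": "change the password now; watch for a reissued certificate",
        "patched-new-cert": "certificate reissued after disclosure; change the password again",
    }[status]


def fetch_peer_cert(host, port=443, timeout=5):
    """Fetch a live certificate in the same dict shape (optional; needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Run `recommendation(assess_certificate(fetch_peer_cert("example.com")))` to check a live site; the sample dicts exercise the same logic offline.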

April Security News is Serious
http://billpstudios.blogspot.com/2014/04/april-security-news-is-serious.html

What’s the Real Story with The Heartbleed Security Hole?
http://www.askdavetaylor.com/whats-real-story-heartbleed-security-hole/


14 thoughts on “Catastrophic Security Flaw Impacts Millions of Sites”

  1. How can you tell when a website has patched it, like Yahoo Mail? That is what I have been using for years.

  2. This is a wake-up call for all the complacent, apathetic and blasé computer users who think the internet is safe to use. Maleficent hackers are rife on the internet developing even more clever and pernicious and infectious viruses, malware, spyware, key-loggers and the like, not to mention the phishers – who all exploit loopholes in operating system security, security software houses and the like, who spuriously believe their systems robust and impregnable: HOW WRONG THEY ALL ARE !!!

    • @Phil:

      We can confirm that all PC Pitstop servers have been evaluated for Heartbleed related vulnerabilities and any necessary patches are now complete.

  3. Er…the headline is Catastrophic Security Flaw yet the List of websites allegedly affected page only contains a short list of sites which were affected but have been since patched and a long list of sites which are NOT affected! How does that help anyone? What was needed was a list of popular sites that ARE affected….

    • @Sheri: While an exact count is impossible to determine, an estimated 500k sites were affected by this security hole. And those sites that are patched were still vulnerable in the past, meaning your data could have been compromised. So you need to take action to change your passwords on those sites that are patched and avoid logging in to unpatched sites until they are patched. Of course if you’re like the majority of people who share passwords across sites, you should change passwords even on sites listed as not affected, because that password may have been compromised elsewhere.

  4. Chromebleed reports that this domain techtalk.pcpitstop.com is vulnerable to the Heartbleed SSL bug. Talk about irony.

    • @Paul:

      We can confirm that all PC Pitstop servers have been evaluated for Heartbleed related vulnerabilities and any necessary patches are now complete.

    • @Tom A. Funke:
      Don’t update passwords until the site concerned has been patched, or you’ll just be increasing the chance of your username/password combination being in the 64k of memory that can be grabbed by anyone maliciously exploiting the bug.
      Once the site has been patched, THAT is the time to change your credentials. Certainly not before.
