Catastrophic Security Flaw Impacts Millions of Sites
The Heartbleed Bug
An incredibly large number of websites, email servers and virtual private networks (VPNs) use security software called OpenSSL to shield communications between your computer and their servers. When you log in to Yahoo, for example, OpenSSL prevents an attacker from intercepting the transmitted data to capture your login and password. The OpenSSL software library is a major part of what keeps much of the world’s private data safe across the web — it’s the heart of online security, if you will.
Heartbleed is a major security hole in multiple versions of OpenSSL. It results in temporary information that has already been decrypted remaining in a site’s server memory, and that server memory can be read by anyone on the Internet. The bug lets attackers sneak a peek at your login credentials and can also give them the encryption key they need to unlock any other sensitive information being stored and transmitted. It can even give hackers the ability to impersonate websites in the future using those stolen encryption keys.
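To make that description concrete, here is an added illustration in C; it is not OpenSSL’s code and not part of the original post. Heartbleed itself was a missing length check in OpenSSL’s handling of the TLS heartbeat extension; the record layout, padding size, function names and sample data below are constructed simplifications of that pattern, shown in its vulnerable form beside the bounds-checked form.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified heartbeat-style record (not OpenSSL's code):
 *   [type:1][payload_len:2 big-endian][payload][padding:HB_PADDING] */
#define HB_PADDING 16
#define HB_LEN(rec) ((((size_t)(rec)[1]) << 8) | (rec)[2])

/* Vulnerable echo: trusts the peer's length field and copies that many bytes
 * even when far fewer arrived, so memory adjacent to the record is echoed back. */
size_t hb_echo_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    (void)rec_len;                          /* actual size is never consulted */
    size_t payload_len = HB_LEN(rec);
    if (payload_len > out_cap) return 0;    /* protects `out`, not the read */
    memcpy(out, rec + 3, payload_len);
    return payload_len;
}

/* Hardened echo: the claimed payload must fit inside the bytes actually received. */
size_t hb_echo_hardened(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;               /* header + padding must fit */
    size_t payload_len = HB_LEN(rec);
    if (1 + 2 + payload_len + HB_PADDING > rec_len) return 0; /* the missing bounds check */
    if (payload_len > out_cap) return 0;
    memcpy(out, rec + 3, payload_len);
    return payload_len;
}

/* Demo: a 2-byte heartbeat claiming 40 payload bytes, followed in the same arena
 * by unrelated data (a constructed stand-in). The arena keeps the over-read inside
 * memory we own. Returns 1 if the vulnerable echo leaked the neighbouring bytes. */
int hb_demo_vulnerable_leaks_neighbour(void) {
    uint8_t arena[64] = {0}, out[64] = {0};
    const char *neighbour = "SECRET-KEY-MATERIAL";
    size_t rec_len = 1 + 2 + 2 + HB_PADDING;     /* 21 bytes really arrived */
    arena[0] = 1; arena[1] = 0; arena[2] = 40;   /* type, claimed length 40 */
    arena[3] = 'h'; arena[4] = 'i';              /* the only real payload bytes */
    memcpy(arena + rec_len, neighbour, strlen(neighbour));
    size_t n = hb_echo_vulnerable(arena, rec_len, out, sizeof out);
    /* bytes beyond the record appear in the reply at offset rec_len - 3 */
    return n == 40 && memcmp(out + rec_len - 3, neighbour, strlen(neighbour)) == 0;
}

/* Same malformed record through the hardened path: returns 0 (rejected). */
size_t hb_demo_hardened_rejects(void) {
    uint8_t rec[1 + 2 + 2 + HB_PADDING] = {1, 0, 40, 'h', 'i'}, out[64];
    return hb_echo_hardened(rec, sizeof rec, out, sizeof out);
}
```

The one-line comparison of the claimed length against the bytes actually received is the whole difference between the two handlers; the patch that fixed the real bug was of the same shape.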
What about PC Pitstop?
We here at PC Pitstop have evaluated all of our servers, and only one non-essential server (which does not transmit account data) required the OpenSSL patch.
At this time, we are not requiring or recommending password changes for PC Pitstop related accounts.
Lest readers think “catastrophic” is too exaggerated a description for the critical defect affecting an estimated two-thirds of the Internet’s Web servers, consider this: at the moment this article was being prepared, the so-called Heartbleed bug was exposing end-user passwords, the contents of confidential e-mails, and other sensitive data belonging to Yahoo Mail and almost certainly countless other services.
What’s going on? Should I panic? I should panic, right?!
It’s not time to panic. It’s just time to be vigilant – extra vigilant. By some estimates, this bug could affect around two-thirds of web servers and, as stated above, it could affect sites you log into — email, social networks, even a VPN you might use for work.
How can I stay protected?
The good news is that there is no evidence that hackers have used the Heartbleed exploit to steal data. That’s not to say an attack hasn’t happened, just that it would be very difficult to determine if one did. But you can bet the attacks will start ramping up now that the exploit is widely known.
Unfortunately, even the best anti-virus software won’t protect against Heartbleed. The only way to stay safe—for now—is to avoid sites that have yet to patch the OpenSSL Heartbleed bug. Hopefully, the browser developers will quickly create a feature that will flag you when visiting a site that is still vulnerable.
Once a site has been fixed, you should change your password as soon as possible. A password management program will help you create and manage unique passwords for every site.
Should I upgrade my Anti-Virus or something?
The Heartbleed bug in OpenSSL does not have anything to do with your antivirus or firewall. This is not a client-side issue, so there is little you can do about it on your end. On the server side, operators have to apply a patch to the OpenSSL installation they are using; once that is done, the website can be considered safer to interact with.
What you can do as a user is reduce your visits to e-commerce and similar sites for a while. It is not that the bug affects only commerce sites; it is the same for every type of website that uses OpenSSL. But commerce sites are where attackers after your card details and similar data would look first, which makes them the most likely primary target.
Once you get a message or report that the bug is fixed, you can go back to using a site as you did before the bug was discovered. OpenSSL has created a patch and released it for website owners to secure their users’ data. Until then, try to avoid sites where you have to hand over your data in any form, even login credentials. I am sure almost all webmasters are applying the patch, but until each site has done so the problem remains. Once you are sure that a site has no such vulnerabilities, or that they have been patched, it might be a good idea to change your passwords.
It’s probably premature for users to replace passwords across the board, but for sites they know have received the OpenSSL patch, it may be a good idea to change login credentials. People who are truly security conscious may want to change passwords a second time if they notice a patched site later updates its digital certificate.
In the meantime, readers should steer clear of Yahoo Mail and any other sites that are still running vulnerable versions of OpenSSL. The login credential you save may be your own.