The Heartbleed Bug
Some of you have heard about the Heartbleed Bug on cable and network news, and if so you should know that sensationalism prevails again. It’s no wonder that so many computer users find it so difficult to learn the truth about anything. According to news sources, the Heartbleed Bug is brand new and affects almost everyone. Neither of those things is true. That’s not to say that the Heartbleed Bug isn’t dangerous, or that it isn’t a major problem. It is. It affects or has affected 56% of all secure sites (sites whose URLs begin with https://).
But facts are facts, and it seems our friendly cable and network news people are more interested in sensationalizing a very important story than in reporting it, choosing to leave out a number of mitigating factors: while the Heartbleed Bug affected 56% of all secured sites, most of them were patched quietly some time ago, and millions of other sites were never affected at all. Most of the sites you use where confidential information is exchanged, or where you store or access confidential information, are safe and are not affected by the Heartbleed Bug (though they may have been affected at one time). But there is one site, one we have specifically warned you about many times, that was affected, and it remained affected until this week. The site’s name? Yahoo.
For years now, we have urged you not to use Yahoo Mail or other Yahoo services. Why? Because, over time, we have noticed that 90% of the time when we received spam or infected emails from someone, they came from a hacked Yahoo account. Additionally, TC has a good friend who has a Yahoo account, and even though he was using strong passwords, both of his accounts were hacked. (He moved to Gmail two years ago and has not had any problems since.)
Most of the sites you’re using, including Gmail and other Google services, Twitter, Instagram, Pinterest, YouTube, and others, were affected by the Heartbleed Bug but have been patched. These sites and companies took your privacy and their reputations seriously and took the steps necessary to close the hole the Heartbleed Bug opened. That being said, if you have accounts with these companies, you should change your password as a precaution, but only once the company has confirmed that its servers are patched: a password typed into a server that is still vulnerable can be stolen just like the old one. Facebook’s situation regarding the Heartbleed Bug is unclear. But Yahoo didn’t patch its servers until publicity forced it to. We don’t think this is the end of the problems for Yahoo, and we urge anyone with a Yahoo account, especially a Yahoo Mail account, to switch to Gmail or Outlook.com immediately. Short of that, if you insist on continuing to use Yahoo, change your password frequently, at least once per month.
According to Mashable…
“A big cause for concern is related to sites that have your sensitive information, such as Yahoo and OKCupid (most people aren’t logging into NASA.gov with private data). Both companies have since issued a patch to fix the security hole, so users with accounts with those companies — including Yahoo Mail, Flickr and so on — should update their passwords immediately.
It’s important to wait to get the “all clear” sign from a company or service before changing, especially now that this bug is out in the open. Changing a password before the bug is fully patched won’t make things any better… Facebook and Twitter use OpenSSL web servers, though it’s still unclear whether or not they were vulnerable to the issue. Facebook reportedly issued a security patch, as did Google.
Other websites that have issued an OpenSSL software security update include WordPress, Amazon Web Services and Akamai.
Some websites not considered vulnerable include AOL, Foursquare and Evernote, among others.
(Read more here http://mashable.com/2014/04/09/heartbleed-what-to-do/ )
LastPass has set up a site checker where you can enter a URL to see whether a site’s servers have been patched and whether its certificate has been reissued since the patch. It’s a good idea to check your banking sites and any other sites you log in to before you change your passwords there: a new password sent to a server that is still leaking memory is no safer than the old one, and a server that patched but kept its old certificate may still be impersonated if the key was stolen. Visit https://lastpass.com/heartbleed to check the sites you visit and see whether they’ve been patched against the Heartbleed Bug.
“LastPass Now Checks If Your Sites Are Affected by Heartbleed
Yesterday we informed our community of the Heartbleed OpenSSL bug. In our blog post, we explained how this security issue impacted our service and what our users should know about the situation. We also built a tool to help our users start checking to see if their sites and services had reissued their certificates, so that users would know if it was safe to start updating passwords for those sites: https://lastpass.com/heartbleed .
To help our users take action and protect themselves in the wake of Heartbleed, we’ve added a feature to our Security Check tool. LastPass users can now run the LastPass Security Check to automatically see if any of their stored sites and services were 1) Affected by Heartbleed, and 2) Should update their passwords for those accounts at this time.
The LastPass Security Check can be run from the LastPass Icon menu. Click the LastPass icon in the browser toolbar, click the Tools menu, and select the Security Check.
In the Security Check results, we alert you to sites affected by Heartbleed…” (Read more at http://blog.lastpass.com/2014/04/lastpass-now-checks-if-your-sites-are.html )
And because we think it’s very important for you to know the facts, not the sensationalism, we urge you to read up on the Heartbleed Bug. Here is more, from www.heartbleed.com:
The Heartbleed Bug
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
What leaks in practice?
We have tested some of our own services from an attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.
How to stop the leak?
As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distributions, appliance vendors, and independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.
(Read more at www.heartbleed.com.)
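To make “read the memory of the systems” concrete, here is a small C model of the defect, added to this page as an illustration; it is not OpenSSL’s own code and it does not talk to any server. A TLS heartbeat request carries a payload length chosen by the sender, and the unpatched code trusted that number when copying the payload back into the reply, so a request that claims 64 bytes while actually sending 2 is answered with 62 bytes of whatever happened to sit next to the record in memory. The fix in the patched OpenSSL release is the check under `fixed` below: the claimed length is compared against the length the record layer really received, and the request is silently dropped if it does not fit. The record layout, the 128-byte `arena`, and the `S3cr3t-key-bytes` string are all constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Teaching model of the TLS heartbeat message as handled by OpenSSL 1.0.1
 * through 1.0.1f: a 1-byte type, a 2-byte big-endian payload length that the
 * SENDER claims, the payload itself, then at least 16 bytes of padding. The
 * receiver echoes the payload back. Not OpenSSL's code, not an exploit. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HDR       3      /* type (1) + payload length (2) */
#define HB_PADDING   16
#define DEMO_SECRET  "S3cr3t-key-bytes"   /* constructed, 16 bytes */

/* Build the echo response for one heartbeat record.
 *   rec      : the record as received, sitting somewhere in process memory
 *   rec_len  : number of bytes the record layer actually received
 *   out/cap  : output buffer for the response
 *   fixed    : 0 = behave like the vulnerable code, 1 = apply the patched check
 * Returns the response length, or -1 if the record is discarded. */
int process_heartbeat(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t cap, int fixed)
{
    if (fixed && HB_HDR + HB_PADDING > rec_len)
        return -1;                      /* too short to hold header + padding */

    unsigned char type = rec[0];
    size_t payload = ((size_t)rec[1] << 8) | rec[2];   /* sender-controlled */
    if (type != HB_REQUEST)
        return -1;

    /* The missing bounds check. Without it, `payload` may exceed what was
     * received and the memcpy below walks past the record into neighbouring
     * memory (in real OpenSSL: heap holding keys, cookies, other sessions). */
    if (fixed && HB_HDR + payload + HB_PADDING > rec_len)
        return -1;

    size_t resp_len = HB_HDR + payload + HB_PADDING;
    if (resp_len > cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + HB_HDR, rec + HB_HDR, payload);   /* over-read when unchecked */
    memset(out + HB_HDR + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Constructed scenario: a heartbeat carrying a 2-byte payload but claiming 64,
 * followed in the same memory area by data that belongs to something else.
 * Returns what process_heartbeat returns; `out` receives the response. */
int run_heartbeat_demo(int fixed, unsigned char *out, size_t cap)
{
    unsigned char arena[128];            /* stands in for process memory */
    memset(arena, 0, sizeof arena);

    arena[0] = HB_REQUEST;
    arena[1] = 0x00; arena[2] = 0x40;     /* claims 64 payload bytes ... */
    arena[3] = 'h';  arena[4] = 'i';      /* ... actually sends 2 */
    size_t rec_len = HB_HDR + 2 + HB_PADDING;   /* 21 bytes really received */

    memcpy(arena + 40, DEMO_SECRET, 16);  /* unrelated data past the record */

    return process_heartbeat(arena, rec_len, out, cap, fixed);
}

/* 1 if the response echoes the constructed secret, 0 if not, -1 if dropped. */
int demo_leaks_secret(int fixed)
{
    unsigned char out[256];
    int n = run_heartbeat_demo(fixed, out, sizeof out);
    if (n < 0)
        return -1;
    /* arena[40..55] lands at out[40..55] because the copy starts at offset 3
     * on both sides. */
    return (n >= 56 && memcmp(out + 40, DEMO_SECRET, 16) == 0) ? 1 : 0;
}

int main(void)
{
    unsigned char out[256];
    int n = run_heartbeat_demo(0, out, sizeof out);
    printf("unchecked: %d-byte response, bytes 40..55 = \"%.16s\"\n",
           n, (const char *)(out + 40));
    n = run_heartbeat_demo(1, out, sizeof out);
    printf("checked:   request discarded (%d)\n", n);
    return 0;
}
```

Compile with `cc -Wall heartbeat_model.c -o heartbeat_model && ./heartbeat_model`. The unchecked path returns an 83-byte reply that contains the 16 secret bytes; the checked path refuses the request because 3 + 64 + 16 does not fit in the 21 bytes that arrived. Note that the model keeps the over-read inside its own `arena` so it is safe to run; in a real process the same copy would read whatever the allocator placed after the record, which is why the page above lists private keys, passwords and message contents among what leaked.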