Heartbleed – what is it?

April 11, 2014 at 11:16 am | Posted in Economoney, Internet, Media, Online services, Security, Software, Web Apps | 7 Comments

When you log into a secure web site and get “https” and a lock symbol, what you transmit is secure, right? Maybe. About 2/3’s of the web uses OpenSSL and its recently been discovered it’s had a bug for about 2 years.

“Heartbleed has the potential to be one of the biggest, most widespread vulnerabilities in the history of the modern web.”

Security expert Bruce Schneier says “‘catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.”

While there is a fix and it’s unlikely this was discovered and exploited in the past, the issue now is with sites that don’t have decent maintenance and don’t get updated. Now that the bug is known, some old site you used once long ago may now be insecure. If you have the habit of using the same password all over or using your social media (Facebook, Twitter, etc) logins on other sites, you may have unwittingly shared your access all over. Including to sites that are now secure.

Changing your password on such old sites won’t help in the slightest, contrary to some of the advice floating around. It’s only a useful exercise if you know the site has updated. But you can on sites that are fixed. All the major ones apparently have but there are millions of servers out there.

And the trick is, even server admins may never know they’ve been hacked with this one.

This article explains: Heartbleed Nightmare

You can check a site you use here

This is a great reason not to use the same password on multiple sites and may be a great time to implement a password manager like LastPass, if you have not already.

Not only did Monday bring Heartbleed but there was a security update for WordPress on Tuesday and another for Jetpack on Wednesday. The second 2 are things bloggers should update now. The first you want to be sure your web host has. You really don’t want your ecommerce offerings to go nasty on you.
David

UPDATE – see comments for more links. It’s also become apparent it exists in many security devices.

7 Comments »

RSS feed for comments on this post. TrackBack URI

As a bonus, if you’re a user of LastPass, their security check will now warn you of sites in your password list that have not updated after the bug. See Tools, Security Check. Watch for the grey box.

Box.com is one it flagged.

LikeLike

Comment by David B— April 11, 2014 #

Reply
Here’s their blog post about it:
http://blog.lastpass.com/2014/04/lastpass-now-checks-if-your-sites-are.html

LikeLike

Comment by David B— April 11, 2014 #

Reply
And LastPass explains why, even though they had the bug, it did not affect the security of your passwords – they never had the keys.
http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html

LikeLike

Comment by David B— April 11, 2014 #

Reply
Mashable has published a list of the main sites you need to update your passwords for:
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

LikeLike

Comment by David B— April 11, 2014 #

Reply
Another good summary article:
http://just-ask-kim.com/taking-the-confusion-out-of-the-heartbleed-vulnerability/

LikeLike

Comment by David— April 12, 2014 #

Reply
In case you thought Heartbleed was much ado about nothing, there has already been attacks. The Canadian government had to shut down accepting electronic tax filing for almost a week and has announced it lost about 900 SINs. (SSN) The only reason they even know that is because of their extra security.

Mumsnet was also hacked but they have no way of knowing to what degree. They know because the hackers told them, and used the founders ID to post online.

LikeLike

Comment by David— April 14, 2014 #

Reply
Since the web site issue has eased, it’s become apparent many security devices like Firewalls and Routers may also have the problem. As that requires checking and manually updating,its likely to be a longer term issue.
http://www.wired.com/2014/04/heartbleed_embedded/

LikeLike

Comment by David B— April 29, 2014 #

Reply

For Now