By now you have read about the so-called Heartbleed bug, which leaves a large number of websites open to attack and, on a vulnerable site, can let attackers gain access to your password and trick you into using false websites.
The known affected sites include Yahoo, Google, Facebook, Netflix and Tumblr, which have announced that the problem on their sites has been fixed but that users should change their passwords. It is not yet known whether personal data has been compromised in any way.
To understand the size of the potential problem: it is one that could affect all websites using something called OpenSSL, and that is very widely used. What is more, the flaw has been present since the release of OpenSSL version 1.0.1 back in March 2012 (the bug had been in the code since 2011 but had not been exposed), so it is not exactly new. Attackers can reach sensitive data by reading the memory of the web server that runs the website. The data in question could include the server's private master key, which would let attackers break the server's encryption and allow the hijackers to steal the identities of that service's users.
There are about half a million secure web servers that could potentially be vulnerable to attack, and at this stage thousands of websites have yet to fix the problem on their sites, or have yet to publicise that they have, which is not terribly helpful to their users.
Yahoo is so far the only one that we know of to have told its users to change their passwords, but security experts are advising people using Gmail, YouTube, Facebook, Dropbox or Tumblr to change their passwords as well.
Although these sites have been patched, the sites themselves have not told users to change their passwords, and given the scale of the problem they could be expected to do more.
As you can see, there is some confusion between what the companies suggest and what the security experts advise. In fairness, changing your log-in details may not boost security at all and can even be counterproductive: if the site is still vulnerable it is still open to attack, and in that case a change of password merely gives the attacker your new password as well.
For that reason, if the website you wish to visit and log in to has not stated that it is safe and that the security flaw is fixed, you should assume that the site is still vulnerable. Consequently, change your password only on sites declared safe.
STATEMENTS FROM SITES
Google: Search, Gmail, YouTube, Wallet and the Play store were affected, but the Chrome browser and Chrome OS were not.
Google said it identified and solved the problem across its affected services, and is advising users they don’t need to change their passwords. However, security experts are advising they should anyway, just in case.
Facebook: In a statement, the firm said: ‘We added protections for Facebook’s implementation of OpenSSL before this issue was publicly disclosed. We haven’t detected any signs of suspicious account activity.’
It is encouraging users ‘to take this opportunity to follow good practices and set up a unique password for your Facebook account that you don’t use on other sites.’
Yahoo: Site has fixed the problem and is urging customers to change their passwords.
Tumblr: Owned by Yahoo, the blogging site was affected, but claimed it has spotted no evidence the breach affected its accounts.
Amazon Web Services (used by websites): Advisory note said ‘most services were unaffected or Amazon was already able to apply mitigations’ meaning passwords should be changed just in case.
Netflix: Statement said ‘we took immediate action to assess the vulnerability and address it. We are not aware of any customer impact.’
Dropbox: The site tweeted it has patched all of its user-facing services and will continue to work to ‘make sure your stuff is always safe’.
Instagram: Site runs on the nginx server, which uses OpenSSL software, and its SSL certificate was last valid three years ago meaning LastPass has flagged it as a potential risk and the company is working on a fix.
Twitter: Site confirmed its websites weren’t affected and details weren’t exposed, so is safe.
PayPal: In a statement, the site said PayPal is secure. Your PayPal account details were not exposed in the past and remain secure. You do not need to take any additional action to safeguard your information and there is no need to change your password.
eBay: As its payments are handled predominantly through PayPal, eBay transactions were not affected.
Microsoft accounts, Hotmail and Outlook and Bing: Microsoft services don’t use OpenSSL so were unaffected.
Finally, LastPass.com (itself unaffected) has a checker for the Heartbleed bug. If you enter the name of the website you wish to use, the checker looks at the date of the site's secure encryption certificate and when it was last regenerated; it will warn you if the server is at risk, and it will also show which websites were unaffected and which have updated their certificates.
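For members who like to see how such a checker works, here is a small Python script added as an illustration; it is not part of the original newsletter and is not LastPass's own tool. It applies the same certificate-date heuristic: a site's certificate issued before Heartbleed was publicly disclosed (7 April 2014) may still be using a key that was exposed, while one issued afterwards has at least been regenerated. The function names, the sample certificate records and the disclosure date constant are this example's own assumptions; the `fetch_cert` helper uses only the Python standard library and needs a network connection, whereas `classify` works on the dictionary that Python's `ssl` module returns and can be tried offline.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumption for this example: Heartbleed (CVE-2014-0160) was publicly
# disclosed on 7 April 2014. Certificates issued before this date may carry
# a key that was exposed while the server was still vulnerable.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_issued_after_disclosure(cert):
    """Return True if the certificate's 'notBefore' date is on or after the
    disclosure date. `cert` is the dictionary that ssl.SSLSocket.getpeercert()
    returns; its 'notBefore' field looks like 'Apr  8 00:00:00 2014 GMT'."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    return not_before >= HEARTBLEED_DISCLOSED.timestamp()


def classify(cert):
    """Turn the date check into the kind of verdict a checker would show.
    A fresh certificate only proves the certificate was regenerated; it does
    not by itself prove the site's OpenSSL was patched, nor that a brand new
    private key was used, so the wording stays cautious."""
    if cert_issued_after_disclosure(cert):
        return "certificate regenerated after disclosure"
    return "certificate predates disclosure: key may have been exposed"


def fetch_cert(hostname, port=443, timeout=5):
    """Fetch a site's certificate over a normal TLS connection (network needed).
    Hypothetical helper for this example; it performs an ordinary handshake and
    nothing else."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample records in the same shape getpeercert() returns,
# so the logic can be exercised offline.
SAMPLE_OLD_CERT = {"notBefore": "Mar 14 00:00:00 2012 GMT",
                   "notAfter": "Mar 14 23:59:59 2015 GMT"}
SAMPLE_NEW_CERT = {"notBefore": "Apr  9 12:00:00 2014 GMT",
                   "notAfter": "Apr  9 12:00:00 2016 GMT"}

if __name__ == "__main__":
    for label, cert in (("old", SAMPLE_OLD_CERT), ("new", SAMPLE_NEW_CERT)):
        print(label, "->", classify(cert))
    # To check a live site instead: print(classify(fetch_cert("example.com")))
```

The date check is a heuristic, not proof: a site that patched OpenSSL but kept its old certificate will be flagged even though it is fixed, and a site that reissued its certificate without changing the private key will pass even though the key may have been exposed. That is why the newsletter's advice to wait for a site's own statement still applies.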
If you need help remember Kapiti SeniorNet is there to help its members, just pen us a line or join the crowd at the Q&A sessions.
Happy and safe computing.