- This topic is empty.
April 24, 2014 at 9:39 pm #8022AnonymousGuest
What is the Heartbleed bug?
The bug exists in a piece of open source software called OpenSSL which is designed to encrypt communications between a user's computer and a web server, a sort of secret handshake at the beginning of a secure conversation.
It was dubbed Heartbleed because it affects an extension to SSL (Secure Sockets Layer) which engineers dubbed Heartbeat.
It is one of the most widely used encryption tools on the internet, believed to be deployed by roughly two-thirds of all websites. If you see a little padlock symbol in your browser then it is likely that you are using SSL.
Half a million sites are thought to have been affected.
“This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.”
Do I need to change my passwords?
Some security experts are saying that it would be prudent to do so although there is a degree of confusion as to when and if this needs to be done.
Many of the large technology firms including Facebook and Google have patched the vulnerability.
Some point out that there will be plenty of smaller sites that haven't yet dealt with the issue and with these a password reset could do more harm than good, revealing both old and new passwords to any would-be attacker.
But now the bug is widely known even smaller sites will issue patches soon so most people should probably start thinking about resetting their passwords.
if you are worried about your credit cards, check your credit card bills very closely.”
How do I make sure my password is robust?
I think now is a good time to review your passwords.
We are advised to regularly change their passwords. Words that don't appear in a dictionary are preferable as is a mixture of words and numbers.
For people whose attitude to passwords is to reset them each time they visit a site because they have forgotten them, there is help on hand.
Tools are now widely available that will store and organise all your passwords and PIN codes for computers, apps and networks. They can also generate passwords and can automatically enter your username and password into forms on websites.
Such tools store your passwords in an encrypted file that is accessible only through the use of a master password. Examples of such services include KeePass, LastPass, Roboform & 1Password.
Some firms are starting to offer alternatives to passwords – finger-print readers
Which sites are affected?
There are half a million believed to be vulnerable so too many to list
The LastPass website has compiled a list as has new websiteMashable. Meanwhile security firm Kaspersky directs people to theHeartbleed test.
While Facebook and Google say that they have patched their services, according to the Kaspersky blog, there is a long list of sites that are still vulnerable, including Flickr, OkCupid and Github.
One of the biggest tech firms remaining on the vulnerable list was Yahoo but, as of last night, it too seemed to have remedied the problem saying it “had made the appropriate corrections across our entire platform”.
Lastpass Heatbleed checker
What is the worst-case scenario?
The bad news, is that “exploiting Heartbleed leaves no traces so there is no definitive way to tell if the server was hacked and what kind of data was stolen”.
Why has the problem only just come to light?
The bug was first spotted by Google Security and a Finnish security firm Codenomicon which said that it was introduced by a programming error.
Because OpenSSL is open source, researchers were able to study the code in detail which is why it was found in the first place.
But such code libraries are immensely complex so it can take some time for those who routinely examine the code to come across such problems.
“It was such an unexpected problem that it wasn't something that researchers would necessarily have been looking for.
Is the bug connected to revelations about US and UK government snooping?
There is no direct evidence although lots of speculation that there is a link after details emerged that the National Security Agency (NSA) explored ways to break encryption.
GCHQ simply said it had a “longstanding policy that we do not comment on intelligence matters”.
And many seemed to think that the problem was down to bad code rather than anything more sinister.
- You must be logged in to reply to this topic.