Author Topic: Have you read about Heartbleed? the biggest security threats the Internet has ev  (Read 2972 times)

kerouac_zoso

  • Hero Member
  • *****
  • Posts: 2736
Some websites running SSL encryption, such as Airbnb, Pinterest, USMagazine.com, NASA, and Creative Commons, among others, were exposed to a major security bug called Heartbleed on Monday

The bug was reportedly discovered by a member of Google's security team and a software security firm called Codenomicon. A number of other websites, according to a list making the rounds on GitHub, may be vulnerable to the bug as well.

The bug affects web servers running Apache and Nginx software, and it has the potential to expose private information users enter into websites, applications, web email and even instant messages.

And while most security experts advise that you always use websites and services offering SSL security encryption whenever possible, the Heartbleed bug has the ability to allow malicious operators to defeat this security layer and capture passwords as well as forge authentication cookies and obtain other private information.

A security patch for the bug was announced on Monday, but many websites are still playing catch up. That's why websites like the Tor Project are — in a somewhat tongue-in-cheek way — only advising that you stay off the Internet this week if you really care about your security.

One of the messages on the Heartbleed homepage, a site created to address the bug, states:[/font][/size][size=1.5rem][The Heartbleed bug] compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content... As long as the vulnerable version of OpenSSL is in use it can be abused.


So far, some of the services and websites that have confirmed an OpenSSL software security update include WordPress, Amazon Web Services, Akamai and others.
On the GitHub list, some of the websites deemed "not vulnerable" to the Heartbleed bug include Google, FourSquare, Evernote and many others.

Another helpful site called the Heartbleed Checker, launched by LastPass, allows you to enter the URL of any website to check its vulnerability to the bug.


3 things you can do to protect yourselfWait for an official announcement from any secure website or service that you normally use regarding a security update.


-After you've confirmed that the site or service has installed a security update, change your passwords
-For at least the next week, keep an eye on any of your sensitive online accounts (banking, webmail) for suspicious activity.
- In the meantime, while websites are installing the latest version of OpenSSL to fix the bug, it would be a good idea to wait for confirmed updates on your favorite websites and services and then change your password, just to be as safe as possible.

The Heartbleed Hit List: The Passwords You Need to Change Right Now
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/


How to Protect Yourself From the Heartbleed Bug
http://mashable.com/2014/04/09/heartbleed-what-to-do/
rise and rise again until lambs become lions

celeste

  • Global Moderator
  • *****
  • Posts: 120854
I've heard something about advising people to change their passwords, but not after the problem has been solved
All that's necessary for the triumph of evil is for good men to do nothing

Cupcake

  • Hero Member
  • *****
  • Posts: 7823
Yeah, the experts can't agree.  Some say change all your passwords immediately and others say that's the worst possible move as you might expose both old and new passwords to hackers.  Nobody can tell whether servers have been hacked this way, cos it leaves no trace, so perhaps nobody has been hacked at all.......   ???   I think I'm going to wait until something actually happens.
It's nice to be important, but it's also important to be nice.

kerouac_zoso

  • Hero Member
  • *****
  • Posts: 2736
Oh yes Cupcake, you are right.

it depends on the singular website. Infact if website didnt update the "open ssl" and you change password you will solve "nothing".

but there is a list of website where you have to change password right now, they are the most important website:
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/


 :)

I hope that i was "understandable" :P

rise and rise again until lambs become lions

Cupcake

  • Hero Member
  • *****
  • Posts: 7823
Very helpful indeed, KZ, thanks for the link.  Having read that, I don't need to change any passwords at all anyway.  Shows the benefits of not being socially connected, streaming anything or generally using anything only invented in the last five years!  The Luddites are immune.... ;D ;D ;D 
It's nice to be important, but it's also important to be nice.

kerouac_zoso

  • Hero Member
  • *****
  • Posts: 2736
lol Cupacake. You are welcome.

:)
rise and rise again until lambs become lions

mel the bell

  • Sr. Member
  • ****
  • Posts: 375
Yeah, the experts can't agree.  Some say change all your passwords immediately and others say that's the worst possible move as you might expose both old and new passwords to hackers.  Nobody can tell whether servers have been hacked this way, cos it leaves no trace, so perhaps nobody has been hacked at all.......   ???   I think I'm going to wait until something actually happens.
thats what i think
IF you change your passwords before the sites been patched then the bugs still there and they can attack again and grab your new password too Oo
You sir, are a buffoon

Cupcake

  • Hero Member
  • *****
  • Posts: 7823
Not heard anything more about Heartbleed, but now they are wittering abut a new one that's going to start emptying bank accounts of 15000 people in the UK who have computers infected with specific malware.  Apparently, that's 2 weeks away.  It's getting a bit like the nutters in the street with placards predicting the end of the world next Tuesday afternoon..... ;D
It's nice to be important, but it's also important to be nice.

mel the bell

  • Sr. Member
  • ****
  • Posts: 375
Not heard anything more about Heartbleed, but now they are wittering abut a new one that's going to start emptying bank accounts of 15000 people in the UK who have computers infected with specific malware.  Apparently, that's 2 weeks away.  It's getting a bit like the nutters in the street with placards predicting the end of the world next Tuesday afternoon..... ;D
yeah its how the media work, they latch onto something and sensationalise it, theres also news of more linux based viruses too, for years its been said that linux is virtually 100% safe from viruses
You sir, are a buffoon

mel the bell

  • Sr. Member
  • ****
  • Posts: 375
just to worry everybody again theyve now found more bugs / exploits in the ssl software
http://www.bbc.co.uk/news/technology-27732266
You sir, are a buffoon