What you need to do about Heartbleed
The Heartbleed bug has affected about two-thirds of the world's websites
Computerworld - The Heartbleed bug is big trouble and it's affected about two-thirds of the world's websites.
That means virtually everyone should be taking steps to protect themselves, starting first by updating passwords for important online sites.
"It's like this is a huge Internet reset," said Steve Sundermeier, founder of Thirtyseven4.com, an Ohio-based security company. "It's pretty alarming. Users who thought they were doing the right thing now aren't secure. Everybody is kind of in the dark as to who actually was affected and vulnerable."
Security experts are still piecing together how much damage has been caused, or can be caused, by the Heartbleed flaw.
The vulnerability existed in OpenSSL, one of the Internet's most widely used encryption software packages, for about two years. It's not clear whether cyber criminals discovered the bug, which exposes users' most private, and trusted, communications - emails, banking transactions, credit card numbers and health records - to risk.
When users see the little padlock symbol in the corner of their screen, they generally think their communications are safe since they're generally protected by SSL encryption. But for the last two years, that wasn't the case.
Heartbleed, so named because it affects an SSL extension software programmers call Heartbeat, affects anywhere from half a million to a billion websites, depending on which security analyst you talk to. And it's not just websites that have been affected.
Steve Pate, chief architect with HyTrust Inc., a California-based security and compliance company, noted that the vulnerability also has affected a variety of devices, ranging from smartphones to home routers, tablets and laptops.
Many of those devices came installed with software that used the buggy OpenSSL.
The biggest concern is not just that the bug is so widespread but that it affects the information users are most concerned about protecting.
"OpenSSL is relied on by so many sites," said Chester Wisniewski, senior security advisor with Sophos, a security company based in the U.K. "It's what we rely upon for privacy and security, so it's the last thing you want to see made vulnerable. What does this affect? Everything. This is really messy."
Various tools have popped up to help people figure out whether their favorite online retailer, bank or social network is vulnerable, but they tend to only note if they're currently vulnerable. The tools do little to detail whether a site was vulnerable in the past.
If a site was vulnerable at any point, user names, passwords and other critical information may have been compromised.
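The checking tools mentioned above work from what a server exposes right now. For an administrator auditing their own fleet of devices, the simplest first pass is the same idea applied to inventory data: parse each host's OpenSSL version banner and flag anything in the affected upstream range (1.0.1 through 1.0.1f; 1.0.1g and the 1.0.0 and 0.9.8 branches are not affected). The script below is an added example and is not part of the Computerworld article or any vendor tool; the hostnames and banners in it are constructed. Like the tools the article describes, it only reports present state, and it can also produce false positives on Linux distributions that backport the fix without changing the upstream version letter, so a flagged host should be confirmed against the vendor's patch notes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Upstream OpenSSL releases carrying the Heartbeat bug: 1.0.1 through 1.0.1f.
# The fix shipped in 1.0.1g; other branches never had the bug.
AFFECTED_BRANCH = (1, 0, 1)
FIRST_FIXED_LETTER = "g"

# Matches the version part of an `openssl version` banner, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


@dataclass
class OpenSSLVersion:
    major: int
    minor: int
    fix: int
    letter: str  # patch letter; "" for the bare x.y.z release


def parse_version(banner: str) -> Optional[OpenSSLVersion]:
    """Extract the OpenSSL version from a banner string; None if it is not OpenSSL."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return OpenSSLVersion(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def is_heartbleed_affected(v: OpenSSLVersion) -> bool:
    """True when the upstream version lies in the vulnerable 1.0.1 .. 1.0.1f range."""
    if (v.major, v.minor, v.fix) != AFFECTED_BRANCH:
        return False
    # Patch letters are single lowercase characters, so a plain string
    # comparison orders them correctly ("" sorts before "a").
    return v.letter < FIRST_FIXED_LETTER


def classify(banner: str) -> str:
    """Return 'affected', 'not affected', or 'unknown' for one version banner."""
    v = parse_version(banner)
    if v is None:
        return "unknown"
    return "affected" if is_heartbleed_affected(v) else "not affected"


# Constructed sample inventory (hostname, banner); these are not real hosts.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("router-01", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("web-02", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("legacy-03", "OpenSSL 0.9.8y 5 Feb 2013"),
    ("nas-04", "OpenSSL 1.0.1 14 Mar 2012"),
    ("appliance-05", "LibreSSL 2.0.0"),
]


def audit(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Classify every host in the inventory by its reported OpenSSL version."""
    return {host: classify(banner) for host, banner in inventory}


if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_INVENTORY).items():
        print(f"{host:14s} {verdict}")
```

A host reported as "affected" needs patching and, once patched, the same password and key rotation the article recommends, since a version check says nothing about whether the bug was exploited while the old build was running.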
Google, which owns the most-visited websites in the world, told Computerworld that it had been vulnerable, but its software has been patched and the sites are safe now.
A spokesman for Facebook, the world's largest social network with more than a billion users, also acknowledged that it was affected by the vulnerability, but has since fixed the problem. Yahoo, too, said its platform was vulnerable to Heartbleed but noted yesterday that it started working to fix the problem as soon as it found out about it.
"We added protections for Facebook's implementation of OpenSSL before this issue was publicly disclosed, and we're continuing to monitor the situation closely," the spokesman said. "We haven't detected any signs of suspicious account activity that would suggest a specific action, but we encourage people to take this opportunity to follow good practices and set up a unique password for your Facebook account that you don't use on other sites."