What you need to do about Heartbleed
The Heartbleed bug has affected about two-thirds of the world's websites
Computerworld - The Heartbleed bug is big trouble and it's affected about two-thirds of the world's websites.
That means virtually everyone should be taking steps to protect themselves, starting first by updating passwords for important online sites.
"It's like this is a huge Internet reset," said Steve Sundermeier, founder of Thirtyseven4.com, an Ohio-based security company. "It's pretty alarming. Users who thought they were doing the right thing now aren't secure. Everybody is kind of in the dark as to who actually was affected and vulnerable."
Security experts are still piecing together how much damage has been caused, or can be caused, by the Heartbleed flaw.
The vulnerability existed in OpenSSL, one of the Internet's most widely used encryption software packages, for about two years. It's not clear whether cyber criminals discovered the bug, which exposes users' most private, and trusted, communications - emails, banking transactions, credit card numbers and health records - to risk.
When users see the little padlock symbol in the corner of their screen, they generally assume their communications are safe because SSL encryption protects them. But for the last two years, that wasn't the case.
Heartbleed, so named because it affects an SSL extension software programmers call Heartbeat, affects anywhere from half a million to a billion websites, depending on which security analyst you talk to. And it's not just websites that have been affected.
Steve Pate, chief architect with HyTrust Inc., a California-based security and compliance company, noted that the vulnerability also has affected a variety of devices, ranging from smartphones to home routers, tablets and laptops.
Many of those devices came installed with software that used the buggy OpenSSL.
The biggest concern is not just that the bug is so widespread but that it affects the information users are most concerned about protecting.
"OpenSSL is relied on by so many sites," said Chester Wisniewski, senior security advisor with Sophos, a security company based in the U.K. "It's what we rely upon for privacy and security, so it's the last thing you want to see made vulnerable. What does this affect? Everything. This is really messy."
Various tools have popped up to help people figure out whether their favorite online retailer, bank or social network is vulnerable, but they tend to only note if they're currently vulnerable. The tools do little to detail whether a site was vulnerable in the past.
If a site was vulnerable at any point, user names, passwords and other critical information may have been compromised.
Google, which owns the most-visited websites in the world, told Computerworld that it had been vulnerable, but its software has been patched and the sites are safe now.
A spokesman for Facebook, the world's largest social network with more than a billion users, also acknowledged that it was affected by the vulnerability, but has since fixed the problem. Yahoo, too, said its platform was vulnerable to Heartbleed but noted yesterday that it started working to fix the problem as soon as it found out about it.
"We added protections for Facebook's implementation of OpenSSL before this issue was publicly disclosed, and we're continuing to monitor the situation closely," the spokesman said. "We haven't detected any signs of suspicious account activity that would suggest a specific action, but we encourage people to take this opportunity to follow good practices and set up a unique password for your Facebook account that you don't use on other sites."