What is Heartbleed?
Heartbleed is a security bug in the open-source OpenSSL cryptographic library, which is widely used to implement the Internet's Transport Layer Security (TLS) protocol. The bug lies in OpenSSL's heartbeat extension, which provides a way to test and keep alive a secure communication link without having to restart the connection each time. It was discovered by researchers from Google and a Finnish company called Codenomicon, and it affects OpenSSL, an open-source encryption library used by as many as 66% of all active Internet sites. The bug, which lets attackers silently extract data from computers' memory, and a fix for it were announced simultaneously.
What is at stake?
Millions of passwords, credit card numbers and other pieces of personal information may be at risk as a result of a major breakdown in Internet security revealed earlier this week, called the Heartbleed bug. The damage caused by the bug is currently unknown, but the security hole exists on a vast number of the Internet's web servers and went undetected for more than two years. Even the National Security Agency (NSA) was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report. Millions of smartphones and tablets running Google Inc.'s Android operating system have the Heartbleed software bug, a sign of how broadly the flaw extends beyond the Web and into consumer devices. All versions of Android except the version dubbed 4.1.1 are immune to the flaw. Hackers could crack email systems, security firewalls and possibly mobile phones through the Heartbleed bug, according to security experts who warned on Thursday that the risks extended beyond just Internet web servers.
What to do?
Be aware that your sensitive data such as passwords may have been seen by a third party if the sites you visit used a vulnerable version of the OpenSSL library.
• Monitor any notices from the vendors or companies you use. Once a vendor has told you to change your passwords, do so promptly.
• Watch out for potential phishing emails from attackers asking you to update your password. To avoid going to an impersonated website, stick with the official site domain.
• Stick to reputable websites and services. They are most likely to have immediately addressed the vulnerability.
• Monitor your bank and credit card statements to check for any unusual transactions.
• Anyone using OpenSSL 1.0.1 through 1.0.1f should update to the latest fixed version of the software (1.0.1g), or recompile OpenSSL without the heartbeat extension.
• After moving to a fixed version of OpenSSL, if you believe your web server certificates may have been compromised or stolen as a result of exploitation, contact the certificate authority for a replacement.
• Finally, and as a best practice, businesses should also consider resetting end-user passwords that may have been visible in a compromised server memory.
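As an added example (not part of the original article), the shell script below implements the version check behind the server-side advice above: it takes the version token printed by `openssl version` and reports whether it falls in the affected 1.0.1 through 1.0.1f range, where 1.0.1g is the fixed release. The function names `heartbleed_affected` and `openssl_version_token` are this example's own; the sample `openssl version` output it parses is constructed.

```shell
#!/bin/sh
# Added example, not the article's own code: classify an OpenSSL version
# string against the Heartbleed-affected range 1.0.1 .. 1.0.1f (fixed in 1.0.1g).
#
# heartbleed_affected "1.0.1e"  -> prints a warning, returns 0 (affected)
# heartbleed_affected "1.0.1g"  -> prints a note,    returns 1 (not affected)

heartbleed_affected() {
    ver="$1"
    case "$ver" in
        1.0.1|1.0.1[a-f])
            echo "AFFECTED: OpenSSL $ver is in the 1.0.1-1.0.1f range; update to 1.0.1g or later"
            return 0 ;;
        *)
            echo "not affected by version number: OpenSSL $ver"
            return 1 ;;
    esac
}

# Pull the bare version token out of `openssl version` output, e.g.
# "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e". The second whitespace-separated
# field is the version in every OpenSSL release of this era.
openssl_version_token() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# Constructed sample output, standing in for a server's `openssl version`.
SAMPLE_OUTPUT="OpenSSL 1.0.1e 11 Feb 2013"

# Check the constructed sample, then the locally installed binary if there is one.
heartbleed_affected "$(openssl_version_token "$SAMPLE_OUTPUT")" || :
if command -v openssl >/dev/null 2>&1; then
    installed=$(openssl version 2>/dev/null)
    heartbleed_affected "$(openssl_version_token "$installed")" || :
fi
```

Two caveats worth knowing when reading the result. First, Linux distributions commonly backport the fix into their existing package without changing the reported version string, so a server that still prints 1.0.1e may already be patched; confirm against the distribution's package changelog or security advisory rather than trusting the version number alone. Second, a build compiled with the heartbeat extension disabled (the `-DOPENSSL_NO_HEARTBEATS` compile-time define) is also not affected, whatever version it reports, which is the "recompile without the heartbeat extension" option the article mentions.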
List of susceptible sites

| Name | Vulnerable? | Patched? | Change password? |
|---|---|---|---|
| Amazon | No | No Need | Only if shared with vulnerable service |
| Amazon Web Services | Yes | Yes | Yes |
| Apple | No | No Need | Not Clear |
| Barclays | No | No | Only if shared with vulnerable service |
| eBay | No | No Need | Only if shared with vulnerable service |
| Evernote | No | No Need | Only if shared with vulnerable service |
| Facebook | Yes | Yes | Yes |
| Google/Gmail | Yes | Yes | Yes |
| HSBC | Yes | No Need | Only if shared with vulnerable service |
| LinkedIn | No | No Need | Only if shared with vulnerable service |
| Lloyds | No | No Need | No |
| Microsoft/Hotmail/Outlook | No | No Need | Only if shared with vulnerable service |
| PayPal | No | No Need | Only if shared with vulnerable service |
| RBS/Natwest | No | No Need | Only if shared with vulnerable service |
| Santander | No | No Need | Only if shared with vulnerable service |
| Tumblr | Yes | Yes | Yes |
| Twitter | No | No Need | Only if shared with vulnerable service |
| Yahoo/Yahoo Mail | Yes | Yes | Yes |