What You Should Know About
THE HEARTBLEED BUG!!!
An encryption flaw called the Heartbleed bug that
has exposed a collection of popular websites — from Airbnb and Yahoo to NASA
and OKCupid — could be one of the biggest security threats the Internet has
ever seen. If you have logged into any of the affected sites over the past two
years, your account information could be compromised, allowing cybercriminals
to snap up your credit card information or steal your passwords.
You're likely affected by the bug, either directly or indirectly. It was found
by a member of Google's security team and a software firm named Codenomicon.
The bad news: There's not a lot you can do about it now.
It's the responsibility of Internet companies to update their servers to deal
with Heartbleed, and once they do, you can take action (see below).
The issue involves network software called OpenSSL, which is an
open-source set of libraries for encrypting online services.
Secure websites — with "https" in the URL ("s" stands for secure) — make up
56% of websites, and nearly
half of those sites were vulnerable to the bug. In theory, a cybercriminal
could have exploited Heartbleed by making network requests that could piece
together your sensitive data.
The good news: There isn't any
indication that a hacker caught wind of this; it seems the researchers were the
first to locate the problem.
But the scary part is that attackers could have infiltrated
these websites, extracted the information they wanted and left no trace of
their presence. Thus, it's hard to determine whether someone ever exploited the
bug, or if your account information was compromised.
What to do about it...
First, check which of the sites you use are affected. If you don't want to
read through the long list of websites with the security flaw, the password
security firm LastPass has set up a Heartbleed Checker, which lets you enter
the URL of any website to check whether it is vulnerable to the bug and
whether the site has issued a patch.
Next, change your passwords for major accounts — email, banking
and social media logins — on sites that were affected by Heartbleed but patched
the problem. However, if the site or service hasn't patched the flaw yet,
there's no point in changing your password. Instead, ask the company when it
expects to push out a fix to deal with Heartbleed.
A big cause for concern is related to sites that have your
sensitive information, such as Yahoo and OKCupid (most people aren't logging
into NASA.gov with private data). Both companies have since issued a patch to
fix the security hole, so users with accounts with those companies — including
Yahoo Mail, Flickr and so on — should update their passwords immediately.
Facebook and Twitter use OpenSSL web servers, though it's still unclear whether or not
they were vulnerable to the issue. Facebook reportedly issued a security patch
last week.
Other websites that have issued an OpenSSL software security
update include WordPress, Amazon Web Services and Akamai. Some websites not considered vulnerable include Google, Tumblr,
Foursquare and Evernote, among others.
"It's a big deal for Internet users, but especially when it
comes to protecting financial information," Joe Siegrist, CEO and
cofounder of LastPass, told Mashable. "Some financial organizations are using more conservative
web security choices like Microsoft, which is not vulnerable to the bug, so
users should check and see if their bank has been affected."
Make sure to keep an eye on sensitive online accounts,
especially banking and email, for suspicious activity for the next week or so.
"Mashable." Mashable. N.p., n.d. Web. 09 Apr. 2014.