Heartbleed Bug: Things To Know
The week of April 7, 2014, a very serious vulnerability affecting much of the internet was disclosed. On a scale of 1 to 10, one security thought leader put the seriousness of the bug at an 11. An estimated half a million widely trusted websites were vulnerable, including major sites such as Google, Facebook, Amazon and Yahoo, as well as banking sites.
Technically speaking, the bug (CVE-2014-0160, nicknamed Heartbleed) is not in the SSL/TLS protocol itself but in OpenSSL, the most widely used implementation of it, in versions 1.0.1 through 1.0.1f. The flaw is in the handling of the TLS heartbeat extension: a heartbeat request carries a small payload and states its length, and the vulnerable code copied back as many bytes as the request claimed without checking how many bytes had actually arrived. Each malformed request therefore hands the attacker up to 64 KB of whatever happened to be in the server process's memory at that moment, and the attack leaves no trace in normal server logs. Usernames, passwords, email addresses, social security numbers, bank details, session cookies and even the server's private key are all things that can be collected this way. This comic has a pretty good visual explanation of the vulnerability.
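To make the flaw concrete, here is an added example that models the heartbeat handling in C; it is not code from the original post or from OpenSSL, though the two handlers follow the shape of OpenSSL's tls1_process_heartbeat() before and after the 1.0.1g fix. The slice of "process memory", the "ping" payload and the session-cookie string behind the record are all constructed for the demonstration, and the memory region is sized so that the over-read stays observable inside it rather than being undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message (RFC 6520): type (1 byte), payload_length (2 bytes,
 * big-endian), payload, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HB_MAX_LEN  (1 + 2 + 65535 + HB_PADDING)

/* Constructed model of a slice of server process memory: the incoming record
 * is written at offset 0 and unrelated data from another connection (the
 * constructed "secret") sits SECRET_OFFSET bytes behind it. The region is big
 * enough for any 16-bit length, so the over-read is observable, not undefined. */
static unsigned char process_memory[HB_MAX_LEN];
static const unsigned char secret[] = "session=9c1d4e7b; user=alice";
#define SECRET_OFFSET 64
#define SECRET_LEN    (sizeof secret - 1)

typedef long (*heartbeat_fn)(const unsigned char *record, size_t record_len,
                             unsigned char *resp, size_t resp_cap);

/* Build a request claiming `claimed_len` payload bytes while supplying only
 * `actual_len`; an honest client uses claimed_len == actual_len. */
size_t build_heartbeat(unsigned char *out, uint16_t claimed_len,
                       const unsigned char *payload, size_t actual_len) {
    out[0] = HB_REQUEST;
    out[1] = (unsigned char)(claimed_len >> 8);
    out[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(out + 3, payload, actual_len);
    memset(out + 3 + actual_len, 0, HB_PADDING);
    return 1 + 2 + actual_len + HB_PADDING;
}

/* Vulnerable handler, modelled on tls1_process_heartbeat() in OpenSSL 1.0.1f:
 * it trusts the client's payload_length and never compares it with the bytes
 * that actually arrived (record_len), so memcpy walks past the record. */
long heartbeat_vulnerable(const unsigned char *record, size_t record_len,
                          unsigned char *resp, size_t resp_cap) {
    (void)record_len;                          /* the bug: never consulted */
    if (record[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((record[1] << 8) | record[2]);
    size_t resp_len = 1 + 2 + (size_t)payload_len + HB_PADDING;
    if (resp_len > resp_cap) return -1;        /* model guard; OpenSSL mallocs exactly this */
    resp[0] = HB_RESPONSE;
    resp[1] = record[1];
    resp[2] = record[2];
    memcpy(resp + 3, record + 3, payload_len); /* over-read into neighbouring memory */
    memset(resp + 3 + payload_len, 0, HB_PADDING);
    return (long)resp_len;
}

/* Fixed handler, mirroring the checks added in OpenSSL 1.0.1g: drop records too
 * short for header plus padding, and drop any request whose claimed payload
 * does not fit inside the bytes actually received. */
long heartbeat_fixed(const unsigned char *record, size_t record_len,
                     unsigned char *resp, size_t resp_cap) {
    if (record_len < 1 + 2 + HB_PADDING) return -1;
    if (record[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((record[1] << 8) | record[2]);
    size_t resp_len = 1 + 2 + (size_t)payload_len + HB_PADDING;
    if (resp_len > record_len || resp_len > resp_cap) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = record[1];
    resp[2] = record[2];
    memcpy(resp + 3, record + 3, payload_len); /* now provably inside the record */
    memset(resp + 3 + payload_len, 0, HB_PADDING);
    return (long)resp_len;
}

/* Send one heartbeat claiming `claimed_len` bytes to `handler`: returns 1 if
 * the response carries the secret lying behind the record, 0 if it is clean,
 * -1 if the handler dropped the request. */
int leak_check(heartbeat_fn handler, uint16_t claimed_len) {
    static unsigned char resp[HB_MAX_LEN];
    memset(process_memory, 0, sizeof process_memory);
    size_t rec_len = build_heartbeat(process_memory, claimed_len,
                                     (const unsigned char *)"ping", 4);
    memcpy(process_memory + SECRET_OFFSET, secret, SECRET_LEN);
    long n = handler(process_memory, rec_len, resp, sizeof resp);
    if (n < 0) return -1;
    /* resp + 3 mirrors record + 3, so a leaked secret lands at the same offset */
    if ((size_t)n >= SECRET_OFFSET + SECRET_LEN &&
        memcmp(resp + SECRET_OFFSET, secret, SECRET_LEN) == 0)
        return 1;
    return 0;
}

int main(void) {
    printf("vulnerable, honest length 4:    %d\n", leak_check(heartbeat_vulnerable, 4));
    printf("vulnerable, claimed length 512: %d\n", leak_check(heartbeat_vulnerable, 512));
    printf("fixed, honest length 4:         %d\n", leak_check(heartbeat_fixed, 4));
    printf("fixed, claimed length 512:      %d\n", leak_check(heartbeat_fixed, 512));
    return 0;
}
```

An honest 4-byte "ping" gets a clean 4-byte echo from both handlers. A request that claims 512 bytes but sends 4 makes the vulnerable handler return the session cookie that merely happened to sit behind the record, while the fixed handler silently discards the request, which is exactly what the OpenSSL 1.0.1g patch does.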
This bug, only recently discovered by security researchers, had been present in OpenSSL for about two years (the flawed code shipped in OpenSSL 1.0.1, released in March 2012). What that means is that we don’t know who knew about the bug before it was disclosed, so we have to assume that account credentials and any other data handled by the affected websites have been compromised. Mashable has a list of sites that have been found to be affected by this bug.
Now that this bug is out in the open, it is being actively exploited by attackers. It is imperative that you change passwords on affected websites, and if the option is available I would highly recommend turning on two-factor authentication. However, before you do, you need to make sure that the website has fixed the vulnerability; otherwise you’ll just compromise your new password immediately. A properly remediated site will also have reissued its certificate, since the server’s private key could have been read out along with everything else, and a site that only patched can still be impersonated by anyone who captured the old key. I would recommend LastPass’ Heartbleed checker, because it tells you whether the website was previously vulnerable, whether it is vulnerable now, and when its certificate was issued. Here are other sites that check whether a given website is vulnerable:
· http://filippo.io/Heartbleed/
· http://heartbleed.criticalwatch.com/
· https://lastpass.com/heartbleed/
· https://www.ssllabs.com/ssltest/
Other Suggested Readings:
http://bhconsulting.ie/securitywatch/?p=2103
http://www.vox.com/cards/heartbleed/how-does-the-heartbleed-attack-work
This post first appeared on Exploring Information Security.