Wednesday 9 April 2014

Change All Your Passwords: "Heartbleed" Bug Threatens Your Internet Safety

TechCrunch and other sources are confirming the severity of the OpenSSL bug known as "Heartbleed" that threatens to compromise internet users' safety.  All internet users are encouraged to change all of their existing passwords to protect their most sensitive information.

Codenomicon, a security company out of Finland, tested this potential vulnerability and advised that internet users take immediate action.  According to their analysis, up to 66% of the market share could be affected, with open source web servers like Apache and nginx particularly vulnerable to the Heartbleed bug.

What should you do immediately?

Changing your passwords is inconvenient but easy; encourage those in your life who might not understand this threat as well as you do to follow suit.  We encourage our readers to share this and other stories about Heartbleed through social media and personal contact to help get the word out as soon as possible.  As with all issues related to internet privacy, the goal here is to protect as many people as possible, even if others don't fully understand what is at stake.  If you are not going to change all of your passwords, consider changing at least those for your main and most sensitive online accounts (e.g. bank accounts and e-mail accounts).

Wait, what exactly is Heartbleed?

For the more tech-savvy:
Codenomicon provides a detailed (and more technical) explanation of Heartbleed's origin and potential threat at heartbleed.com:

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

For the less tech-savvy:
For users looking for a less technical summary of this bug, Tumblr issued a statement to their users (who might be exposed), which provided a concise breakdown of the threat and actions to take.

A major vulnerability, known as “Heartbleed,” has been disclosed for the technology that powers encryption across the majority of the internet. That includes Tumblr.
We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue.
But this still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit.
This might be a good day to call in sick and take some time to change your passwords everywhere—especially your high-security services like email, file storage, and banking, which may have been compromised by this bug.

Users who are less tech-savvy might also find the BBC's coverage of the bug helpful.

What can you do to help others?

We also encourage our readers to comment on this blog post, tweet at our Twitter handle (@SumRando), or comment on our Facebook posts if they have additional information to share.  We thank all of you in advance for your intel on this critical matter.
