Alert: The Heartbleed Server Software Security Flaw & Why You Should Take Notice

This week news broke about a security bug that affects website server encryption, called the “Heartbleed Bug”.

In simple terms, this software bug makes data that was thought to be secure and private viewable to hackers: passwords, credit card numbers, bank info, etc.


Basically any info you’ve entered online on an affected site could fall into the hands of those exploiting this bug.

The padlock icon showing a secure page wasn’t necessarily secure.

The bad news is that many companies were vulnerable to this bug, since most use the same security software (OpenSSL), and the affected versions have the bug. This includes Google, Yahoo, Facebook, banks, email, etc. Basically any site where you saw the “secure” lock sign above the place where you were entering private data.

The worse news is that this bug has been out there for over two years. So while all the sites are working on fixing the issue and removing the bug (Google, Yahoo, and Facebook state they’ve removed it), any private data you’ve entered during the last two years could have been compromised.


Defense:

Here are a couple of sites you can use to check whether a site is still affected by the Heartbleed bug:

1) http://filippo.io/Heartbleed/

2) https://www.ssllabs.com/ssltest/index.html

You can use those sites as a check before entering any personal data on a site.

Once you confirm the site you use is safe, you should change your passwords. Note that the situation is pretty fluid right now: all sites are rushing to fix the flaw, but some may still be vulnerable, so you might want to double check directly with particular sites to confirm they are safe for your most vital accounts, like your banking, financial, and medical account sites.

Also plan on changing all your passwords, starting with the most important ones, once you confirm the sites are safe. Remember to confirm first so you don’t wind up entering a new password on a site that still has the bug, which defeats the purpose.

Keep an eye out for any suspect activity on any of your online accounts.


More detailed info:

1) http://heartbleed.com/

2) http://www.cnet.com/news/heartbleed-bug-what-you-need-to-know-faq/


Yahoo made news when they were discovered to have the flaw:

http://www.cnet.com/news/heartbleed-bug-undoes-web-encryption-reveals-user-passwords/


And the answer to the question that I’m sure you have or will eventually have:


Why is it called the Heartbleed Bug?

The bug is in OpenSSL’s implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520). When it is exploited, it leaks memory contents from the server to the client and from the client to the server.
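To make the mechanism concrete, here is an added example (not code from the original post, and not OpenSSL’s own code) of what a correct heartbeat message handler has to check. An RFC 6520 heartbeat message carries a one-byte type, a two-byte claimed payload length, the payload itself, and at least 16 bytes of padding. The bug was that the affected OpenSSL versions trusted the claimed length without comparing it to how many bytes actually arrived, so the response copied out whatever sat in memory past the real payload. The parser below performs that comparison and discards mismatched messages, as the RFC requires; the two sample records are constructed for illustration.

```python
import struct
from typing import Tuple

# RFC 6520 HeartbeatMessage field values (real constants from the RFC)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3      # 1 byte type + 2 byte payload_length
MIN_PADDING = 16    # RFC 6520: padding_length MUST be at least 16


class HeartbeatError(ValueError):
    """Raised for any heartbeat message that must be silently discarded."""


def parse_heartbeat(record: bytes) -> Tuple[int, bytes]:
    """Parse the body of a TLS heartbeat record with full bounds checking.

    Returns (message_type, payload). Raises HeartbeatError if the claimed
    payload_length does not fit inside the bytes actually received.
    """
    if len(record) < HEADER_LEN:
        raise HeartbeatError("record too short to hold a heartbeat header")
    msg_type, payload_length = struct.unpack("!BH", record[:HEADER_LEN])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise HeartbeatError("unknown heartbeat message type %d" % msg_type)
    # This is the check the vulnerable OpenSSL releases were missing: the
    # claimed length, plus the mandatory padding, must not exceed what the
    # peer actually sent. Otherwise the copy below would read past the
    # received data into unrelated memory.
    if HEADER_LEN + payload_length + MIN_PADDING > len(record):
        raise HeartbeatError("payload_length exceeds received record; discarding")
    payload = record[HEADER_LEN:HEADER_LEN + payload_length]
    return msg_type, payload


def build_heartbeat_response(request_record: bytes) -> bytes:
    """Echo back exactly the validated payload, never more."""
    msg_type, payload = parse_heartbeat(request_record)
    if msg_type != HEARTBEAT_REQUEST:
        raise HeartbeatError("only heartbeat requests are answered")
    # Real implementations use random padding; zeros keep the example simple.
    padding = bytes(MIN_PADDING)
    return struct.pack("!BH", HEARTBEAT_RESPONSE, len(payload)) + payload + padding


def is_acceptable(record: bytes) -> bool:
    """Convenience wrapper: True if the record passes the bounds checks."""
    try:
        parse_heartbeat(record)
        return True
    except HeartbeatError:
        return False


# Constructed sample records (not captured traffic).
# A well-formed request: type 1, claimed length 5, payload "hello", 16 bytes padding.
GOOD_RECORD = struct.pack("!BH", HEARTBEAT_REQUEST, 5) + b"hello" + bytes(MIN_PADDING)
# A mismatched request: the header claims 5000 payload bytes but only "hello"
# plus padding actually arrived. A correct implementation discards this.
BAD_RECORD = struct.pack("!BH", HEARTBEAT_REQUEST, 5000) + b"hello" + bytes(MIN_PADDING)


if __name__ == "__main__":
    print("well-formed record accepted:", is_acceptable(GOOD_RECORD))
    print("mismatched record accepted:", is_acceptable(BAD_RECORD))
    print("response to good record:", build_heartbeat_response(GOOD_RECORD).hex())
```

The important line is the single length comparison before the slice: the fix that shipped in OpenSSL 1.0.1g amounts to the same idea, refusing to answer a heartbeat whose claimed payload length is larger than the record that carried it.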
