The Heartbleed Bug - What You Need to Know

Security researchers have recently discovered a serious bug, nicknamed Heartbleed, that affects nearly two-thirds of all websites and could be one of the biggest security threats ever seen on the Internet. If you have logged into any of the affected sites over the past two years, your account information could be compromised, allowing cybercriminals to snap up your credit card information or steal your passwords.

Heartbleed is not a virus. Running virus-detection software on your computer will not help eliminate this threat. Heartbleed is a programming mistake in the OpenSSL library used by around two-thirds of web servers. Back in late 2011 and early 2012, developers created an add-on for OpenSSL called the “heartbeat extension.” Unfortunately, there was a bug in it that allowed hackers to snoop on Internet traffic and encrypted information on any site running OpenSSL. If you see “https” in the address bar of a site you’re on, there’s a good chance that the site is using OpenSSL.

The good news: an updated version of OpenSSL that fixes the problem has been released, but it's up to the individual website administrators to put it into place. Many sites previously identified as vulnerable, such as Yahoo, Twitter, Tumblr and Dropbox, have already been fixed. A spokesperson for Yahoo Inc confirmed that Yahoo Mail was vulnerable to attack, but said it had been patched along with other Yahoo sites such as Yahoo Search, Finance, Sports, Flickr and Tumblr.

Is there anything we can do to protect ourselves from Heartbleed? The unfortunate answer is “not much”. You can’t avoid every site that has the problem, and even if you did, the bug has been around since 2011.

Ultimately, you will need to change your passwords, but that won't do any good until the sites you use adopt the fixed version of OpenSSL. If the bug hasn’t been fixed on those sites, changing your old password to a new password would just result in your new password being susceptible. If you know that a particular site has been fixed, then you should change your password to be on the safe side. Mashable is maintaining a full chart, updated as more sites are added, that lists each site's name, whether there is a patch, whether you need to change your password, and the statement the site has issued regarding the situation. Go to http://on.mash.to/PTgjhh.

One other thing you should do is watch closely for signs of criminals using your information fraudulently. Keep a very close eye on your bank statements and credit reports and watch out for phishing email that tries to trick you into giving up more information.

** Note: The IRS released a statement on Wednesday saying that it's not affected by the bug or aware of any related security flaws. It advised taxpayers to continue filing their returns online as they normally would in advance of the April 15 deadline.

For more detailed information on the Heartbleed bug, check out these sites:

http://mashable.com/2014/04/09/heartbleed-what-to-do/

http://www.nydailynews.com/news/world/heartbleed-bug-article-1.1751982

http://heartbleed.com/

http://nakedsecurity.sophos.com/2014/04/08/anatomy-of-a-data-leak-bug-openssl-heartbleed/

http://bit.ly/1ko1AbR
