Thursday, April 10, 2014

Information Security: Heartbleed Bug

The Heartbleed Bug

The Heartbleed bug is the latest security vulnerability affecting OpenSSL. It is officially designated CVE-2014-0160. It affects many websites that run OpenSSL, and it exploits a weakness in the cryptographic software library itself. SSL/TLS provides communication security and privacy for common Internet applications such as the web, email, instant messaging and some virtual private networks. The Heartbleed bug essentially allows anyone on the Internet to read the memory of systems protected by vulnerable versions of the OpenSSL software. This compromises secret keys, usernames and passwords, and the actual content of the traffic. It allows attackers to eavesdrop on communications, steal data directly, and impersonate users and accounts. The attack allows a remote attacker to read up to 64 kBytes of memory from your system per attack attempt, and it works against servers as well as clients.
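To make the mechanism concrete, here is a small Python model of the OpenSSL heartbeat handler before and after the fix. It is an added example written for this page, not code from the original post or from the OpenSSL project: the function names, the ADJACENT_MEMORY sample and the "hello"/"hi" requests are constructed for illustration, and `record_length` stands in for the length the TLS record layer actually received. The vulnerable handler trusts the 16-bit payload length inside the message (which is why the ceiling is 64 kBytes per request); the fixed handler discards any request whose declared length does not fit inside the received record, which is the bounds check the OpenSSL patch added.

```python
import struct
from typing import Optional

# Constants from RFC 6520 (TLS Heartbeat extension)
HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16  # a heartbeat message must carry at least 16 bytes of padding


def build_heartbeat_request(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a heartbeat record body: type (1 byte) | payload_length (2 bytes) | payload | padding.

    claimed_length lets a test construct a malformed request whose 16-bit
    length field declares more bytes than the payload actually present.
    """
    if claimed_length is None:
        claimed_length = len(payload)
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * MIN_PADDING


def handle_heartbeat_vulnerable(memory: bytes, record_length: int) -> bytes:
    """Model of the handler before the fix (OpenSSL 1.0.1 through 1.0.1f).

    `memory` stands for process memory starting at the received record, and
    `record_length` for the number of bytes the record layer really received.
    The handler reads the 16-bit length field and echoes that many bytes back
    without ever comparing it with record_length, so an oversized field copies
    whatever happens to follow the record.  Returns the echoed payload.
    """
    hb_type, payload_len = struct.unpack("!BH", memory[:3])
    if hb_type != HB_REQUEST:
        return b""
    # Over-reads past the record whenever payload_len exceeds what was received.
    return memory[3:3 + payload_len]


def handle_heartbeat_fixed(memory: bytes, record_length: int) -> Optional[bytes]:
    """Model of the handler after the CVE-2014-0160 fix.

    The declared payload plus padding must fit inside the record that was
    actually received; otherwise the message is silently discarded (None).
    Returns the echoed payload for a well-formed request.
    """
    # The record must at least hold the type byte, the length field and the padding.
    if record_length < 1 + 2 + MIN_PADDING:
        return None
    hb_type, payload_len = struct.unpack("!BH", memory[:3])
    if hb_type != HB_REQUEST:
        return None
    # This is the bounds check that was missing.
    if 1 + 2 + payload_len + MIN_PADDING > record_length:
        return None
    return memory[3:3 + payload_len]


# Constructed sample data standing in for whatever sat in memory after the
# record.  Real contents are arbitrary; these strings are invented for the demo.
ADJACENT_MEMORY = b"session-cookie=abc123; db_password=hunter2"


def run_demo() -> dict:
    """Run an honest request and an oversized request through both handlers."""
    results = {}

    honest = build_heartbeat_request(b"hello")
    memory = honest + ADJACENT_MEMORY
    results["honest_vulnerable"] = handle_heartbeat_vulnerable(memory, len(honest))
    results["honest_fixed"] = handle_heartbeat_fixed(memory, len(honest))

    # Two bytes of payload, but the length field claims 40.
    oversized = build_heartbeat_request(b"hi", claimed_length=40)
    memory = oversized + ADJACENT_MEMORY
    results["oversized_vulnerable"] = handle_heartbeat_vulnerable(memory, len(oversized))
    results["oversized_fixed"] = handle_heartbeat_fixed(memory, len(oversized))
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

Running the script shows the vulnerable handler returning the two real payload bytes, the padding, and then the constructed "adjacent memory" for the oversized request, while the fixed handler returns nothing for it and both handlers behave identically for the honest request. The fixed handler drops the message silently, exactly as the patched library does, so from the network an unpatched and a patched server differ only in whether the oversized response comes back. Note also that Linux distributions backported the fix without changing the reported version string, so when checking your own servers, confirm the vendor patch level or test the behaviour rather than relying on `openssl version` alone.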


Note: You should change passwords only at sites that have already patched the security flaw. For sites that have not patched yet, do not change the password, because if you change it before the patch is applied, an attacker may still be able to capture your new password.


The following websites have patched the flaw, and you should change your passwords there right away:

Change these passwords now (they were patched)

  • Google, YouTube and Gmail
  • Facebook
  • Yahoo, Yahoo Mail, Tumblr, Flickr
  • OKCupid
  • Wikipedia

Don't worry about these (they don't use the affected software, or ran a different version):

  • Amazon
  • AOL and Mapquest
  • Bank of America
  • Capital One bank
  • Charles Schwab
  • Chase bank
  • Citibank
  • E*Trade
  • Fidelity
  • HSBC bank
  • LinkedIn
  • Microsoft, Hotmail and Outlook
  • PayPal
  • PNC bank
  • Scottrade
  • TD Ameritrade
  • Twitter
  • U.S. Bank
  • Wells Fargo

Don't change these passwords yet (still unclear, no response):

  • American Express
  • Apple, iCloud and iTunes