The Heartbleed bug is the latest security flaw affecting OpenSSL. Its official identifier is CVE-2014-0160. It affects many websites that run OpenSSL, and it exploits a weakness in that cryptographic software library. SSL/TLS provides communication security and privacy for common internet applications such as web, email, instant messaging and some virtual private networks. The Heartbleed bug essentially allows anyone on the internet to read the memory of systems protected by vulnerable versions of OpenSSL software. This compromises secret keys, usernames and passwords, and the actual content. It allows attackers to eavesdrop on communications, steal data directly, and impersonate users and accounts. A remote attacker can read up to 64 KB of system memory from your system per attack attempt. The attack works against servers as well as clients.
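The memory read described above comes from a missing length check in TLS heartbeat handling. The following is an added example, not part of the original post and not OpenSSL's code: a simplified C model of the handler before and after the fix, using the RFC 6520 message layout. All function names and the sample memory are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat request layout (RFC 6520): 1-byte type, 2-byte
 * big-endian payload length, payload, at least 16 bytes of padding.
 * All names here are hypothetical; this is not OpenSSL's code. */
#define HB_HEADER  3
#define HB_PADDING 16
#define RECORD_LEN (HB_HEADER + 4 + HB_PADDING)   /* bytes actually received */

/* Constructed memory: one received record, then unrelated adjacent data. */
static const uint8_t ARENA[] = {
    0x01, 0x00, 0x28,                     /* request, claims 40 payload bytes */
    'p', 'i', 'n', 'g',                   /* real payload is only 4 bytes */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,      /* padding */
    's','e','c','r','e','t','-','k','e','y','-','b','y','t','e','s','.','.','.','.'
};

/* Pre-patch behaviour: the echoed length comes from the message itself. The
 * field is 16 bits wide, hence the 64 KB ceiling per request. */
size_t hb_reply_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    (void)rec_len;                              /* never consulted */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    memcpy(out, rec + HB_HEADER, claimed);      /* copies past the record */
    return claimed;
}

/* Patched behaviour: silently drop a request whose claimed payload plus
 * header and padding does not fit in the record that was received. */
size_t hb_reply_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < HB_HEADER + HB_PADDING) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed + HB_PADDING > rec_len) return 0;
    memcpy(out, rec + HB_HEADER, claimed);
    return claimed;
}

int main(void)
{
    uint8_t out[65535];
    size_t n = hb_reply_vulnerable(ARENA, RECORD_LEN, out);
    printf("vulnerable: echoed %zu bytes, tail \"%.20s\"\n", n, (char *)out + 20);
    printf("fixed:      echoed %zu bytes\n", hb_reply_fixed(ARENA, RECORD_LEN, out));
    return 0;
}
```

The vulnerable handler echoes the 4-byte payload, the padding and the 20 bytes of adjacent data; the fixed handler returns nothing for the same record.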
Note: Change your password only at sites that have already patched the security flaw. At sites that have not patched yet, do not change your password, because if you change it before the patch, the attacker may have access to your new password.
The following websites have patched their security flaws, and you should change the passwords right away:
Change these passwords now (they were patched)
- Google, YouTube and Gmail
- Yahoo, Yahoo Mail, Tumblr, Flickr
- OKCupid
- Wikipedia
- Amazon
- AOL and Mapquest
- Bank of America
- Capital One bank
- Charles Schwab
- Chase bank
- Citibank
- E*Trade
- Fidelity
- HSBC bank
- Microsoft, Hotmail and Outlook
- PayPal
- PNC bank
- Scottrade
- TD Ameritrade
- U.S. Bank
- Wells Fargo
- American Express
- Apple, iCloud and iTunes