7 things you need to know about the massive web vulnerability known as Heartbleed


1. What is Heartbleed?
SSL is one of the most popular ways to encrypt data on the web. You see it on sites that use "https" with that little lock. The Heartbleed vulnerability in OpenSSL, the open source library used by most sites that use SSL, has existed for two years but was only discovered on Monday.

"Researchers found that it's possible to send a cleverly formed, malicious heartbeat message that tricks the computer at the other end into divulging secret information," Vox's Timothy B. Lee reported. "Specifically, a vulnerable computer can be tricked into transmitting the contents of the server's memory, known as RAM." Here's an update on how we at F-Secure dealt with the vulnerability.
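As an added illustration (not code from this post or from OpenSSL), here is a simplified C model of a heartbeat handler with the bounds check whose absence caused Heartbleed: the length the sender claims for its payload must be compared against the bytes actually received before anything is copied back. The record layout, constants and function names are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>

/* Simplified heartbeat record layout, assumed for this example:
 *   byte 0    : message type (1 = request, 2 = response)
 *   bytes 1-2 : claimed payload length, big-endian
 *   bytes 3.. : payload, followed by at least 16 bytes of padding */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_PADDING     16
#define HB_MAX_PAYLOAD 16384

/* Builds a response into out and returns its length, or -1 if the request
 * is rejected. The vulnerable code trusted the claimed length and copied
 * that many bytes, so a short record with a large claim made memcpy read
 * past the record into whatever else sat in process memory. */
int heartbeat_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];

    /* The check Heartbleed lacked: claimed payload plus padding must fit
     * inside the bytes actually received; otherwise drop the record. */
    if (payload > HB_MAX_PAYLOAD || 3 + payload + HB_PADDING > rec_len)
        return -1;
    if (out_cap < 3 + payload + HB_PADDING)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);         /* echo only what was sent */
    memset(out + 3 + payload, 0, HB_PADDING);  /* fresh padding, not RAM */
    return (int)(3 + payload + HB_PADDING);
}

/* Constructed sample: a request carrying the 4-byte payload "abcd" whose
 * header claims len_hi:len_lo bytes. Returns the response length, or -1.
 * An honest claim of 4 yields 23 (3 header + 4 payload + 16 padding);
 * a claim of 1000 (0x03, 0xE8) over the same 23-byte record is rejected. */
int demo_claimed_length(uint8_t len_hi, uint8_t len_lo)
{
    uint8_t rec[3 + 4 + HB_PADDING] = {HB_REQUEST, len_hi, len_lo, 'a', 'b', 'c', 'd'};
    uint8_t out[64];
    return heartbeat_response(rec, sizeof rec, out, sizeof out);
}
```

The same length check, applied to the real TLS record, is what the OpenSSL fix added; the padding is rebuilt rather than copied so nothing beyond the received bytes is ever echoed.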

Late Friday night, a report suggested that the NSA has exploited the security hole for years. The U.S. government denies this.

2. Is it really that bad?
"'Catastrophic' is the right word," wrote security expert Bruce Schneier, whom some have called the Chuck Norris of security. "On the scale of 1 to 10, this is an 11."

3. Which sites have been affected?
Facebook, Instagram, Pinterest, Tumblr, Gmail, Yahoo, Amazon Web Services (AWS), GitHub, Minecraft and thousands more. You can check if a site is vulnerable here.

4. What should I do now?
Mashable has a nice list of which passwords you should change now.

“Take care of the passwords that are very important to you,” our Chief Research Officer Mikko Hypponen told Newsweek. “Maybe change them now, maybe change them in a week. And if you are worried about your credit cards, check your credit card bills very closely.”

There is some risk that if you change your password now it could leak, our Senior Researcher Timo Hirvonen told us. However, he says he would take that risk and change them now if the passwords that are vulnerable are being used in any other important accounts. And he’d change them again after the vulnerability has been fixed.

5. What’s the most crucial lesson of Heartbleed?
For web administrators, this is a perfect chance to update to modern standards.

For everyone who uses the web, it’s a reminder of how important it is to use strong passwords that are specific to each account.

“You can argue both for and against changing the password now,” Timo notes. “The crucial thing is to use unique passwords for all your most important accounts.”

6. So do I really have to change all my passwords?
This sounds like a terrible pain in some section of your body you don’t want a pain, we know. A password manager makes it easy.

That’s why we created F-Secure KEY, which stores your passwords, user names and other credentials so that you can use them wherever you are. It has a secure password generator that helps to replace your passwords when they need to be changed.

Even though F-Secure KEY servers were affected by the Heartbleed vulnerability, all data stored in KEY was and is safe. User data can only be accessed on the user's device, not through the web.

7. Can you explain again how the Heartbleed bug works?
xkcd does a fine job here.

Cheers,

Jason
