
In The News: The Heartbleed Bug


Acorn Newsbot


Security experts this week have discovered that a bug in the software used by millions of websites across the world could have exposed users to spying and online eavesdropping.

The Heartbleed Bug, so called because it exploits an extension called ‘heartbeat’, is present in software that is used in operating systems, servers, instant messaging and email. Called OpenSSL, the software is supposed to protect sensitive data as it is transmitted.

Experts from the net monitoring firm Netcraft estimate that about 500,000 of the web’s secure servers are running versions of the vulnerable software. It is thought that the bug has been present in versions of OpenSSL that have been available for over two years. Only the latest version, released on 7th April, is immune to the bug. Unfortunately, installing this updated version does not guarantee that people are safe from attacks, as cybercriminals may have already stolen passwords, encryption keys, or other credentials enabling them to access a server.

The researchers stated, “Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously”.

Who are the affected sites?

Some commonly used sites that may be vulnerable include:

  • Imgur
  • Flickr
  • OKCupid
  • Lloyds TSB
  • Nationwide
  • Santander

What Can You Do?

Some experts have recommended that people take immediate steps to protect themselves by changing all of their online passwords, including those for social networks, online banking, ecommerce sites, and more.

This is advice that has been repeated by many large companies, including affected ones such as Tumblr, which released a message saying: “This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage, and banking, which may have been compromised by this bug”.

However, this is not necessarily the best course of action. Mark Schloesser, a security researcher with Rapid7, said that doing so “could even increase the chance of somebody getting the new password through the vulnerability”. This is because logging into an insecure server to change your password could then reveal both your old and your new passwords to a hacker.

Additionally, he states that there is an estimate that “the larger providers (will) all get patched within the next 24-48 hours” (Thursday to Friday afternoon). Once this time period has passed, he says “I would agree that people should change their credentials when a provider has updated their OpenSSL versions”.

Staying Safe

As such, we would recommend avoiding logging into any affected website until you are sure that the company has patched the problem, and then changing your passwords. For advice on choosing a strong password, check out Knowthenet’s password section.

To check if a website is still vulnerable to the Heartbleed bug, you can use this online tool, created by developer Filippo Valsorda.

Image from Wikimedia Commons
