Over the last few days, one of the world's worst computer security issues has come to light: a bug in OpenSSL, the open-source implementation of the technology that encrypts and verifies websites. Whether it is your online banking or webmail, the vulnerability has been shown to allow hackers to read any information sent using this technology, including your password!
Up to two-thirds of the world's web sites that use "https://" (a technology known as SSL, often symbolised by that little padlock) are using a product called OpenSSL and are at risk unless they have been patched (a fix applied) or a workaround put in place. The issue also affects many other secure systems, such as SSL-based VPNs and instant messengers.
Using the discovered vulnerability, hackers can retrieve ANY information, in plain text, that is being exchanged between the web browser and the server, by requesting chunks of the server's memory one chunk at a time.
Credit card numbers, expiry dates, names, addresses, phone, email, passwords etc. are all vulnerable.
Major sites affected included Yahoo mail, Tumblr, Flickr, Evernote & Eventbrite.
The issue has occurred because of a simple but only recently discovered bug in the "heartbeat" feature used between the web browser and server. The heartbeat is designed to tell the server that the client is still connected, and the "Heartbleed" bug, as it is now named, has security experts and corporations scrambling to secure their servers with either patches or workarounds.
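To show what "a bug in the heartbeat" means in practice, here is an added simulation (not code from the original post or from OpenSSL itself) of a heartbeat handler that trusts the payload length the client declares, beside the patched version that checks the declared length against the record actually received. The record layout follows RFC 6520; the `memory` buffer, the "neighbouring" session cookie and the function names are constructed for this illustration.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520: a heartbeat carries at least 16 bytes of padding

def build_heartbeat(payload: bytes, declared_len=None) -> bytes:
    """Build a heartbeat request: type(1) | payload_length(2) | payload | padding.
    Passing declared_len != len(payload) builds the malformed request the bug trusted."""
    length = len(payload) if declared_len is None else declared_len
    return bytes([HEARTBEAT_REQUEST]) + struct.pack(">H", length) + payload + b"\x00" * PADDING_LEN

def process_vulnerable(memory: bytearray, record_len: int) -> bytes:
    """Pre-patch logic: echo payload_length bytes starting at the payload,
    reading past the end of the record into whatever sits next in memory."""
    declared = struct.unpack(">H", memory[1:3])[0]
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack(">H", declared) + bytes(memory[3:3 + declared])

def process_fixed(memory: bytearray, record_len: int):
    """Patched logic: silently discard any heartbeat whose declared payload
    length does not fit inside the record that was actually received."""
    if record_len < 1 + 2 + PADDING_LEN:
        return None
    declared = struct.unpack(">H", memory[1:3])[0]
    if 1 + 2 + declared + PADDING_LEN > record_len:
        return None
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack(">H", declared) + bytes(memory[3:3 + declared])

def demo(handler):
    """Place a 2-byte payload that claims to be 40 bytes long directly in front
    of a constructed session cookie and return what the handler sends back."""
    request = build_heartbeat(b"hi", declared_len=40)
    memory = bytearray(request) + bytearray(b"session=SECRET-COOKIE-VALUE;")
    return handler(memory, len(request))

if __name__ == "__main__":
    print(demo(process_vulnerable))  # response leaks bytes of the cookie
    print(demo(process_fixed))       # None: malformed heartbeat dropped
```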
What can you do? Well, I'd probably advise that you don't panic for starters, but I would still recommend some action.
If you use secure online services such as banking or government sites and also USE THE SAME PASSWORD elsewhere, change the passwords for these services immediately. Check out my "Password Perfect" article for some ideas. Don't use the same password at multiple sites, because if it is compromised, the hacker has access to many other sites. Don't change the passwords for less important sites for a while yet: they may not have been patched, and if the site is being monitored, changing your password could simply hand a hacker your new password and lull you into a false sense of security.
Next, check whether some of your regularly used sites have been fixed yet. There are some good and bad testers out there, but we like this one: http://filippo.io/Heartbleed. Remember that even if the site is NOW patched, details could have bled out BEFORE it was fixed. Once you know a site is safe, reset that password.
Consider changing your password for email. Even if you never use a web browser to pick up email, any mail system that uses a vulnerable version of OpenSSL is at risk, and the communication between your email program (e.g. Outlook) and your ISP may have been exposed.