There’s a new bug to be on the lookout for and it carries more of a bite than mosquitoes, ticks, wasps or spiders. The effects of this bug’s silent sting can expose all of your personal data without you even being aware of it. It’s called the “Heartbleed Bug” and it has the potential to affect two-thirds of websites.
A small group of security engineers from Codenomicon and Google Security first discovered the Heartbleed Bug more than two years ago and reports say millions of websites have been affected by it. The group realized that people buying products online by entering credit card numbers, addresses, etc., could have their data stolen without a trace; some would call it “the perfect crime.” Indian engineers aptly described the bug as “highly severe.”
Much of Sun Tzu’s “Art of War” is about knowing your enemy as well as you know yourself, exploiting the enemy’s weaknesses, using deception and striking with speed and preparation to make opponents conform to your will. Given that the bug is rather old, it is hard to comprehend how it is still wreaking havoc; perhaps it’s another case of too many moving targets to keep track of, an obvious weakness in this day of overwhelming stimulation. Some have suggested the National Security Agency (NSA) knew about the bug and exploited it to collect information on people it is tracking (all of us).
Software Hackers Work on the Same Principles
And so it is with the Heartbleed Bug, which exploits a flaw (weakness) in OpenSSL encryption software used by most major websites. You might recall a small padlock symbol that designates OpenSSL’s presence on a website.
Basically, as a transaction takes place and credit card details and security codes are transmitted, a Web server sends the data to other computers in the network to complete the transaction. The bug allows a fake “packet of data” to be inserted, which fools the computer into releasing data stored in its memory.
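The mechanism described above, as an added example that is not the page's or OpenSSL's own code: a heartbeat record parser with the length check switched off (the way the unpatched code behaved) beside the patched check. The record layout and 16-byte minimum padding follow RFC 6520; the sample record and the bytes standing in for adjacent memory are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define HB_REQUEST 1    /* heartbeat_request message type */
#define HB_PADDING 16   /* minimum padding required by RFC 6520 */

/* Parse one heartbeat record (type | payload_length | payload | padding), copying
 * the payload to echo into out. Returns bytes copied, or -1 if rejected. With
 * check_bounds off the declared length is trusted, as the unpatched code did. */
static int parse_heartbeat(const uint8_t *rec, size_t rec_len, int check_bounds,
                           uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];  /* declared by the peer */
    /* The fix: header + declared payload + minimum padding must fit inside the
     * bytes that actually arrived, or the copy would run past the record. */
    if (check_bounds && 1 + 2 + payload + HB_PADDING > rec_len) return -1;
    if (payload > out_cap) return -1;                 /* guards our own buffer */
    memcpy(out, rec + 3, payload);
    return (int)payload;
}

/* Constructed sample: a 21-byte record declaring a 32-byte payload, followed in
 * the same array by bytes standing in for whatever sat next to it in memory. */
static const uint8_t sample_memory[] = {
    0x01, 0x00, 0x20, 'h', 'i',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,      /* 16 bytes of padding */
    'S', 'E', 'C', 'R', 'E', 'T', '=', 'c', 'o', 'n', 's', 't', 'r', 'u', 'c', 't'
};
#define SAMPLE_REC_LEN 21

/* Bytes the unchecked parser echoes from beyond the real record (14 here). */
int leaked_bytes_unchecked(void)
{
    uint8_t out[64];
    int n = parse_heartbeat(sample_memory, SAMPLE_REC_LEN, 0, out, sizeof out);
    return n < 0 ? 0 : n - (SAMPLE_REC_LEN - 3);
}

/* The patched check rejects the same record outright: returns -1. */
int result_checked(void)
{
    uint8_t out[64];
    return parse_heartbeat(sample_memory, SAMPLE_REC_LEN, 1, out, sizeof out);
}
int main(void) {
    printf("unchecked: %d extra bytes; checked: %d\n", leaked_bytes_unchecked(), result_checked());
    return 0;
}
```

A well-formed record whose declared length matches what arrived still passes the check and is echoed normally, so the fix costs legitimate heartbeats nothing.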
The bug has recently received major media attention due to Yahoo’s discovery that it had been used to steal passwords and other personal information from its servers. You may have noticed emails from various account providers warning you to change your passwords. Updating your passwords will only work if your provider has updated to the latest version of OpenSSL, which is impervious to the Heartbleed Bug.
Industry analysts believe the current “black box” approach to Internet security, with its proprietary software, benefits corporations in the security business and hackers while leaving computer manufacturers and their customers “in a pickle.”
The Heartbleed Test
Security engineers have come up with software to test for the bug called “The Heart Bleed Test.” Until we know the Heartbleed Bug has truly been exterminated, you can test specific sites on an individual basis. CNET has also compiled a list of the top 100 sites with an update on each one’s patch status or if it was vulnerable at all.
Some Sites Recommending You Change Your Password
Note that the following list is incomplete and is meant to give you an idea of the extent of the problem. Categories to pay attention to are:
- Social Networks
- Major Corporations
- Stores & Commerce
- Video, Photo, Game & Entertainment Sites
- Banks & Brokerage Firms
- Government & Tax Agencies
- Password Managers
Here is a partial list of companies that have made statements indicating you should change your password(s):
- Facebook – “We added protections for Facebook’s implementation of OpenSSL before this issue was publicly disclosed. We haven’t detected any signs of suspicious account activity, but we encourage people to … set up a unique password.”
- Instagram – “Our security teams worked quickly on a fix and we have no evidence of any accounts being harmed. But because this event impacted many services across the web, we recommend you update your password on Instagram and other sites, particularly if you use the same password on multiple sites.”
- Pinterest – “We fixed the issue on Pinterest.com, and didn’t find any evidence of mischief. To be extra careful, we e-mailed Pinners who may have been impacted, and encouraged them to change their passwords.”
- Google – “We have assessed the SSL vulnerability and applied patches to key Google services.” Search, Gmail, YouTube, Wallet, Play, Apps and App Engine were affected; Google Chrome and Chrome OS were not.
- Yahoo – “As soon as we became aware of the issue, we began working to fix it… and we are working to implement the fix across the rest of our sites right now.” Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr were patched. More patches remain.
- Flickr – “As soon as we became aware of the issue, we began working to fix it… and we are working to implement the fix across the rest of our sites right now.”
- Netflix – “Like many companies, we took immediate action to assess the vulnerability and address it. We are not aware of any customer impact. It’s a good practice to change passwords from time to time, now would be a good time to think about doing so.”
- Box – “We’re currently working with our customers to proactively reset passwords and are also reissuing new SSL certificates for added protection.”
- Dropbox – “We’ve patched all of our user-facing services & will continue to work to make sure your stuff is always safe.”
- GitHub – “All users should change passwords, enable two-factor authentication and ‘revoke and recreate personal access and application tokens.’”
- IFTTT – “All users have been emailed and asked to change their passwords. Old passwords will not work.”
- OKCupid – “We, like most of the Internet, were stunned that such a serious bug has existed for so long and was so widespread.”
Again, this is a partial list intended to show how widespread the bug is. If you are trying to decide whether or not to change your passwords, consider the following: If you just discovered someone had stolen the keys to your house and car, what would you do? What if someone had stolen your wallet with all the information in it?