Issue 176 - April, 2014 (2nd Edition) - Page 7
Heartbleed Bug - Users Warned to Change All Passwords
Circulating messages warn users about a serious security flaw called 'Heartbleed' that could expose passwords and other sensitive information.
© Depositphotos.com/ filmstroemstock
The information in the warnings is valid. A vulnerability found in OpenSSL encryption software could allow criminals to gain access to sensitive data including login details. A new version of OpenSSL has been released that closes the security hole. Some security experts are advising people to change all of their passwords as soon as possible, and this advice is worth heeding. However, it should be noted that, until the fixed Open SSL has actually been implemented, any new passwords set by users may still be exposed.
Various social media messages and online reports are warning users about a major security bug called 'Heartbleed'. The messages warn that a flaw in the OpenSSL cryptographic software library means that attackers could access user login details, financial information and other sensitive data. Many of the warnings urge users to change all of their passwords as quickly as possible.
The information in the warnings is true. Security experts recently discovered a significant flaw in OpenSLL
that could indeed expose the sensitive data of Internt users.
Information about Heartbleed published by security management firm Codenomicon notes
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
A fixed version of OpenSSL has now been released and is ready to be deployed. It is now up to the vendors who use OpenSSL to implement the new version. Until vendors deploy the fixed Open SSL, the data of people who use connected services will still be vulnerable to attack.
Many security commentators are advising users to change all of their passwords immediately. As a precautionary measure, this advice is worth heeding. If the vendor that a website users has already deployed the fixed OpenSSL, then changing your password for that website should thwart attackers who may have harvested your information previously. If a vendor has not yet implemented the fix, changing your passwords now should stop any attackers from immediately accessing your accounts.
However, it is important to note that, until the fix is deployed, your new password will also be vulnerable. Thus, if you change your password for an account now and then subsequently learn that the service provider has just deployed the fix, it may be wise to change your password again.
At this point, it is unclear if the vulnerability has actually been abused 'in the wild' and, if so, how much data has been compromised. Dr Steven Murdoch, a University of Cambridge computer security expert notes in a BBC article:
'I think there is a low to medium risk that any given password has been compromised,'
'It's not the same as previous breaches where there's been confirmed password lists posted to the internet. It's not as urgent as that.
Nevertheless, this is a significant security threat and all Internet users would be wise to make themselves aware of the issue and carefully follow any advice given by their service providers.
The security community has acted quickly to mitigate the threat and hopefully all affected vendors will implement the fixed OpenSSL as quickly as possible.
For accurate and detailed information about Heartbleed, refer to the Heartbleed Bug website
created by Codenomicon.
Last updated: April 10, 2014
First published: April 10, 2014
Written by Brett M. Christensen
Pages in this issue:
- SCAM - 'Mermaid Found Inside Shark Video'
- HOAX - '15 foot Eastern Brown Snake Found Near Caloundra Golf Course'
- Facebook Limiting Posts Warning - 'This is a Test'
- SCAM -'R.I.P. Dwayne Johnson' - The Rock is NOT Dead
- NONSENSE - 'All Americans Microchipped by 2017'
- SCAM - 'Devil's Pool Fall Epic Selfie Video'
- Heartbleed Bug - Users Warned to Change All Passwords
- HOAX - 'Justin Bieber Admits To Being Bi-Sexual'
- PHISHING SCAM - 'Click to Read Vital Newsletter'
- RingCentral 'New Fax Message' Malware Email
- LIKE-FARMING SCAM - 'Wife Pregnant for 13 Months Needs Prayers'
- 'New Voicemail' Pharmacy Spam Email
- HOAX: '2 Suns In The Sky On April 21st - Star Meccyroid'
- Facebook Promotion, Lottery and Award Scams
- April Fools Joke - 'United States to Ban Raw Meat Sales'
- iTunes Purchase Receipt Phishing Scam
- Dwayne Johnson is NOT Dead
- Nails in Cheese Dog Park Warning Message
- Product Order Request Money Laundering Emails
- Capitec 'Routine Maintenance' Phishing Scam
- MALWARE - 'Confidential - ALL Employees Important Document'
- SCAM - 'Flight MH370 Found in Indian Ocean Shocking Video'
- Lamborghini Giveaway Facebook Like-Farming Scam
- Barclays 'Detected Irregular Activity' Phishing Scam
- MALWARE - 'Traffic Accident With Your Car' Email
- HOAX - 'British Scientists Clone Dinosaur'
- Facebook Sick Child Hoax - 'Help Boy with Massive Tumour by Liking, Sharing and Commenting'