A major vulnerability in Internet security was disclosed on Monday. It has been described as a bug with “epic repercussions” [E]. It can allow virtually any information entered into a secure website to be made available to an attacker. The vulnerability is in OpenSSL, which is used on roughly two-thirds of all websites.
Once you've confirmed that your bank, credit card, social network and other sites have either:
A) Not been compromised in the first place
B) Patched the bug
you should change all your passwords (and not reuse any of them on multiple sites).
As of the evening of 08 April 2014, vulnerable websites included Yahoo, Flickr, Tumblr and many other top sites. Here’s a list of sites that were still vulnerable yesterday, but note that just because a site was not vulnerable this week does not mean its information was not compromised. This vulnerability has existed for around two years and exploitation leaves no trace – making it possible that websites have been leaking sensitive data for months or years without raising any red flags. [A]
Techlicious states that it is “not clear, and probably never will be, which sites were actually subject to malicious activities and what data was stolen. Nor is it easy for the average Internet user to determine which sites were even vulnerable in the first place. This puts us in the unfortunate position of recommending that you change all of your passwords for every website, but that you only do it for a given site once it’s gotten a security upgrade to prevent future snooping. Sounds like a massive, complicated undertaking? It is. But that is a reflection of how serious this threat is.” [C]
By exploiting this vulnerability, “attackers could decrypt traffic to and from the server; impersonate the server so that users who think they’re visiting a given website are actually visiting a fraudulent site disguised as the correct one; or decrypt the server’s databases, including their users’ personal information, such as usernames, passwords, email addresses, payment information and more.” [A]
You may not want to change your passwords just yet. “If a website hasn’t [fixed the problem] then a new password would be just as compromised as an old one.” [A] The New York Times “Bits” blog echoes this recommendation: “Changing a password on a site that hasn’t been fixed could simply hand the new password over to hackers. Experts recommended that, before making any changes, users check a site for an announcement that it has dealt with the issue.” [B]
It has been suggested by some authors that Internet users take a few days away from the net while server administrators patch the issue, but ICSI security researcher Nicholas Weaver says that approach may not be sufficient. In the case of a compromised server, it is likely that its private keys were compromised as well. This would allow attackers continued access even after the patch is applied unless security certificates are revoked and reissued. The Verge reports that “Servers can reset their certificates, but it’s slow and expensive, and experts suspect many of them may simply assume the patch is enough. ‘I bet that there will be a lot of vulnerable servers a year from now,’ Weaver says. ‘This won’t get fixed.’” [D]
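One check a user or administrator can make on the "was the certificate reissued?" point above is to look at when a site's current certificate became valid: a validity start earlier than the 7 April 2014 disclosure means the certificate (and possibly its key) dates from before the fix. This is an added example, not code from the article or any of its sources; the function names, the constructed sample certificate dictionaries and the disclosure date cutoff are assumptions made here.

```python
import ssl
import socket
from datetime import datetime, timezone

# Heartbleed was disclosed publicly on 7 April 2014. A certificate whose validity
# starts before this date was issued while the server's private key may have been
# exposed, so it has not been "revoked and reissued" in the sense the article describes.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_not_before(cert):
    """Validity start of a certificate dict (shape of ssl.SSLSocket.getpeercert())
    as a timezone-aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def issued_after_disclosure(cert):
    """True if the certificate was (re)issued on or after the disclosure date.
    Necessary but not sufficient: a certificate can be reissued over the old,
    possibly leaked key, so a True result is a hint, not proof of a key change."""
    return cert_not_before(cert) >= HEARTBLEED_DISCLOSURE


def assess(cert):
    """Return a (verdict, notBefore) pair suitable for a report line."""
    not_before = cert_not_before(cert)
    verdict = "reissued" if not_before >= HEARTBLEED_DISCLOSURE else "pre-disclosure"
    return verdict, not_before


def fetch_peer_cert(host, port=443, timeout=10):
    """Fetch the leaf certificate a live server presents for `host`.
    Needs network access; not exercised by the offline sample below."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificate dicts (not real certificates) in the format
# getpeercert() returns; dates use OpenSSL's "Mon DD HH:MM:SS YYYY GMT" layout.
OLD_CERT = {"subject": ((("commonName", "example.test"),),),
            "notBefore": "Mar  1 00:00:00 2014 GMT",
            "notAfter": "Mar  1 23:59:59 2015 GMT"}
NEW_CERT = {"subject": ((("commonName", "example.test"),),),
            "notBefore": "Apr  9 12:30:00 2014 GMT",
            "notAfter": "Apr  9 12:30:00 2015 GMT"}

if __name__ == "__main__":
    for cert in (OLD_CERT, NEW_CERT):
        verdict, not_before = assess(cert)
        print(cert["subject"][0][0][1], verdict, not_before.isoformat())
```

To check a real site, pass the result of `fetch_peer_cert("example.test")` to `assess`; a "reissued" verdict still says nothing about whether the old key was revoked, which is exactly the gap Weaver describes.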
While the scope of this issue is currently unknown, Yahoo Tech recommends that “because an attack using the bug would leave no trace, and the potential damage from an attack would be so significant, all websites that ever used the affected versions of OpenSSL should be considered compromised.” [A]
Even if you do not care whether your Flickr or Tumblr account data is compromised, be aware that data from one site can be used to access other sites. For instance, if you use the same password on multiple accounts, one compromised account can allow an attacker to access sites you do care about (e.g. banking and email). If an attacker gains access to your email account, it is often possible to reset all of your passwords (including those for financial institutions). The attacker would then have full access to all your important accounts and personal information. Since it is unknown which sites were subject to a data breach, resetting all passwords is the only safe solution.
Sources & Further Reading
[A] Yahoo Tech – 08 April 2014: Here’s What You Need to Know About the ‘Heartbleed’ Bug That’s Attacking Millions of Websites – by Jill Scharr
[B] NY Times Bits – 08 April 2014: Experts Find a Door Ajar in an Internet Security Method Thought Safe – by Nicole Perlroth
[C] Techlicious – 08 April 2014: Heartbleed Security Bug May Be Worst Ever – by Fox Van Allen
[D] The Verge – 08 April 2014: Why Heartbleed Is the Most Dangerous Security Flaw on the Web – by Russell Brandom
[E] Krebs on Security – 08 April 2014: ‘Heartbleed’ Bug Exposes Passwords, Web Site Encryption Keys