Heartbleed: Is It Time To Panic?
Posted on Apr 10, 2014
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.
Ouch! A bleeding heart? “Heartbleed”: are you at risk?
This is serious. Really serious? Or is it? The newly disclosed Heartbleed vulnerability potentially affects a large share of internet users. It was found in OpenSSL, a popular open-source cryptographic library that implements TLS for vast portions of the web. The bug sits in OpenSSL’s handling of the TLS heartbeat extension: a client can ask the server to echo back more bytes than it actually sent, and a vulnerable server replies with whatever happens to follow the request in its memory, up to 64 KB per request, without leaving any trace in its logs. Affected releases are OpenSSL 1.0.1 through 1.0.1f; 1.0.1g, released on 7 April 2014, fixes it. The vulnerability potentially allows attackers to steal data from web applications, e-mail services, instant messaging and some virtual private networks. In other words, it can expose the secret keys used to encrypt web traffic, along with session cookies and passwords in flight, allowing attackers to read communications or impersonate users and servers.
What should you do?
Actually, not much. Most enterprise-class systems (including our own Aqilla, which we regularly test for such things) are already protected. The question to ask of any service you rely on is whether its servers ran an affected OpenSSL version (1.0.1 to 1.0.1f) and, if so, whether they have since been updated and had their certificates reissued.
The bug only lets an attacker read chunks of the memory of the process that terminates TLS (typically the web server), NOT the underlying database. What that memory holds depends on what the server was doing at the moment of the request: fragments of other users’ requests, session cookies, passwords in flight and, in the worst case, the server’s private key. So the data at risk is whatever happened to be passing through the front end while an attacker was probing, not data sitting in a properly separated database. We’d recommend you be patient for a couple of days until the sites you use have patched, since changing a password on a site that is still vulnerable gains nothing.
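To make concrete what “information from memory” means, here is an added illustration in C of the bug class; it is not code from the original post and not OpenSSL’s own source. It models a TLS heartbeat record as RFC 6520 lays it out (type, two-byte payload length, payload, padding) and uses a constructed “memory” arena in which a session cookie and a password sit just past the incoming request. The arena layout, the neighbouring data, the values and the function names are all assumptions made for the demonstration. The vulnerable handler trusts the length field the client supplied and echoes back that many bytes; the fixed handler applies a bounds check of the same shape as the one OpenSSL 1.0.1g added.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified TLS heartbeat record (RFC 6520):
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 * Added illustration of the Heartbleed bug class; not OpenSSL's code. */

#define ARENA_SIZE 256
#define MIN_PADDING 16

/* Constructed stand-in for the server process's memory: the incoming
 * heartbeat is placed at the start, and data the server happens to hold
 * next to it (assumed here: a cookie and a password) follows. */
static unsigned char arena[ARENA_SIZE];

/* Builds a 2-byte heartbeat whose length field claims `claimed_len` bytes.
 * Returns the true length of the record as received on the wire. */
static size_t build_arena(uint16_t claimed_len) {
    const char payload[] = "hi";
    const char neighbour[] =            /* constructed sample data */
        "Cookie: session=deadbeef; user=alice; password=hunter2";
    size_t real_len = sizeof payload - 1;
    size_t rec_len = 3 + real_len + MIN_PADDING;

    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                   /* heartbeat_request */
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(&arena[3], payload, real_len);
    /* arena[3 + real_len .. rec_len) is zero padding */
    memcpy(&arena[32], neighbour, sizeof neighbour); /* lies past the record */
    return rec_len;
}

/* Vulnerable handler: trusts the client's length field and never compares it
 * with the record length actually received. The memcpy reads past the real
 * payload into whatever follows; here that stays inside `arena` for claimed
 * lengths up to ARENA_SIZE - 3, in a real server it is the process heap. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_cap) {
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                        /* the bug: never consulted */
    if (claimed > out_cap) claimed = (uint16_t)out_cap;
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* Fixed handler: header + claimed payload + minimum padding must fit inside
 * the record that was actually received (the shape of the 1.0.1g check).
 * Returns 0, meaning the request is silently dropped, when it does not. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap) {
    uint16_t claimed;
    if (rec_len < 3) return 0;
    claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + claimed + MIN_PADDING > rec_len) return 0;
    if (claimed > out_cap) return 0;
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* Does the echoed response contain `needle`? (portable memmem) */
static int contains(const unsigned char *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* End-to-end scenario: returns 1 when the vulnerable handler leaks the
 * neighbouring password and the fixed handler drops the same request. */
static int demonstrate_leak(void) {
    unsigned char out[ARENA_SIZE];
    size_t rec_len = build_arena(100);   /* claims 100 bytes, really sends 2 */
    size_t n = heartbeat_vulnerable(arena, rec_len, out, sizeof out);
    int leaked = contains(out, n, "password=hunter2");
    int dropped = heartbeat_fixed(arena, rec_len, out, sizeof out) == 0;
    printf("vulnerable: echoed %zu bytes, password leaked: %s\n",
           n, leaked ? "yes" : "no");
    printf("fixed: %s\n", dropped ? "request dropped" : "request answered");
    return leaked && dropped;
}

int main(void) { return demonstrate_leak() ? 0 : 1; }
```

The point of the scenario is the `(void)rec_len` line: the leaked bytes are not anything the application stored deliberately, they are simply what was adjacent in memory, which is why the answer to “what did we lose?” is “whatever happened to be there at the time”.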
However, if paranoia is your thing, then you might want to follow Tor’s advice: "If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle."
Over the next couple of days many websites will be updating OpenSSL and replacing their certificates. If you use one of these websites and it tells you that work is complete (as Tumblr.com advised earlier today), then it is a good idea to change your password, but only once the fix is in place: a new password entered on a still-vulnerable site can be captured just like the old one.
To Yahoo! or not to Yahoo?
Yahoo! was discovered to be just one amongst the millions of sites originally vulnerable to the problem, as Ronald Prins from security firm Fox-IT tweeted yesterday: “We were able to scrape a Yahoo username & password via the Heartbleed bug”. Sounds bad? Well, maybe not quite so bad. Yahoo! have already confirmed that all of their applications, including the Yahoo! Homepage, Yahoo! Search, Yahoo! Mail, Yahoo! Finance, Yahoo! Sports, Yahoo! Food, Yahoo! Tech, Flickr and Tumblr, have had the requisite fix applied and so are no longer exposed. Bear in mind that patching stops further leakage; it does not recover anything captured beforehand, which is the reason to change a password once a site confirms it is fixed.
(To put it into context, this author has used the same Yahoo! password for nigh on 15 years and has never been compromised, receives no spam and in general sees it as one of the best and most secure web mail systems available today. This is pretty impressive by any standard. Just don’t click on anything you don’t recognise or that looks potentially unsafe.)