Does the Heartbleed Bug Mean You Should Stay Off the Internet? Here are seven things you should know. —By Dana Liebelson

Rss     Subscribe     Share     Tweet    

0 Points


Apr 11 14 1:31 PM

Tags : : , , , , , , ,

Mother Jones - POLITICS

Does the Heartbleed Bug Mean You Should Stay Off the Internet?

Here are seven things you should know.

| Wed Apr. 9, 2014 2:01 PM PDT

On Tuesday, news broke that the safeguard many websites use to protect sensitive information on the internet has had a major security flaw for about two years. These sites use a security system called OpenSSL to encrypt data like content, passwords, and Social Security numbers. But thanks to a small coding error in a popular version of OpenSSL, nicknamed "Heartbleed," hackers can potentially steal sensitive data from vulnerable websites. Richard Bejtlich, chief security strategist at FireEye, a network security company, notes that there's no evidence that malicious hackers have exploited the flaw yet. But the secrecy-minded Tor Project, which enables anonymous internet browsing, nevertheless recommended on Monday that, "If you need strong anonymity or privacy on the internet, you might want to stay away from the internet entirely for the next few days while things settle." Here are seven reasons why you might want to stop looking at cat videos right now:

1. Lots of popular websites have the security problem.

According to the New York Times, up to two-thirds of sites on the internet rely on OpenSSL. A user on Github, an open-source coding site, compiled a list of sites that were allegedly vulnerable after a test was conducted on Tuesday. The Github list included Yahoo, Flickr, OkCupid, and Eventbrite, among dozens of other companies. (Some may have since updated their security.) Facebook and Google both released statements confirming they are not affected by the flaw. If you'd like to test a specific site to see whether it's could be exploited—although this doesn't meant that it has—go here.

2. Your most sensitive personal information is at risk.

When websites use SSL, that's a good thing. The security layer is deployed during sensitive transactions to protect data like bank details, social security numbers, and passwords. Runa Sandvik, a staff technologist at the Center for Democracy and Technology (CDT), says that she's heard, "this is even worse than if SSL wasn't used at all, because it's used to protect sensitive information. A site that isn't protected at all, you might not submit sensitive information there in the first place." The good news is, some security researchers are reporting that hackers may not be able to get the private keys to an entire website's content. The bad news is, the flaw is still "a great way to steal passwords from recent logins" according to researchers at Errata Security.

3. Canada is freaking out.

The Canada Revenue Agency announced on Wednesday that it is temporarily shutting down its online services as a result of the Heartbleed bug. The moves come mere weeks before Canadians are expected to file their taxes. The U.S. Internal Revenue Service said in astatement Wednesday that its website has not been affected by the bug.

4. Right now, hackers are racing to get at that information.

"With these things, you can practically hear the shotgun go off. We're in a race now between the attackers and the defenders, to see how quickly attackers can build viable attacks, and how quickly the defenders can put out their defenses," says Christopher Budd, a spokesperson for Trend Micro, a Japanese security software company. He notes that while exploiting the vulnerability right now is fairly difficult, as hackers share information, people could build tool kits and it will become significantly easier.

5. You won't necessarily know if your information has been hacked.

“It’s a serious bug in that it doesn’t leave any trace,” David Chartier, chief executive at Codenomicon, told the New York Times. “Bad guys can access the memory on a machine and take encryption keys, usernames, passwords, valuable intellectual property, and there’s no trace they’ve been there.”

6. It won't be easy for websites to fix the problem.

Budd says fixing the problem is "simple, but not easy." While there is a fixed OpenSSL versionthat websites can download, it can take time to roll out the new program across a website's entire infrastructure. Budd notes that companies will have to weigh the risk of an attack against the potential that the entire website might come crashing down if a new coding error is introduced. That might dissuade companies from acting quickly. Additionally, after a website installs the new "fix," it needs to update its SSL certificate, a process that can take a little time. Jeremy Gillula, staff technologist at the Electronic Frontier Foundation, notes that even if a website has downloaded the fix, if it hasn't updated its certificates, it "could still be subject to a man-in-the-middle-attack on its users."

7. Changing your passwords right away isn't necessarily going to help you.

After news of Heartbleed broke, you probably got a lot emails from people telling you to change your passwords. Not so fast, experts say. If you change your password prior to a site getting rid of the bad SSL, your new password could be just as vulnerable as your old one. Sandvik from CDT says, "I'm in the same situation as everyone else. I would look for statements issued by companies before logging in, and if there is no statement, contact them and ask them. Also test their website." Budd advises, "This is one of those situations where the best thing people can do is stick to best practices, don't panic, and wait to hear information from people to know what's going on. If you get instructions, follow them."

Or you know, go read a book.

"I would no more be a Master than a slave. It does not conform to my idea of Democracy." Abraham Lincoln 1856.

Quote    Reply   

#1 [url]

Apr 12 14 10:01 PM

Some good info.....


Websites are racing to patch the Heartbleed bug, the worst security hole the Internet has ever seen.

As sites fix the bug on their end, it's time for you to change your passwords. The Heartbleed bug allowed information leaks from a key safety feature that is supposed to keep your online communication private -- email, banking, shopping, and passwords.

Don't change all your passwords yet, though. If a company hasn't yet updated its site, you still can't connect safely. A new password would be compromised too.

Many companies are not informing their customers of the danger -- or asking them to update their log-in credentials. So, here's a handy password list. It'll be updated as companies respond to CNN's questions.

Change these passwords now (they were patched)

  • Airbnb
  • Google, YouTube and Gmail
  • Facebook
  • Yahoo, Yahoo Mail, Tumblr, Flickr
  • OKCupid
  • Pinterest
  • Wikipedia

Don't worry about these (they don't use the affected software, or ran a different version)

  • Amazon
  • Apple, iCloud and iTunes
  • AOL and Mapquest
  • Bank of America
  • BECU
  • Capital One bank
  • Charles Schwab
  • Chase bank
  • Citibank
  • E*Trade
  • Fidelity
  • (Health Department said "security protections prevent this vulnerability from occurring.")
  • HSBC bank
  • Hulu
  • LinkedIn
  • Microsoft, Hotmail and Outlook
  • PayPal
  • PNC bank
  • Scottrade
  • TD Ameritrade
  • Twitter
  • U.S. Bank
  • Vanguard
  • Wells Fargo

Don't change these passwords yet (still unclear, no response)

  • American Express

 To top of page

The only thing necessary for the triumph of for good men to do nothing
Edmund Burke(1729-1797)
Irish Philosopher,statesman

�With integrity, nothing else counts. Without integrity, nothing else counts.�

We can't solve problems by using the same kind of thinking we used when we created them. � Albert Einstein.

"To see what is right, and not to do it, is want of courage or of principle."


Quote    Reply   

#2 [url]

Apr 12 14 10:22 PM

So who knows what we are doing?

NSA knew about Heartbleed for two years - Bloomberg

The critical “Heartbleed” bug reported earlier this week to have affected the security of most of the internet was discovered by researchers at the United States National Security Agency two years earlier, according to a new report.

On Friday afternoon, Bloomberg News journalist Michael Riley reported that the NSA knew about the monstrous flaw for at least two years ahead of this week’s announcement, but kept it hidden from technologists and instead exploited it to hack the computers and correspondence of certain intelligence targets.

Earlier in the week, the open-source OpenSSL internet security project issued an emergency advisory after discovery of the Heartbleed bug revealed a weakness that may have for years allowed hackers to access online information otherwise thought to be protected by the SSL/TLS encryption standard used by around two-thirds of the web.

But according to sources that Riley says are familiar with the matter, the NSA kept details of the bug a secret shortly after first discovering it in early 2012 so that it could be added to the agency’s toolbox of exploits and hacks.

The agency found the Heartbeat glitch shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency’s toolkit for stealing account passwords and other common tasks,” Riley wrote.

Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost,” he added. “Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.”

Shortly after Bloomberg published their report, agency spokeswoman Vanee Vines told the National Journal that the NSA "was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report."

"Reports that say otherwise are wrong," she said, dismissing Riley's report.

In December, a five-person review group handpicked by US President Barack Obama to reassess the NSA’s intelligence gathering abilities said that the government must not stockpile details about any so-called “zero day” vulnerabilities, or flaws unknown to computer programs who have thus had “zero days” to patch them.

In almost all instances, for widely used code, it is in the national interest to eliminate software vulnerabilities rather than to use them for US intelligence collection,” the group told the president. “Eliminating the vulnerabilities — “patching” them — strengthens the security of US Government, critical infrastructure, and other computer systems.”

We recommend that, when an urgent and significant national security priority can be addressed by the use of a Zero Day, an agency of the US Government may be authorized to use temporarily a Zero Day instead of immediately fixing the underlying vulnerability.”

Pres. Obama has since asked Congress to adhere to one of that group’s recommendations — halting the government’s bulk collection of telephony metadata — but has not publically spoken of zero days before or after this week’s discovery of Heartbleed.

Previously, however, journalists and privacy advocates working with the trove of classified NSA documents disclosed last year by former contractor Edward Snowden said that the secretive intelligence agency had been undermining the very security of the internet by exploiting other flaws to hack targets.

At a security conference in December, expert Jacob Appelbaum from Germany’s Der Spiegel magazine said that the NSA had acquired the means to compromise any Apple iPhone in the world and occasionally relied on a number of high-tech tools and implants to hack targets.

Basically the NSA, they want to be able to spy on you. And if they have ten different options for spying on you that you know about, they have 13 ways of doing it and they do all 13. So that’s a pretty scary thing,”said Appelbaum, who previously spoke on behalf of WikiLeaks at a US conference and is a core member of the Tor anonymity project.

And since June, NSA leaks disclosed by Mr. Snowden have shown that the NSA has done everything from physically tapping into fiber optic undersea internet cables to get further access to the world’s communications, to tricking the systems administrators of private companies into installing malware that would open up their machines to American spies.

The only thing necessary for the triumph of for good men to do nothing
Edmund Burke(1729-1797)
Irish Philosopher,statesman

�With integrity, nothing else counts. Without integrity, nothing else counts.�

We can't solve problems by using the same kind of thinking we used when we created them. � Albert Einstein.

"To see what is right, and not to do it, is want of courage or of principle."


Quote    Reply   
Add Reply

Quick Reply

bbcode help