0

Protecting Yourself From The Heartbleed Bug

Protecting Yourself From The Heartbleed Bug

In a recent post on Cyber Security News, we provided information on the heartbleed vulnerability discovered in OpenSSL cryptographic library. Since then, the heartbleed bug has been all over the news, with system admins having near heart attacks at the sight of the word. The news has scared users into changing their passwords and system admins updating their systems frantically. But what is the heartbleed bug? How do I protect myself from the heartbleed bug? And who has been hit by the heartbleed bug?

What is the heartbleed bug and who does it affect?

In recent statistics released by Netcraft, it has been revealed that over half a million web services online are susceptible to the hearbleed bug, regardless of the encryption controls used on these sites. The heartbleed bug exploits the heartbeat extension in the popular SSL cryoptographic library OpenSSL, more details can be found in our article heartbleed vulnerability discovered in OpenSSL cryptographic library. According to NetCraft’s statistics, over 17% of SSL websites across the world have the heartbeat extension enabled – resulting in over half a million certificates vulnerable to spoofing. In short, this means that the attacker can spoof themselves as legitimate to affected websites without any warnings issued by the browser.

Since the disclosure over this vulnerability, many infamous websites and services have been identified as being affected. For example, Yahoo! is severely vulnerable to the heartbleed bug – providing services to over 800 million users. While Yahoo! has patched this vulnerablity, it is evident from the screenshot below that the search engine giants have been vulnerable to user credentials being harvested by attackers.

heartbleed bug yahoo

Yahoo! were vulnerable to the heartbleed bug before updating their systems

The heartbleed bug has affected many sites with millions of users – with sites such as Mumsnet and the Canadian Tax Authority falling victim in the last week. Other sites that utilise the heartbeat extension include social networking sites such as Twitter and Facebook as well as banking sites such as the Bank of America. Many of these sites have now patched the heartbleed vulnerability, however, others remain vulnerable

What steps should I take to protect myself from the heartbleed bug?

There are steps you can take to remain dilligent while websites and online services patch the heartbleed vulnerability. Firstly, you should check whether websites you regularly use are vulnerable to the heartbleed bug. Websites such as http://filippo.io/Heartbleed/ will present a red flag for those sites that are still vulnerable and these sites should be avoided until the exploit is mitigated.

Further scanners include LastPass, a web app that provides details on the encryption used by websites – including encryption types and update points. This will allow you to assess the encryption strength of a given site and determine whether it is suitable to protect your data or not. Provensec also provide a scanner that is available at http://provensec.com/heartbleed/. Finally, if you are using Google Chrome as your web browser then Chromebleed, an extension created by security researchers, is worth installing.

In addition to conducting due dilligence on the sites and services you use, it is also worth changing your credentials of sites that are affected by the vulnerability. You will need to ensure that when the site or service you use updates to the latest heartbleed extension that you change your password to ensure you are protected. As always, it is highly recommended that you use separate passwords for different sites to prevent an exploit one – exploit all scenario, where the attacker captures a single credential and uses these across multiple platforms.

Finally, it is highly recommended to protect yourself from the heartbleed bug that you update your system that utilises OpenSSL to the latest version, OpenSSL 1.0.1g to prevent the vulnerability being exploitable.

The heartbleed bug is a genuine threat to anyone worldwide that uses a website or online service to process their data. Not only can your usernames and passwords be compromised, but those using banking sites could find their sensitive banking information stolen if they do not take appropriate steps. While system admins at each of the websites across the world update their OpenSSL library, the users still need to take active steps to change their passwords and ensure that sites they use are not vulnerable to the heartbleed bug.

Filed in: News Tags: , , ,

Get Updates

Share This Post

Related Posts

Leave a Reply

Submit Comment

© 2017 Cyber Security News. All rights reserved.