
The “superbug” in OpenSSL named “Heartbleed” is all over the news these days and is causing confusion and concern for many people. This hole in the SSL encryption was discovered at the start of this week by Google and Codenomicon, and it is a serious one. The problem is: what do you do about it? Here is a very simple guide to what I suggest you should do.

1. Verify that your account is now patched against the vulnerability. To do this, check your provider (bank, Facebook, Google or other) with one of the open tools. One such tool is: http://filippo.io/Heartbleed/ Just enter the URL (like accounts.google.com or any other web page) and if the tool says “All good” then you are OK to proceed and change your password. If that is not the case, wait until they have fixed the site before changing it (you could of course disable your account in the meantime).

These services have already been fixed and you can safely change your password:

  • Facebook
  • Tumblr
  • Google/Gmail/YouTube
  • Amazon Web Services
  • eBay
  • Dropbox
  • Netflix
  • SoundCloud
  • OKCupid
  • Wunderlist
  • Telenor

Lists are being updated on this page with information and advice on whether you need to change your password: http://mashable.com/

2. You can (even if the bug is not fixed yet on that service!) enable 2-factor authentication for your services. Major services that already have this are Google, Facebook, Twitter, Microsoft and more.

Google: http://www.google.com/landing/2step/
Facebook: https://www.facebook.com/note.php?note_id=10150172618258920
Twitter: https://blog.twitter.com/2013/getting-started-with-login-verification
Microsoft: http://windows.microsoft.com/en-us/windows/two-step-verification-faq

Most of these services provide an app for Android or Apple phones/devices that you can use for code generation, or they send a code by SMS to your phone. Using 2-factor authentication protects you better when passwords are leaked on the Internet, since the “stealer” also needs your phone to be able to log in. In the future all services must provide some kind of 2-factor, I think!

For more information about the bug that has been discovered, read this: http://heartbleed.com. If you run a server using OpenSSL you should immediately take action to close this security hole, and preferably also issue new SSL certificates for your service once the bug is fixed.

Finally, this bug has been patched at a frantic pace by the big authentication providers around the world over the last few days; most of the big services are already patched, and I at least have not heard of anyone exploiting it so far. The big concern, however, is that the bug has been in the “wild” for 2 years, and in that time anyone could have found and exploited it in silence. The way the bug works leaves no trace if that has been done, and if they never published anything, they are sitting on a huge backdoor into many systems. This is the reason you really have to change your passwords, no matter what… and again, go enable 2-factor, that is the best protection!
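As an added illustration of how the bug works and why it leaves no trace (this is example code written for this post, not OpenSSL's source): a simplified model of the heartbeat handling defect. A heartbeat request carries a 2-byte declared payload length, and the vulnerable versions echoed that many bytes back without comparing it to the record that actually arrived; the fixed handler adds the bounds check from the OpenSSL 1.0.1g patch. The "memory" layout and the secret string are constructed so the over-read stays inside one array.

```c
#include <stdint.h>
#include <string.h>

#define PAD 16  /* padding bytes that follow a heartbeat payload */

/* Constructed "process memory": one heartbeat record, then unrelated secret
 * bytes next to it. The record claims 48 payload bytes; only 4 arrived. */
static unsigned char memory[64] = {
    0x01,        /* HeartbeatMessageType: request */
    0x00, 0x30,  /* declared payload length = 48 */
    'p', 'i', 'n', 'g'
    /* PAD bytes of 0x00 padding follow (zero-initialised) */
};
static const size_t record_len = 1 + 2 + 4 + PAD;  /* bytes really received */

/* Vulnerable handler: trusts the declared length, never looks at rec_len. */
static size_t heartbeat_reply_unchecked(const unsigned char *rec, size_t rec_len,
                                        unsigned char *out) {
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                   /* the defect: the real length is ignored */
    memcpy(out, rec + 3, payload);   /* copies past the record into neighbours */
    return payload;
}

/* Fixed handler: the bounds check OpenSSL 1.0.1g added. A request whose
 * declared payload (plus 3-byte header and padding) does not fit inside the
 * record that arrived is silently discarded, so nothing is echoed back. */
static size_t heartbeat_reply_checked(const unsigned char *rec, size_t rec_len,
                                      unsigned char *out) {
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + PAD > rec_len)
        return 0;
    memcpy(out, rec + 3, payload);
    return payload;
}

/* 1 if the unchecked reply carries the neighbouring (constructed) secret. */
int unchecked_reply_leaks_secret(void) {
    unsigned char out[64];
    memcpy(memory + record_len, "SECRET-KEY-MATERIAL", 19);
    size_t n = heartbeat_reply_unchecked(memory, record_len, out);
    /* secret starts at memory[record_len]; the copy began at memory[3] */
    return n == 48 && memcmp(out + record_len - 3, "SECRET", 6) == 0;
}

/* Bytes the checked handler returns for the same forged record: 0 (rejected). */
size_t checked_reply_length(void) {
    unsigned char out[64];
    return heartbeat_reply_checked(memory, record_len, out);
}
```

Nothing in the unchecked path fails or logs: the server answers a well-formed heartbeat, which is why the post's point about the bug leaving no trace holds and why a patched server should also get new certificates.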
