
Caution Advised as Heartbleed Poses Serious Security Threat

A potentially damaging flaw has been discovered with the OpenSSL libraries that will likely trigger reactions ranging from mild concern to paranoia.  We may never fully know the extent of the damage – or indeed if any damage at all was caused – but Bitdefender advises its customers to exercise caution.

The Heartbleed bug could give anyone who knew about it unfettered access to secure web sites across the internet that use certain versions of OpenSSL, the library widely used for SSL (Secure Sockets Layer) and TLS (Transport Layer Security) encryption. This means that a thief could enter a secure site, steal sensitive information that everybody thought was secure, and leave without a trace.

The SSL and TLS protocols are used to secure e-mail, web applications, some VPNs, messaging services and more. This means thieves could have made off with encryption keys, private messages, passwords, confidential documents and virtually anything else that users thought was protected.

It is not immediately clear how many people or web sites have been endangered by Heartbleed, but OpenSSL is the default encryption library of Apache and Nginx server software, which are used by 66 percent of the sites in the world, according to the Netcraft April 2014 Web Server Survey.

That doesn’t automatically place them all at risk. The bug is present in versions issued from December 2011 onward. OpenSSL advises in a note that “1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1. Affected users should upgrade to OpenSSL 1.0.1g.”
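A small version screen built from the OpenSSL note quoted above, added here as an example rather than code from Bitdefender or the OpenSSL project. It classifies version strings the way the note does (1.0.1 up to 1.0.1f and 1.0.2-beta1 affected, 1.0.1g fixed); the `parse_version` and `check_local_openssl` helpers and the regular expression are the author's own assumptions, and `openssl version` is the standard command for printing a local build's version.

```python
import re
import subprocess

# Matches `openssl version` output such as "OpenSSL 1.0.1f 6 Jan 2014"
# or a bare string such as "1.0.2-beta1".
VERSION_RE = re.compile(
    r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|dev))?",
    re.IGNORECASE,
)


def parse_version(text):
    """Return (major, minor, fix, letter, prerelease) or None if unrecognised."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letter, pre = m.groups()
    return int(major), int(minor), int(fix), letter.lower(), (pre or "").lower()


def is_heartbleed_affected(text):
    """True for the versions the OpenSSL note calls affected: 1.0.1 through
    1.0.1f and 1.0.2-beta1. 1.0.1g (the fix) and later letters, the 1.0.0 and
    0.9.8 branches, and later 1.0.2 builds (which shipped after the fix) return
    False. Returns None when the string cannot be parsed."""
    v = parse_version(text)
    if v is None:
        return None
    major, minor, fix, letter, pre = v
    if (major, minor, fix) == (1, 0, 1):
        # Letters are single characters, so "" (plain 1.0.1) and "a".."f"
        # sort before the patched "g".
        return letter < "g"
    if (major, minor, fix) == (1, 0, 2):
        return pre == "beta1"
    return False


def check_local_openssl():
    """Run `openssl version` on this host and classify the result.
    Caveat: Linux distributions often backport the fix while keeping the old
    version string (a patched build can still report 1.0.1e), so treat an
    'affected' answer here as a prompt to check the package changelog, not
    as proof of exposure."""
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout
    return out.strip(), is_heartbleed_affected(out)


if __name__ == "__main__":
    print(check_local_openssl())
```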

Yahoo!, Flickr, Wunderlist and other popular services have been vulnerable to the bug and their users may have been affected. Facebook, Google and many of the other most popular destinations on the web, meanwhile, are protected from the Heartbleed bug. However, the risk is high and it is still present.

In the meantime, we advise users to exercise caution even when using sites that they assume to be secure. As always, security on the internet is rarely as certain as users assume.

Note: All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

About The Author

E-Threat Analyst

A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.


Comments (2)

  • Cristian

    Thanks for the heads-up!
    But what should we do, what can we do?
    The closing statement is far too general: “we advise users to exercise caution even when using sites that they assume to be secure”

  • Loredana Botezatu

    Thank you for your question, Cristian.

    The truth is that there’s not much you can do. But what you can and should do is change your accounts’ passwords. Or better yet, change them again sometime next week in case not every website has patched this vulnerability by now.

    If you are concerned about your credit card data and the money in your accounts, make sure you check your account balance very closely and repeatedly. If and when you notice any suspicious activity, let your bank know immediately.

    As a rule of thumb, you should regularly change your passwords. And always choose complex passwords. It is advisable that you use a combination of words, letters, signs and numbers. For more details on how to create strong passwords, check out our blog post on The Art of Creating Strong, Yet Easy-to-Memorize Passwords – http://www.hotforsecurity.com/blog/internet-privacy-the-art-of-creating-strong-yet-easy-to-memorize-passwords-875.html.

    If you are running a critical service that is exposed to the Internet and relies on OpenSSL, we advise you to immediately take the server out of production, update the OpenSSL library with the patched one, revoke and renew the SSL certificate and log out all user accounts to ensure that the upcoming sessions are secured.

