Heartbleed is a bug in the open source OpenSSL library that was announced on April 7, 2014 as an issue that “allows an attacker to read the memory of a server or a client, allowing him or her to retrieve, for example, a server’s SSL private keys.” Examinations of audit logs appear to show that some attackers may have exploited the flaw for a couple of years before it was rediscovered and published. The San Jose Mercury News says Bloomberg News reported that the NSA knew about this flaw for at least two years, didn’t report it to the public, and used it to gather intelligence information. The NSA denies this allegation.

This now-infamous Heartbleed security flaw is known to have affected countless popular websites, including Google, Yahoo, Facebook and IFTTT. The exact number of servers affected by this bug is not known, but the number appears to be significant. The vulnerability may affect roughly two-thirds of the world’s websites, a staggering estimate that has thrown Internet, e-commerce and cloud providers into a state of high alert.

Google, which discovered this bug, has fixed it on all of its servers. Forbes cybersecurity columnist Joseph Steinberg described the bug as potentially “the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet.” Source

What you need to determine is whether a site you use is vulnerable to this bug. CNET has a list of safe and unsafe sites. Digital Trends also has a list, as well as a list of iOS, Android and Windows 8 apps affected by this bug.

LastPass has set up a page where you can type in the web site you want to check to see if it is a safe site or not.

The Washington Post says that Heartbleed affects “also the networking equipment that connects homes and businesses to the Internet,” as well as, “Internet-connected devices such as Blu-ray players.”

If you are using an Android Device you should install the HeartBleed Detector App from Lookout Mobile Security.

However, Apple has recently announced that Heartbleed doesn’t affect iOS, OS X, or iCloud. Source

ConnectedLiving recommends you purchase Apple Products.

Andrew Cushman, senior director of the Security Incident Response unit for Microsoft Azure, wrote in an April 9 blog post, “Microsoft Account and Microsoft Azure, along with most Microsoft Services, were not impacted by the OpenSSL vulnerability.” “Windows’ implementation of SSL/TLS [Secure Sockets Layer/Transport Layer Security] was also not impacted,” he added. His company does not employ OpenSSL to terminate SSL connections on Azure Web Sites, Pack Web Sites and Web Roles, Cushman wrote. “Windows comes with its own encryption component called Secure Channel (a.k.a. SChannel), which is not susceptible to the Heartbleed vulnerability.” – Source

This bug affects a large number of servers on the public network. It could be exploited to repeatedly harvest random bits of information from those public servers while they run the vulnerable version of OpenSSL. Not all servers are vulnerable. The vulnerable ones should be patched in short order, if they are not already. Apple devices are never vulnerable to any direct attack, since iOS, OS X and iCloud don’t use OpenSSL.
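The memory-reading defect described above, shown in miniature as an added example (this is not code from the original post or from OpenSSL): a heartbeat responder that trusts the peer-supplied payload length beside one that checks it against the record actually received. The byte layout, the record and the “SECRET-KEY” bytes are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for server memory: one heartbeat request record (type,
 * 2-byte payload_length, payload) followed by data a reply must never contain. */
static const unsigned char memory[] =
    "\x01"        /* type: heartbeat request */
    "\x00\x20"    /* declared payload_length = 32, but only 5 bytes follow */
    "hello"       /* the real 5-byte payload */
    "SECRET-KEY-MATERIAL-NEXT-IN-RAM";   /* adjacent memory the bug exposes */
#define RECORD_LEN 8            /* bytes actually received from the peer */
static unsigned char reply[64]; /* reply buffer shared by the demo helpers */

/* Vulnerable pattern (the Heartbleed defect): the peer-supplied length is
 * trusted, so memcpy runs past the real payload into neighbouring memory. */
static size_t respond_vulnerable(const unsigned char *rec, unsigned char *out) {
    uint16_t payload_length = (uint16_t)((rec[1] << 8) | rec[2]);
    memcpy(out, rec + 3, payload_length);
    return payload_length;
}

/* Fixed pattern: the length field is bounds-checked against the record that
 * actually arrived; a malformed heartbeat is discarded instead of answered. */
static int respond_fixed(const unsigned char *rec, size_t record_len,
                         unsigned char *out, size_t *out_len) {
    if (record_len < 3) return -1;                 /* no room for type + length */
    uint16_t payload_length = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)payload_length + 3 > record_len) return -1;  /* overlong */
    memcpy(out, rec + 3, payload_length);
    *out_len = payload_length;
    return 0;
}

/* Demo helpers: bytes leaked beyond the real payload, and the fixed verdict. */
size_t leaked_bytes(void) {
    size_t n = respond_vulnerable(memory, reply);
    return n > 5 ? n - 5 : 0;                      /* 27 bytes beyond "hello" */
}
int leak_contains_secret(void) {
    return respond_vulnerable(memory, reply) > 5 && memcmp(reply + 5, "SECRET-KEY", 10) == 0;
}
int fixed_rejects(void) {
    size_t n = 0;
    return respond_fixed(memory, RECORD_LEN, reply, &n);   /* -1: discarded */
}

int main(void) {
    printf("leaked %zu bytes; fixed responder returns %d\n", leaked_bytes(), fixed_rejects());
    return 0;
}
```

The single added comparison against the received record length is the whole fix; a patched server answers only with the bytes the peer actually sent.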

If you provided a login and password to a vulnerable web server, it is possible that they are known to a third party that was exploiting the bug to harvest information from that server. The vulnerability has existed for about two years.

Basically, it’s time to revisit and change the passwords you use to access public websites.

Moreover, you should not use the same password for multiple sites. If your login (usually an email address) and password are the same on multiple sites, someone could use the login and password and access your accounts on other sites where you have an account.

There are many different password managers that will generate unique passwords for every site you visit. These password manager programs are installed on your computer and will create and remember the secure password for you, making it easy to visit sites without remembering the different passwords. ConnectedLiving recommends 1Password for the Mac and iOS. It isn’t free and there is a small learning curve associated with it, but that goes with the territory. Apple recommends iCloud Keychain.

For more information on passwords read this post.

To understand Heartbleed in non-technical terms, read this article by Stack Exchange.