It has recently been discovered that there is a severe vulnerability in the way sensitive data is handled and transmitted on some web servers using an encryption method known as OpenSSL.
OpenSSL stands for Open-source Secure Sockets Layer, and is used to encrypt sensitive data going between a users computer and a web server/website. OpenSSL has a function built in to it that periodically checks that a users computer is still connected to the server and the connection is alive. This function is known as the heartbeat (just like checking a persons pulse to see if they are alive). It is by exploiting this heartbeat function that fraudsters and cyber criminals could emulate these heartbeat checks and spoof the server into sending back sensitive information kept in its temporary memory or RAM. Such information could include users passwords, name, address, email address, and credit/debit card numbers.
What can you do to protect yourself?
I have seen several newspaper articles and supposed advice columns suggesting that everyone should immediately change all their on-line passwords for all the websites they use. This could potentially be the worst thing you could possibly do!. If the server has not been patched with an updated “FixedSSL” version of OpenSSL then potentially you could be logging into websites that are still compromised, updating you passwords and effectively sending them to the cyber criminals.
If you are concerned about any of the websites that you use, under no circumstances try to log into them. The first thing to do is to use an online checker (details of some good checkers are at the end of this post) They will validate that a server has been updated to patch the heartbleed bug. Only if the checking service reports that the website has been updated with the FixedSSL patch and is safe should you attempt to log in. Once logged in you can then update or change you passwords and security information. Most commonly used website are taking steps or already have fix this bug.
The top websites that were once vulnerable but have subsequently been patched and reported to be safe to use again are:
5. Yahoo Mail
There are potentially 100’s of thousands of other websites that either once were vulnerable, or still are. Just because a website no shows as being safe, does not necessarily mean that it has always been safe so it would still be wise to exercise caution and keep a close eye on any social media accounts, bank accounts, web mail accounts and on-line retail accounts for any suspicious activity/purchases/messages.
Good online checkers include:
https://lastpass.com/heartbleed/ – This site will validate if a site is currently safe to use, for how long it has been safe to use, as well as advice if it was once vulnerable. It will the offer recommendations on how you should proceed.
https://filippo.io/Heartbleed/ – This website will check and report if a website should be safe to use. Not as informative as the first but still helpful.
Finally for Google Chrome browser users there is a plugin called Stopbleed which will inform you if a website you are visiting is vulnerable to the Heartbleed bug or not. Remember if a site reports it is vulnerable, it does not mean the site is not safe to visit, just not safe to enter an personal or sensitive information in to it.
Stopbleed can be downloaded and installed into Chrome from here: Download Stopbleed for Chrome.