The Heartbleed web security flaw – runaway, runaway! — UPDATE: NSA scumbags knew about the bug for 2 years

heartbleed

It seems as though every week or so there’s a new hack or exploit that reveals millions of passwords or important data from a popular web service, and this week is no exception. On Tuesday, IT professionals got word of a serious flaw in OpenSSL — the browser encryption standard used by an estimated two-thirds of the servers on the internet. The flaw, which was dubbed “Heartbleed,” may have exposed the personal data of millions of users and the encryption keys to some of the web’s largest services. Here’s what you need to know:

It’s a bug in some versions of the OpenSSL software that handles security for a lot of large websites. In a nutshell, a weakness in one feature of the software — the so called “heartbeat” extension, which allows services to keep a secure connection open over an extended period of time — allows hackers to read and capture data that is stored in the memory of the system. It was discovered independently by a security company called Codenomicon and a Google researcher named Neel Mehta, both of whom have helped co-ordinate the response…

As Tim Lee at Vox points out in his overview, the lock that you see in your browser’s address bar when you visit a website “is supposed to signal that third parties won’t be able to read any information you send or receive. Under the hood, SSL accomplishes that by transforming your data into a coded message that only the recipient knows how to decipher.” But researchers found it was possible to “send a cleverly formed, malicious heartbeat message that tricks the computer at the other end into divulging secret information…”

What can you do about it?

If you are a web user, the short answer is not much. You can check the list of sites affected on Github, or you could try a tool from developer Filippo Valsorda that checks sites to see if they are still vulnerable (although false positives have been reported), and you should probably change your passwords for those sites if you find any you use regularly.

RTFA if you want all the gory details. The bug is 2 years old albeit just discovered; so, no one has a clue how long evildoers may have been screwing around with folks’ accounts at sites containing the bug.

I’d suggest reading the list at Github and staying away from sites on the list – until they disappear from the list. Changing passwords – as suggested – at affected sites is a good idea as well. Though I can think of problems happening if you’re pinged while doing exactly that. If and when sites are certified clean, then, change your passwords and do a thorough job of it.

UPDATE: NSA scumbags knew about the bug for two years and used it to break into encrypted communications – rather than notify American companies and consumers so they might protect themselves…http://tinyurl.com/mq8owa2

6 thoughts on “The Heartbleed web security flaw – runaway, runaway! — UPDATE: NSA scumbags knew about the bug for 2 years

  1. eideard says:

    The list at github is pretty useful. Most of the sites I visit are clean. Though, I see that Google has added a patch, as well. So, I changed passwords associated with Google.

    1Password rules.

    • moss says:

      You shouldn’t worry, anyway. Apple users, iOS and OSX, can’t be affected.

      http://tinyurl.com/kn23pb8

      The comments/discussion are funny for the tiny world inhabited by developers. The sum of discussion = developers CAN be affected. But, only if they’re using non-Apple software as part of their projects. 🙂

  2. Louie Renault says:

    I’m shocked, shocked to learn the NSA knew about the flaw in OpenSSL and has been using it to break into encrypted communications. Also for what it might be worth: “The NSA has specifically targeted either leaders or staff members in a number of civil and non-governmental organisations … including domestically within the borders of the United States.” (Edward Snowden, testimony to the Parliamentary Assembly of the Council of Europe on Tuesday April 8th http://www.theguardian.com/world/2014/apr/08/edwards-snowden-us-government-spied-human-rights-workers)

  3. Jimmy Higgins says:

    As for the UPDATE: Remember two things about the United States and lawlessness. [1] Start with Guatemala and Iran and understand that liberal and conservative domestic politics are meaningless when issues are formed by nationalism (often confused with patriotism), foreign policy and imperial might (often confused with patriotism). [2] In 1981, Ronald Reagan made almost the first act of his first term in office as president executive order 12333 – the core authorization of so-called intelligence gathering still used by our domestic and foreign spies. Some of us on the Left realized that at the time. Just as we always half-joked about the CIA being liberals, the FBI being conservatives and the NSA being nazis. And it was Reagan who turned loose the NSA.

    • keaneo says:

      And no one since did a bloody thing about the corrupt powers of the NSA. Year by year, no matter which administration, they slithered around our lives unhampered by Congressional pimps providing phony oversight.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.