Heartbleed: Is it time to panic?

10th Apr 2014

Ouch!! A bleeding heart? “Heartbleed” Are you at risk?

This is serious. Really serious? Or is it? Apparently the new Heartbleed vulnerability has already put a lot of internet users at risk. It was found in OpenSSL, a popular open-source implementation of the SSL/TLS protocols used to encrypt vast portions of the web. The vulnerability potentially allows attackers to steal data from web applications, e-mail communications, instant messaging and some virtual private networks. In other words, it can compromise the secret keys used to encrypt web traffic, allowing attackers to steal communications or impersonate other users.

What should you do?

Actually, nothing much! Most enterprise-class systems (including our own Aqilla cloud accounting software, which we regularly test for such things) are already protected.

The vulnerability can only be exploited to derive information from memory, NOT from the underlying database, so you’d have to be pretty unfortunate to have any data held in an unsecured state to be at risk. We’d recommend you be patient and wait a couple of days until the hype is over.

However, if paranoia is your thing, then you might want to follow Tor’s advice: "If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle."

Over the next couple of days many websites will be taking steps to make themselves even more secure. If you are using one of these websites (for example, as advised by Tumblr.com earlier today), then it might be a good thing to change your password.

To Yahoo! or not to Yahoo?

Yahoo! was discovered to be just one amongst the millions originally vulnerable to the problem, as Ronald Prins from security firm Fox-IT tweeted yesterday: “We were able to scrape a Yahoo username & password via the Heartbleed bug.” Sounds bad? Well, maybe not quite so. Yahoo! have already confirmed that all of their applications, including the Yahoo! Homepage, Yahoo! Search, Yahoo! Mail, Yahoo! Finance, Yahoo! Sports, Yahoo! Food, Yahoo! Tech, Flickr, and Tumblr, have had the requisite fix applied to counter the vulnerability and so are not in danger anymore.

(To put it into context, this author has used the same Yahoo! password for nigh on 15 years and has never been compromised, receives no spam and in general sees it as one of the best and most secure web mail systems available today. This is pretty impressive by any standard. Just don’t click on anything you don’t recognise or that looks potentially unsafe.)

Replies (1)

By User deleted
10th Apr 2014 12:07

Too late ...

Of course there is a school of thought that goes

By the time the public becomes aware of these problems it is already too late and whatever damage is going to be done has already occurred

Especially bearing in mind that OpenSSL has been around for a while and holes are only just being disclosed

Thanks (0)