'Heartbleed' The Internet Is Under Attack, Security Patches Underway

Cnet:

The Heartbleed bug is serious. Disclosed less than two days ago, the Heartbleed bug has sent sites and services across the Internet into patch mode.

A flaw in software that’s widely used to secure Web communications means that passwords and other highly sensitive data could be exposed. Some say they’ve already found hundreds of Yahoo passwords.

A major new vulnerability called Heartbleed could let attackers gain access to users’ passwords and fool people into using bogus versions of Web sites. Some already say they’ve found Yahoo passwords as a result.

[Image: Heartbleed graphic. Credit: Codenomicon]

The problem, disclosed Monday night, is in open-source software called OpenSSL that’s widely used to encrypt Web communications. Heartbleed can reveal the contents of a server’s memory, where the most sensitive of data is stored. That includes private data such as usernames, passwords, and credit card numbers. It also means an attacker can get copies of a server’s digital keys, then use them to impersonate servers or to decrypt communications from the past or potentially the future, too.

Security vulnerabilities come and go, but this one is extremely serious. Not only does it require significant change at Web sites, it could require anybody who’s used them to change passwords too, because they could have been intercepted. That’s a big problem as more and more of people’s lives move online, with passwords recycled from one site to the next and people not always going through the hassles of changing them.

“We were able to scrape a Yahoo username & password via the Heartbleed bug,” tweeted Ronald Prins of security firm Fox-IT, showing a censored example. Added developer Scott Galloway, “Ok, ran my heartbleed script for 5 minutes, now have a list of 200 usernames and passwords for yahoo mail…TRIVIAL!”

For an in-depth explanation of what exactly Heartbleed is, and what it does, read this post by Stephen Shankland. In essence, the bug potentially exposed your username and password on sites like Facebook, Google, Pinterest, and more.

Using Alexa.com, we plan on going through the list of the top 100 sites in the U.S. and asking “Have you patched the Heartbleed bug yet?” Once we have an answer, we will fill in the chart below with the response.

While we wait to hear back, we will be testing the sites against the Qualys SSL Server Test. There may be some instances where the patch isn’t detected, in which case we will mark the site as “be on alert.” When a site is marked as such, you should proceed with caution and contact the site or company directly if you have any questions pertaining to your account security.

You may notice some companies will be marked as “Was not vulnerable.” In that case, the site in question does not use the type of OpenSSL encryption this bug was based on and your data was never at risk.


| Site | Qualys | Confirmation from site |
| --- | --- | --- |
| Google | Pass | Vulnerability patched. Password change recommended |
| Facebook | Pass | Vulnerability patched. Password change recommended |
| Instagram | Pass | Vulnerability patched. Password change recommended |
| YouTube | Pass | Vulnerability patched. Password change recommended |
| Yahoo! | Pass | Vulnerability patched. Password change recommended |
| Amazon | Pass | Awaiting response |
| Wikipedia | Pass | Vulnerability patched. Password change recommended |
| LinkedIn | Pass | Was not vulnerable |
| eBay | Pass | Was not vulnerable |
| PayPal | Pass | Was not vulnerable |
| Twitter | Pass | Was not vulnerable |
| Chase | Pass | Was not vulnerable |
| CNET | Pass | Was not vulnerable |
| CBSSports | Pass | Was not vulnerable |
| Blogspot | Pass | Vulnerability patched. Password change recommended |
| Bing | Pass | Vulnerability patched. Password change recommended |
| Live | Pass | Vulnerability patched. Password change recommended |
| Craigslist | Pass | Awaiting response |
| Pinterest | Pass | Awaiting response |
| CNN | Be on alert | Awaiting response |
| Tumblr | Pass | Vulnerability patched. Password change recommended |
| Espn.go.com | Pass | Awaiting response |
| WordPress | Pass | Awaiting response |
| Imgur | Pass | Awaiting response |
| MSN | Be on alert | Vulnerability patched. Password change recommended |
| Microsoft | Pass | Vulnerability patched. Password change recommended |
| Flickr | Pass | Vulnerability patched. Password change recommended |
| Blogger | Pass | Vulnerability patched. Password change recommended |
| Googleusercontent.com | Pass | Vulnerability patched. Password change recommended |

This list is going to be live and constantly updated; please return to view the latest information as we get it.
