Heartbleed bug: what to do, who’s affected, who’s done what?

UPDATED: By now, you should have heard about the Heartbleed bug, a flaw in OpenSSL's TLS heartbeat extension that lets anyone who can connect to a vulnerable server read up to 64 KB of that server's memory per request, and typically leaves nothing in the server's logs. That memory can hold the server's private key, session cookies, and the usernames and passwords people have just submitted, which is why this is more than a "change your password" event. The flawed code was committed on December 31, 2011 and shipped in OpenSSL 1.0.1 (March 2012); every release from 1.0.1 through 1.0.1f is affected, and the fix is in 1.0.1g.

The latest news on this ongoing story is on my Storify.

What to do?

Change your passwords on accounts where you would be upset if someone got into a trove of your personal information, such as anything holding credit card numbers or banking details.

Generally speaking, if you change your passwords before a site implements a patch, you'll need to change them again afterwards, because the new password can be read out of the server's memory just like the old one. Tumblr, for example, advised its members to change passwords after it installed the patch. Ditto LastPass, which explained its encryption scheme, one that includes perfect forward secrecy: each session uses a throwaway key, so recorded past traffic stays unreadable even if the server's long-term private key is later stolen.

Check to see if the site has already taken the first step toward correction: upgrading OpenSSL (or otherwise disabling the heartbeat extension). That alone is not enough, because the server's private key may already have been read out of memory. A complete fix means patching, generating a new private key, getting the certificate reissued, revoking the old one, and invalidating existing sessions. Be prepared to change those passwords again after the site's admins have completed all of those steps.

If you use Chrome, install the Chromebleed checker, which “[d]isplays a warning if the site you are browsing is affected by the Heartbleed bug.” But no major site should still have flawed SSL software on Wednesday.
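For admins and anyone able to log into a server, the first-step check above comes down to the OpenSSL version. The script below is an added example for this post, not code from the original page or from the OpenSSL project. It takes a version string, such as the output of `openssl version` or a package version from `dpkg -l openssl` / `rpm -q openssl`, and classifies it against the OpenSSL project's Heartbleed advisory (CVE-2014-0160): 1.0.1 through 1.0.1f and 1.0.2-beta1 are vulnerable, 1.0.1g and 1.0.2-beta2 carry the fix, and the 1.0.0 and 0.9.8 branches never had the heartbeat code. The sample strings in the main block are constructed, not captured from any real host.

```python
"""Classify an OpenSSL version string against the Heartbleed advisory (CVE-2014-0160).

Added example for this post, not code from the original page or from the OpenSSL
project. Version facts come from the OpenSSL security advisory of 7 April 2014:
1.0.1 through 1.0.1f and 1.0.2-beta1 are vulnerable, 1.0.1g and 1.0.2-beta2 carry
the fix, and the 1.0.0 and 0.9.8 branches never contained the heartbeat code.
"""
import re
import subprocess

VULNERABLE = "vulnerable"
PATCHED = "patched"
NOT_AFFECTED = "not affected"
UNKNOWN = "unknown"

# Accepts "OpenSSL 1.0.1e 11 Feb 2013" (openssl version), "1.0.2-beta1", and package
# versions such as "1.0.1e-2+deb7u5" or "openssl-1.0.1e-16.el6_5.7.x86_64"; group 6
# captures the distro package revision when one is present.
_VERSION_RE = re.compile(
    r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?(-[0-9]\S*)?"
)


def classify_openssl_version(version: str) -> str:
    """Return VULNERABLE, PATCHED, NOT_AFFECTED or UNKNOWN for one version string."""
    if "LibreSSL" in version or "BoringSSL" in version:
        return UNKNOWN  # different code bases; the OpenSSL version table does not apply
    m = _VERSION_RE.search(version)
    if not m:
        return UNKNOWN
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)          # "" for a bare 1.0.1, otherwise a..z
    beta = int(m.group(5)) if m.group(5) else None
    distro_revision = m.group(6)

    if branch < (1, 0, 1):
        return NOT_AFFECTED      # 0.9.8 and 1.0.0 predate the heartbeat extension
    if branch == (1, 0, 1):
        upstream_fixed = letter >= "g"               # 1.0.1 and 1.0.1a..f are vulnerable
    elif branch == (1, 0, 2):
        upstream_fixed = beta is None or beta >= 2   # only 1.0.2-beta1 shipped the bug
    else:
        return PATCHED           # 1.1.x and later were released after the fix
    if upstream_fixed:
        return PATCHED
    # Distro packages keep the upstream letter and backport the fix in the package
    # revision (the part after the "-"), so "1.0.1e-<revision>" cannot be judged from
    # the string alone; the vendor advisory for that revision is the authority.
    if distro_revision:
        return UNKNOWN
    return VULNERABLE


def local_openssl_status() -> str:
    """Classify the OpenSSL binary on this machine; UNKNOWN if there is none."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return UNKNOWN
    return classify_openssl_version(out)


if __name__ == "__main__":
    # Constructed sample strings, not captured from any real host.
    samples = [
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "OpenSSL 1.0.0l 6 Jan 2014",
        "1.0.1e-2+deb7u5",
        "OpenSSL 3.0.2 15 Mar 2022",
    ]
    for s in samples:
        print(f"{s:34} -> {classify_openssl_version(s)}")
    print("this host:", local_openssl_status())
```

The "unknown" result for package versions is deliberate: Debian, Ubuntu and Red Hat shipped the fix as a package revision while keeping the upstream letter, so a string like 1.0.1e-something can be either state and only the vendor advisory for that revision settles it. A patched version also only stops further leakage; the site still needs a new key and a reissued certificate before changing your password there does any good.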

Who’s affected and who’s done what?

According to Netcraft, which monitors web server technology, more than half a million sites are currently vulnerable.

I’ve not found a central location that catalogs which sites have publicly announced their status. So I’m going to link to announcements in a list here.

Prominent sites that were vulnerable

Sites that appear to have been free of the vulnerability

  • 1Password
  • Apple : was not running affected software
  • Bank of America
  • Capital One
  • Chase
  • CNET
  • Craigslist
  • eBay : was not running affected software
  • Evernote
  • LinkedIn
  • Microsoft (Bing, Hotmail, Live.com) : was not running affected software
  • NewEgg
  • NYTimes
  • PayPal
  • Slideshare (owned by LinkedIn)
  • Target
  • Twitter
  • Walmart
  • Wells Fargo
  • Zillow

Mashable is now maintaining a list as well.

Web encryption 101

Netscape introduced SSL (Secure Sockets Layer) encryption in 1994; its successor, TLS, is what browsers actually negotiate today, though the old name has stuck. Websites that are sharing information securely show that in two ways: the protocol is https instead of http, and you'll see a lock alongside the URL in the browser.

On an encrypted site, if someone is “listening in” to the transaction between your computer and the web server, they’ll hear (read) only noise, not plain talk (text).

Today OpenSSL is the most widely used implementation of SSL/TLS, and no one knows exactly how many sites are at risk. Apache and nginx together serve about two-thirds of the sites on the web, and both typically link against OpenSSL for https. “The code library is also used to protect email servers, chat servers, virtual private networks and other networking appliances,” according to PC World. Note: SSL protects a password only in transit, and only on sites that actually submit the login form over https; not every site does.

Updated: 11:00 pm Pacific, April 9
Updated: 9:10 am Pacific, April 10
Updated: 12:30 pm Pacific, April 11

Evernote Security Breach Announcement Includes One (Big) Stumble

You’ve heard by now that Evernote had a major security breach and is forcing its customers, all 50 million accounts, to reset their passwords.

What you may not have realized is that Evernote’s email announcing the problem, a much more transparent and prompt response than most of the tech giants who preceded them down this path managed, included what looked like a spoofed link to a password-reset page.

I learned about this Saturday when a tech friend gave me a heads-up about the discrepancy. I wondered out loud if someone was already using the outage as a phishing attack.

But no, the odd link came from Evernote’s email marketing firm.

Beefing Up Facebook Security: How To Set Up Two-Step Verification

One way to make it harder for bad guys to get into your online accounts is to require more than a username and password to log in.

Google uses a two-step verification process tied to account credentials and your mobile phone. So does Facebook.

And as Alex Howard points out, security has always been important but events are conspiring to suggest just how important.

Learn how to set up two-step verification on your Facebook account. It matters for anyone, and the higher your public profile, the more it matters.

This means journalists, professors engaged in public scholarship (especially when controversial), celebrities (authors, musicians, actors, directors, models, athletes ….), politicians (of all stripes, elected or candidate), political appointees, judges and high profile lawyers … anyone who manages a Facebook page for someone else …  the list goes on.