Heartbleed (CVE-2014-0160)

Before you started using the internet for paying bills and online banking… do you remember initially being paranoid and refusing to do these things because you didn’t think it would ever be safe?

You were right.

For the last two years, over 60% of all internet servers have had a bug named “Heartbleed” that could allow hackers to steal user names, passwords and all kinds of personal information without detection. Making matters worse, there was no way to log this activity, so there is no evidence trail.

Watch your bank/financial statements very closely for the next few months.

“Secure sites” are websites you log in to that show HTTPS or a padlock once you are logged in.

Do not log in to a secure site until you know it is safe to do so. You will have to call each company or look at their site to see whether they were affected and, if they were, whether they have fixed the problem – and you will have to repeat these steps for each of your secure sites.

If a secure site reports that it was affected and has patched the problem, you should immediately log in and change your password.

Also beware of phishing attempts. If someone calls you with 2 or 3 tiny pieces of information and then asks you to fill in 50 blanks (bank account, credit card, date of birth, social security number)… HANG UP.


Google Accounts Compromised

Please note that some domains have Google Apps for Domains installed. Your domain email might be using Gmail even if you don’t personally have an @gmail.com address. These Google Apps for Domains accounts are also affected. Jjwinter.com and Sodpit.com Google accounts were affected. Change your passwords!

Google account user names, passwords and personal information were compromised by the Heartbleed bug (even though this information was compromised, there is no way to know whether hackers actually captured any of it). Google has fixed the problem and claims nobody should have to change their password. Despite this assertion, I still recommend you change your password now and possibly set up 2-Step Verification.

If you use Microsoft Outlook, Mozilla Thunderbird, Windows Live Mail or another email client, you will have to update your password there to match your new Google password.

Password recommendations:

1 – Don’t use any of these: “password”, “123456”, “12345678”, your pet’s name, your kid’s name, your name, your name backwards, part of your login username, etc.

2 – Use upper and lower case and symbols when possible.

3 – Use eight or more characters.

4 – Use a different password for each site.

I will do a separate post for strong passwords at another time. You can use Microsoft Excel on your computer or a password manager (LastPass, Dashlane, 1Password, Roboform, SplashID, mSecure or KeePass, to name a few) to keep track of your passwords. Up to now, none of the password manager websites have reported being vulnerable to Heartbleed.


Heartbleed Patch Lists

Patch List #1 – 4/11/2014 (Last checked at 9:00 AM CST): Google/Gmail, Facebook, YouTube, Yahoo/Yahoo Mail, Wikipedia, Bing, Pinterest, Blogspot, Instagram, Tumblr, Espn.go.com, Reddit, Netflix, Yelp, GoDaddy, Etsy, Vimeo, Flickr, Blogger, Dropbox, Outbrain, Washington Post, googleusercontent.com, Feedbin, Pinboard, GetPocket, IFTTT, Amazon Web Services (for website operators), Intuit TurboTax, USAA, Box, GitHub, Minecraft, OKCupid, SoundCloud and Wunderlist.

Patch List #2 – 4/14/2014 (Last checked at 10:00 AM CST): Reddit, Weather.com, Yelp, Stack Overflow, Vimeo, USPS and Wikia.

All of the sites in the above “patch lists” have been patched (fixed) and confirmed. If you have accounts with any of these services, you should log in and change your password as soon as possible.

You should not change your passwords for any sites which haven’t been patched and confirmed.


Other Sites

These sites may have been compromised by the Heartbleed bug and it is not yet safe to change your passwords: Twitter, H&R Block, IRS, Box, Hulu and WordPress.

So far, no banks have reported problems from this bug… but that does not mean they are all automatically safe. Manually visit their site and look for information about this problem in their news, blog or social media accounts, or call them.


Live Updated Lists

Use these links to see the current status of different websites.

The Heartbleed Hit List: The Passwords You Need to Change Right Now

Which sites have patched the Heartbleed bug?


Proceed With Caution

Here are the three possible scenarios (from best to worst) for every website/service where HTTPS is used AND you have a login (user name and password):

1 – The site/service was not vulnerable to the Heartbleed bug. Your login credentials were never compromised and you don’t have to change your password (but you can change it if you want to).

2 – The site/service was vulnerable to the Heartbleed bug but they have since patched the OpenSSL libraries and they are now safe. Your login credentials and personal information were compromised and you should now log in and immediately change your password. Even though this information was compromised, there is no way to know whether hackers actually captured any of it.

3 – The site/service has been and continues to be vulnerable to the Heartbleed bug. Your login credentials and personal information were (and still are) compromised; however, it is NOT safe for you to log in or attempt to change your password. Even though this information was compromised, there is no way to know whether hackers actually captured any of it.


Fallout

Heartbleed Fallout: Change All Your Passwords – only on SAFE sites.


More Information

Heartbleed Detector for Android

“The Heartbleed Bug” by Codenomicon

OpenSSL Security Advisory [07 Apr 2014]: TLS heartbeat read overrun (CVE-2014-0160)

Heartbleed bug undoes Web encryption, reveals Yahoo passwords

All versions of Android are immune to this bug except Android 4.1.1, which is affected. If you have an Android phone, go to Settings > About and check your version. If you are running 4.1.1, email me.


Official Company Announcements

I will probably drop this section later.

Google Services Updated to Address OpenSSL CVE-2014-0160 (the Heartbleed bug)

http://status.twitter.com/post/82109064906/ssl-security-update


Original Article 4/9/14

Normally HTTPS is a good thing… but right now it’s not. Please avoid going to bank websites, Yahoo Mail or almost any other site that wants you to log in over HTTPS (not just HTTP). Please pay attention to the address you are loading… look for a padlock or a secure symbol. If you see one, don’t log in. Most sites that ask you to log in are using HTTPS. Avoid all of them for now.

If you want to test a website to see if it is safe (theoretically speaking), please use one of the links below – but until the company actually makes a public announcement regarding this problem (whether they were affected, whether it is fixed, etc.) you must assume it could be vulnerable and you should NOT use their site.

Test a server for Heartbleed (CVE-2014-0160)
LastPass Heartbleed Checker
Qualys SSL Server Test

If you absolutely need to log in to a certain website, you must first manually navigate to the company’s website and look for information about the Heartbleed bug, or call them, to make sure it is safe to proceed. After you have verified it is 100% safe to proceed, log in and immediately CHANGE YOUR PASSWORD.

Resources
How to protect yourself from the ‘Heartbleed’ bug
Heartbleed OpenSSL Security Issue
National Vulnerability Database Summary for CVE-2014-0160