The Heartbleed bug has been announced as possibly the most serious Internet-related vulnerability to date. It’s as scary as the Y2K bug, but with one difference – it’s a real threat! More than two weeks on, don’t be fooled, the threat is still very much real.
Many have already been affected by the Heartbleed vulnerability. Whether it’s website owners or users, account compromises and data breaches have taken place on a daily basis since the vulnerability was first publicized in the mainstream media.
Here is just a short list of some examples of major businesses that have had their security breached through the Heartbleed bug. The first two are direct examples of their users’ data being compromised, while the third is a bit scarier as it’s on a much larger scale and the damage is yet to be seen.
Canada Revenue Agency
Many Heartbleed-vulnerable websites will receive a lot of bad press, but most won’t leave a bad taste in your mouth – but it’s hard to say the same when you’re dealing with a government website. Sadly, the Canada Revenue Agency website was vulnerable to the Heartbleed bug. This vulnerability was even exploited by a hacker, who was quickly arrested after stealing roughly 900 different Social Insurance Numbers, which are the Canadian equivalent of the American Social Security Number.
Yahoo Service Users
Yahoo was one of the first major websites recognized for being vulnerable to the Heartbleed bug. In fact, we recently reported about Yahoo email accounts getting compromised as a result of the exploit.
In this case, a security researcher simply took it upon himself to test out the exploitability of Yahoo. He made a basic server request and then ended up with a healthy-sized cache containing unencrypted credentials of some Yahoo email accounts. That’s right, passwords in plain text!
While Yahoo has since protected their services from the Heartbleed bug, there is no guarantee that you have not been affected through this exploit. As a result, it is a good idea to change the passwords and security info for any accounts that are either connected to your Yahoo account or that share the same information as your Yahoo account.
Android Devices Running Jelly Bean (4.1.1)
Most Android operating systems are safe from the Heartbleed bug. However, the Jelly Bean (4.1.1) version of Android’s operating system is not. This is said to affect upwards of 10 percent of all active Android devices. Many news websites are reporting that the number of affected devices is somewhere in the range of 50 million!
If your smartphone or tablet is running this version, your best bet is to update to a newer one. Google is working on a patch to release, but there is no ETA at this time.
You can also use the Heartbleed Security Scanner app to see if your Android device is currently vulnerable to the Heartbleed bug.
How to Secure Yourself from the Heartbleed Bug
The Heartbleed bug is a vulnerability that affected certain OpenSSL versions, which means that many websites and devices were vulnerable without knowing it. Some were even vulnerable for about two years. The mainstream focus on the Heartbleed bug in recent weeks has helped the entire Web work towards remedying the problem, but not every website and device is protected yet.
There’s not a lot you can do along the lines of protecting someone else’s website. You can take advantage of a website checker before entering any sensitive data to make sure that any websites you use are not vulnerable. Of course, this will only go so far… what about the websites that you used before, especially if they were vulnerable to the bug?
The safest solution available is to simply undergo a complete security info change. Don’t make a partial effort, just change all your login credentials. Even if a password seems safe as it’s on a non-vulnerable website, you may have the same password used on a vulnerable account – this account may also have been breached already, which could give the hacker access to other information that will potentially gain them access to the otherwise ‘secure’ account.
Further, there are services that seem to check your email address by comparing it to data leak lists to see if your email account has been compromised. PwnedList.com is an example of this type of service. While it is interesting and great to use as a one-off to see if any past issues, such as the Adobe database leak, have affected your email account, it is definitely not the right solution to the Heartbleed bug – you want to stop the damage before it happens, not deal with the repercussions after the fact.
An even scarier note is that it is not just affecting websites, smartphones, and tablets, but even other devices like routers – Cisco and Juniper routers were both claimed to be vulnerable to the Heartbleed bug. This opens the door to a question: whether for lack of discovery or to reduce security risks, what else may be, or may have been, vulnerable to the Heartbleed bug that has not already been covered in the media?
The Heartbleed bug is sweeping the world and many expert security researchers are still in the process of identifying the specifics of the exploit and the websites and devices that have been affected. At this time, all you can do is aim to protect yourself to the best of your ability – but make sure to keep up with the latest news as there will surely be new developments that will surface in the next couple of weeks.