Saturday, 12 April 2014

SOS Heartbleed Bug

We use https sites for financial transactions, or the website automatically switches to its secure version, with the padlock sign visible, when we sign in with our user name and password. For years we have been confident in using these secure connections, believing that the entries we make are hidden from prying eyes because they are encrypted. Then the discovery of the Heartbleed bug changed everything.

What is the Heartbleed bug?

Heartbleed is a flaw in OpenSSL, the open-source encryption library used by most websites to scramble sensitive data into an unreadable state. An example is when you log into your bank account and type in your user name and password. You might have already noticed that the site changes to https and a padlock sign appears at the top or bottom of the page. It is not only financial sites that support https connections; email and chatting on IM use them too.

During the secured connection, your computer and the website's server communicate and check whether they are still connected by sending a small packet of data (a heartbeat) that asks for a response.

The programming error in OpenSSL lets a well-disguised packet of data sent by a hacker, one that looks very similar to these heartbeats, trick the server into sending back data stored in its memory, and vice versa. This data can include user names and passwords, even credit card numbers. But the worst that can happen is when the encryption key is handed over. This is like the master key to all the encoded messages and data stored on the server and its sites.

With the encryption keys in the wrong hands, secure or encrypted data can be read outright, and with the correct credentials it is possible that any account will be compromised. Adding to the worry, the attack is untraceable. And if the affected websites and servers do not change their encryption keys, even future accounts will still be susceptible to such attacks.
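To make the programming error concrete, here is an added C simulation (not code from the original post or from OpenSSL itself) of a heartbeat handler that trusts the length a packet claims for itself, beside the bounds check the fix adds. The record layout, the `server_memory` buffer and the `SECRET` bytes are constructed for this example only.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simulated heartbeat record: [type, 1 byte][claimed payload length, 2 bytes big-endian][payload].
 * The padding a real TLS heartbeat also carries is left out of this simulation. */
#define HB_HEADER 3

/* Constructed "server memory": a short heartbeat record followed by unrelated bytes
 * that happen to sit next to it, standing in for secrets held in memory. */
static const uint8_t server_memory[] =
    "\x01\x00\x20hello"                 /* type 1, claimed length 32 (0x0020), real payload "hello" */
    "SECRET-SESSION-KEY-1234567890xyz";  /* neighbouring data that must never be echoed back */

#define RECORD_LEN (HB_HEADER + 5)       /* bytes the server actually received: header + "hello" */

/* Build the reply payload. With strict=1 the reply is refused when the claimed length does
 * not fit inside the record actually received (the check the OpenSSL fix added); with strict=0
 * it trusts the claimed length, as the flawed code did. Returns bytes copied, or 0 if refused. */
size_t heartbeat_reply(const uint8_t *record, size_t record_len,
                       uint8_t *out, size_t out_cap, int strict)
{
    if (record_len < HB_HEADER) return 0;
    size_t claimed = ((size_t)record[1] << 8) | record[2];
    if (strict && HB_HEADER + claimed > record_len) return 0; /* the fix: length must fit the record */
    if (claimed > out_cap) return 0;                          /* keeps the simulation inside its buffer */
    memcpy(out, record + HB_HEADER, claimed);
    return claimed;
}

/* Does the reply to the oversized record contain the neighbouring "SECRET" bytes? */
int reply_leaks_secret(int strict)
{
    uint8_t out[64] = {0};
    size_t n = heartbeat_reply(server_memory, RECORD_LEN, out, sizeof out, strict);
    for (size_t i = 0; i + 6 <= n; i++)
        if (memcmp(out + i, "SECRET", 6) == 0) return 1;
    return 0;
}

/* An honest heartbeat (claimed length matches the payload) is still answered after the fix. */
size_t honest_reply_len(void)
{
    const uint8_t honest[] = { 0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    uint8_t out[64];
    return heartbeat_reply(honest, sizeof honest, out, sizeof out, 1);
}
```

Without the check the reply carries bytes that were never part of the heartbeat; with it, the oversized request is simply dropped while ordinary heartbeats keep working.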

How Do You Know If You're Affected

66% of websites use OpenSSL, including major sites such as Facebook, Instagram, Tumblr, Google search, Gmail, Yahoo and Yahoo Mail, Netflix, YouTube, Amazon Web Services, Dropbox, and LastPass. So if you have accounts on these sites, you might have been affected. Banks and other sites that handle financial transactions are the most likely targets for hackers. The widespread presence of the flaw is enough to be alarmed about. A patch for the flaw is already available and has been implemented by the affected sites and servers. You can check whether a certain site is still vulnerable to the flaw by going to the site below.

How To Protect Your Account

Change Password

The best way to protect your account is to change your password. It is recommended that you do this only once the website (where your user name and password might have been compromised) has already implemented the patch. You can check this by going to the site above.

Check Your Financial Statements

As store websites are connected to your bank account or credit card company, the best way to know whether somebody has been spending your money without your knowledge is to keep a closer eye on your invoices and bank statements. Report any suspicious transaction, however small the amount.
