Tuesday, April 15, 2014

Heartbleed

What is the Heartbleed Bug?

A bug is a programming error in software. This one is so significant that it got its own name, "Heartbleed". It is a flaw in OpenSSL, an encryption library used all over the internet, and is tracked as CVE-2014-0160. Many secure (HTTPS) web servers use OpenSSL to encrypt their communication with users, and Netcraft estimated that about 17% of those public servers were vulnerable. The flaw lets an attacker read chunks of the server's memory, up to 64 KB per request and repeatable at will, which can expose confidential information held by the server (including its private keys and certificates, session cookies, and users' passwords), all without leaving a trace in the server's logs.

The bug was discovered on Apr 3, 2014 and publicly announced four days later, on Apr 7, but the vulnerable code had been in OpenSSL since December 2011 and shipped in every release from 1.0.1 through 1.0.1f; version 1.0.1g, released with the announcement, fixes it.
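The memory over-read described above, modelled as an added example. This is not code from rogr.io or from OpenSSL: the simulated "process memory" arena, the secret string placed after the record, and the function names are all constructed for the demonstration. A heartbeat message carries a 1-byte type, a 2-byte payload length, the payload and at least 16 bytes of padding; the vulnerable handler trusts the peer-supplied length, the fixed one checks it against the record actually received.

```c
/* Added example: model of the Heartbleed over-read and its fix.
 * Constructed for illustration; not rogr.io's or OpenSSL's code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_HEADER_LEN   3     /* type (1) + payload length (2) */
#define HB_PADDING_LEN  16    /* minimum padding required by RFC 6520 */
#define ARENA_LEN       512   /* simulated process memory */

/* Constructed secret standing in for a key or session cookie. */
static const char SECRET[] = "session=ab12cd34; -----BEGIN RSA PRIVATE KEY-----";

/* Write a heartbeat request into out[]; returns the bytes actually written.
 * claimed_len goes on the wire and may exceed real_len (the attack). */
static size_t build_heartbeat(uint8_t *out, const uint8_t *payload,
                              size_t real_len, uint16_t claimed_len)
{
    out[0] = 1;                               /* heartbeat_request */
    out[1] = (uint8_t)(claimed_len >> 8);
    out[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(out + HB_HEADER_LEN, payload, real_len);
    memset(out + HB_HEADER_LEN + real_len, 0, HB_PADDING_LEN);
    return HB_HEADER_LEN + real_len + HB_PADDING_LEN;
}

/* Vulnerable handler (pre-1.0.1g logic): trusts the length field and copies
 * that many bytes after the header, never consulting the received length. */
static size_t handle_heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                          uint8_t *resp, size_t resp_cap)
{
    (void)rec_len;                            /* ignored: this is the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)payload > resp_cap)
        return 0;
    memcpy(resp, rec + HB_HEADER_LEN, payload);  /* reads past the record */
    return payload;
}

/* Fixed handler: 1 + 2 + payload + 16 must fit in the record received,
 * otherwise the message is silently discarded, as the OpenSSL fix does. */
static size_t handle_heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                                     uint8_t *resp, size_t resp_cap)
{
    if (rec_len < HB_HEADER_LEN + HB_PADDING_LEN)
        return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER_LEN + (size_t)payload + HB_PADDING_LEN > rec_len)
        return 0;                             /* the missing bounds check */
    if ((size_t)payload > resp_cap)
        return 0;
    memcpy(resp, rec + HB_HEADER_LEN, payload);
    return payload;
}

/* Send a 4-byte payload that claims to be 200 bytes long, with the secret
 * lying in memory right after the record. Returns 1 if the reply contains
 * the secret, 0 otherwise. */
static int heartbeat_leaks(int use_fixed)
{
    uint8_t arena[ARENA_LEN], resp[ARENA_LEN];
    memset(arena, 0, sizeof arena);
    memset(resp, 0, sizeof resp);

    size_t rec_len = build_heartbeat(arena, (const uint8_t *)"ping", 4, 200);
    memcpy(arena + rec_len, SECRET, sizeof SECRET);

    size_t n = use_fixed
        ? handle_heartbeat_fixed(arena, rec_len, resp, sizeof resp)
        : handle_heartbeat_vulnerable(arena, rec_len, resp, sizeof resp);

    size_t slen = strlen(SECRET);
    for (size_t i = 0; n >= slen && i + slen <= n; i++)
        if (memcmp(resp + i, SECRET, slen) == 0)
            return 1;
    return 0;
}

/* An honest request (length field matches the payload) still works with
 * the fixed handler: returns the number of payload bytes echoed (4). */
static size_t honest_request_echoed(void)
{
    uint8_t arena[ARENA_LEN], resp[ARENA_LEN];
    memset(arena, 0, sizeof arena);
    size_t rec_len = build_heartbeat(arena, (const uint8_t *)"ping", 4, 4);
    return handle_heartbeat_fixed(arena, rec_len, resp, sizeof resp);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", heartbeat_leaks(0));
    printf("fixed handler leaks secret:      %d\n", heartbeat_leaks(1));
    printf("honest request echoed bytes:     %zu\n", honest_request_echoed());
    return 0;
}
```

The real bug is the same missing comparison: the heartbeat code read the length out of the message and passed it to memcpy without checking it against the TLS record length, so each request could pull up to 64 KB of adjacent heap memory into the reply.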

What are the consequences?

There is a software update available (OpenSSL 1.0.1g, or a patched package from your operating system vendor) that closes the vulnerability, and many affected companies have already installed it. Nevertheless, your information on the affected servers could have been accessed by attackers for almost two years. Patching alone is not enough: because private keys could have been read from memory, a properly fixed server also revokes its old certificate, installs a new key and certificate, and invalidates existing sessions. Even after the bug has been fixed, attackers who stole your password might still have access to your account until you change it. Allegedly, the NSA has been using the exploit, and there might be others.

Is rogr.io affected?

Yes, our service used the encryption module vulnerable to Heartbleed. We closed the bug on Apr 7, 2014 and are deploying new server certificates.

What should I do?
  • Find out if the services you're using have been affected.
  • Change your passwords on the affected sites, but only after the bug has been fixed.
  • Enable 2-factor authentication wherever possible.

In which order should I change my passwords?
  • Many services rely on your email to reset passwords or authenticate information. Therefore, first re-establish secure email access in case it was compromised (e.g., Gmail).
  • After this, change your passwords on the affected sites but, as mentioned before, only after the web site in question has fixed the Heartbleed bug.
  • As a safety measure, we recommend the following two additional steps:
    • If you're already using 2-factor authentication, disable it and then enable it again. Re-enrolling generates a new shared secret for your authenticator app, replacing one that could have been read from the server's memory.
    • Enable 2-factor authentication on all web sites that offer it (e.g., Google, Facebook, Outlook.com, AWS, Tumblr).


Sources:
  1. http://heartbleed.com/
  2. http://techcrunch.com/2014/04/07/massive-security-bug-in-openssl-could-effect-a-huge-chunk-of-the-internet/
  3. http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html
  4. http://arstechnica.com/security/2014/04/private-crypto-keys-are-accessible-to-heartbleed-hackers-new-data-shows/
  5. http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
  6. http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/



Created by
rogr.io