Massive security issue for Facebook, Google and many more

Something really nasty to tell you all about. It’s not the easiest thing to put across, but it is very important, so I’ll do my best.

The ‘Heartbeat’ bug.
A gaping security hole has been discovered in something called OpenSSL. SSL (Secure Sockets Layer) is a mechanism which is used to encrypt data communication between your PC and a server. When SSL is working correctly, anyone intercepting such data would see only the encrypted version and it would be of no use to them whatsoever. The identified security hole is only in OpenSSL (there are other providers of SSL and these are not affected) and it allows the interception of unencrypted chunks of data, potentially revealing your passwords, personal, financial and login information to hackers – without leaving any trace at all. This vulnerability has gone unnoticed by the ‘good guys’ for around 2 years. It’s not known if the ‘bad guys’ have exploited this weakness during this time (but you can bet your bottom dollar they’ll be trying now!).

OpenSSL is utilised by millions of sites/accounts – including such biggies as Facebook, Instagram, Tumblr, Google, Yahoo, GoDaddy, Flickr, SoundCloud, Youtube, Barclays, Dropbox and LastPass.

So what’s to be done? Well, initially, the onus is very much on the affected vendors to update OpenSSL to the latest version. On your part, you need to make a list of every account you have, every site you log into and check if a) they use OpenSSL and b) if so, have they installed the latest ‘fixed’ version of OpenSSL. There’s a list which will give you this information for many of the most common sites at

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

If a site was using OpenSSL and have since installed the fixed version, then you need to change your password on that site as soon as possible. Don’t use any password you’ve used before (either on that particular site, or elsewhere). If, in the past, you’ve used the same password on multiple sites, then bear in mind that only one of those sites needs to have been compromised for hackers to have the password to all of them.

There’s not much point changing passwords on sites where the insecure version of OpenSSL is still being used (as your password etc would still be vulnerable) – but if you’ve used that same password on updated/unaffected sites.. then change your password on those asap.

In future, make sure you have strong, unique passwords for every logon. Consider using a password manager such as KeePass, Password Safe, LastPass, Roboform etc (which means you only have one ‘master’ password to commit to memory).

If necessary, keep a very close eye on your bank accounts etc for unauthorised activity.

I’ll leave it to others to re-post this in the most appropriate places.

Dan