
Heartbleed Bug: What regular users need to do

Apr 10, 2014 2:33AM PDT

Varying Opinions:

Heartbleed bug: What regular users need to do

As the news of the existence of the Heartbleed bug in OpenSSL and the implications of its existence trickles down into mainstream media, users are trying to figure out what passwords to change and which software to update.

To help with this, SANS keeps a list of vendors who have already issued updates or have noted that they weren't vulnerable in the first place and, as far as I can tell, Mashable has the most thorough list of Internet services and their current status regarding bug mitigation activities and notes on whether users should proceed to change their passwords on their accounts.

If you are a Facebook, Tumblr, Google, Gmail, Yahoo, Yahoo Mail, AWS, GoDaddy, Intuit, Dropbox, LastPass, OKCupid, SoundCloud, or Wunderlist user, go change your password immediately, and make it good (long, complex and unique). This would also be a good time to start considering the use of password vault tools or services.

Continued: http://www.net-security.org/secworld.php?id=16671

* * * * * * * * * * * * * * * * *

Graham Cluley: Here's some really bad Heartbleed bug advice about changing your passwords

A lot of folks are going around at the moment telling the public to change all of their passwords in response to the serious Heartbleed internet security bug.

For instance, here's what the Tumblr website (owned by Yahoo) has told its users: [Screenshot]

The emphasis on one particular paragraph was added by me. And it's this section which I have a concern about:

This might be a good day to call in sick and take some time to change your passwords everywhere - especially your high-security services like email, file storage, and banking, which may have been compromised by this bug.

That's awful advice.

You should only change your password in response to the Heartbleed bug after a website or internet company has:

Continued: http://grahamcluley.com/2014/04/heartbleed-bug-passwords/

* * * * * * * * * * * * * * * * *

Also See:
"Heartbleed heartache" - should you REALLY change all your passwords right away?
CNET News Video: Tips to protect yourself from Heartbleed
How to protect yourself from the 'Heartbleed' bug


Carol.
Apr 10, 2014 2:38AM PDT
Thanks !!
Apr 10, 2014 3:16AM PDT

I didn't see it. Sad

As seems to be happening as of late..... I forgot to refresh the page. Otherwise, I would have added mine to yours.

Thanks again, Dafydd. It's much appreciated!
Carol

Brian Krebs: Heartbleed Bug - What Can You Do?
Apr 10, 2014 4:12AM PDT

In the wake of widespread media coverage of the Internet security debacle known as the Heartbleed bug, many readers are understandably anxious to know what they can do to protect themselves. Here's a short primer.

The Heartbleed bug concerns a security vulnerability in a component of recent versions of OpenSSL, a technology that a huge chunk of the Internet's Web sites rely upon to secure the traffic, passwords and other sensitive information transmitted to and from users and visitors.

Around the same time that this severe flaw became public knowledge, a tool was released online that allowed anyone on the Internet to force Web site servers that were running vulnerable versions of OpenSSL to dump the most recent chunk of data processed by those servers.

That chunk of data might include usernames and passwords, re-usable browser cookies, or even the site administrator's credentials. While the exploit only allows for small chunks of data to be dumped each time it is run, there is nothing to prevent attackers from replaying the attack over and over, all the while recording fresh data flowing through vulnerable servers. Indeed, I have seen firsthand data showing that some attackers have done just that; for example, compiling huge lists of credentials stolen from users logging in at various sites that remained vulnerable to this bug.

Continued: http://krebsonsecurity.com/2014/04/heartbleed-bug-what-can-you-do/

References made (Krebs and Bruce Schneier) in NYT article: Flaw Calls for Altering Passwords, Experts Say
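The Krebs excerpt above describes the effect of the bug (a server echoing back a "chunk of data" it never meant to send) without showing why it happens. The following is an added illustration, not code from the Krebs article or from OpenSSL itself: a local simulation of the TLS heartbeat message layout (type, two-byte length, payload, padding) in which the vulnerable handler trusts the length field in the header while the fixed handler applies the bounds check that the OpenSSL patch added. The "adjacent memory" bytes are constructed stand-ins; nothing here touches a network.

```python
import struct
from typing import Optional

# Constructed stand-in for whatever process memory happens to sit after the
# received record in the server's buffer (in a real process: cookies,
# credentials, key material from recently handled connections).
ADJACENT_MEMORY = b"session=abc123; user=alice; pw=hunter2; " * 2

HB_REQUEST = 1
HB_RESPONSE = 2
PADDING_LEN = 16  # a TLS heartbeat message carries at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Build a heartbeat message: type(1) | length(2) | payload | padding.

    claimed_length goes into the header independently of len(payload); the
    mismatch between the two is exactly what the vulnerable code never checked.
    """
    header = struct.pack("!BH", HB_REQUEST, claimed_length)
    return header + payload + b"\x00" * PADDING_LEN


def handle_heartbeat_vulnerable(record: bytes) -> bytes:
    """Trusts the peer-supplied length: copies `claimed` bytes starting at the
    payload, which runs past the end of the record into adjacent memory."""
    _, claimed = struct.unpack("!BH", record[:3])
    buffer = record + ADJACENT_MEMORY  # simulated over-read beyond the record
    payload = buffer[3:3 + claimed]
    return struct.pack("!BH", HB_RESPONSE, claimed) + payload + b"\x00" * PADDING_LEN


def handle_heartbeat_fixed(record: bytes) -> Optional[bytes]:
    """Applies the check the fix introduced: header + claimed payload + padding
    must fit inside the record actually received. Returns None (message
    silently dropped) when it does not, so nothing beyond the record is read."""
    if len(record) < 1 + 2 + PADDING_LEN:
        return None
    _, claimed = struct.unpack("!BH", record[:3])
    if 1 + 2 + claimed + PADDING_LEN > len(record):
        return None
    payload = record[3:3 + claimed]
    return struct.pack("!BH", HB_RESPONSE, claimed) + payload + b"\x00" * PADDING_LEN


def leaked_bytes(response: bytes, sent_payload: bytes) -> bytes:
    """Everything echoed back beyond what the client actually sent."""
    _, length = struct.unpack("!BH", response[:3])
    echoed = response[3:3 + length]
    return echoed[len(sent_payload):]


if __name__ == "__main__":
    request = build_heartbeat(b"ping", claimed_length=60)  # 4 real bytes, 60 claimed
    print("fixed handler reply:", handle_heartbeat_fixed(request))
    print("vulnerable handler leaked:", leaked_bytes(handle_heartbeat_vulnerable(request), b"ping"))
```

The point for a defender is in `handle_heartbeat_fixed`: the length in the message header is attacker-controlled input, and the only trustworthy bound is the size of the record the server actually received. The "memory" that comes back in the simulation is the constructed `ADJACENT_MEMORY` string, standing in for the usernames, passwords and cookies the excerpt describes.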

Calm down and breathe...
Apr 11, 2014 11:34AM PDT

First off, you have no idea which sites were vulnerable. Sure a lot of sites run *nix as an O/S like LastPass would like you to believe is bad, but hitting a LoadBalancer running 0.9.8X isn't. Next is windows services with static libraries using the vulnerable versions of OpenSSL are still susceptible, and I really doubt that many people even checked to see. First step like Graham Cluley states is to test the site first. If you know it's vulnerable, give them a call and let them know. PS it's not just websites, but email, SSL VPNs, etc that run OpenSSL. So if you find a service that is affected, wait till it's fixed to change the password or cancel the service if it isn't fixed. What help is it going to do if you use another password that potentially gets taken in memory and given to the next guy running a scan? I can run through a load of servers with nmap now and find the affected servers in minutes without even trying, so the bad guys can too.
As far as your bank account and really important services, I would suggest either calling to find out, or scanning and changing the password if you find it not vulnerable.
PS. Using a Password utility is always a good idea... But I'm hoping for two factor authentication like Google's Authenticator takes hold first, just a PIMA when your phone goes dead.
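The post above makes the point that the exposure depends on which OpenSSL build a service runs (a 0.9.8 load balancer is not affected, a statically linked Windows service on an affected version is). As an added example, not code from the poster or from any of the linked articles, here is a small triage function for the output of `openssl version` (or a banner that contains the same string) that classifies a build as outside the affected range, inside it, or unrecognised. The affected releases are OpenSSL 1.0.1 through 1.0.1f and the 1.0.2 betas; 1.0.1g and later are fixed, and the 0.9.8 and 1.0.0 branches never had the heartbeat code. The inventory lines are constructed; the host names are hypothetical.

```python
import re
from typing import Dict, List

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

NOT_AFFECTED = "not_affected"
AFFECTED_UNLESS_PATCHED = "affected_unless_patched"
UNKNOWN = "unknown"


def classify_openssl_version(banner: str) -> str:
    """Classify an OpenSSL version string by the Heartbleed-affected range.

    Returns AFFECTED_UNLESS_PATCHED rather than "affected" for the 1.0.1 to
    1.0.1f range because distributions backported the fix without bumping
    the version letter: the banner alone cannot prove such a build is unpatched,
    so it is a follow-up item (vendor advisory, package changelog), not a verdict.
    """
    m = VERSION_RE.search(banner)
    if not m:
        return UNKNOWN
    branch = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    letter = m.group(4)
    if branch < (1, 0, 1):
        return NOT_AFFECTED  # 0.9.8 and 1.0.0 lines predate the heartbeat code
    if branch == (1, 0, 1):
        # plain 1.0.1 and letters a..f are affected; g was the fix release
        return AFFECTED_UNLESS_PATCHED if letter <= "f" else NOT_AFFECTED
    if branch == (1, 0, 2) and re.search(r"1\.0\.2-beta", banner):
        return AFFECTED_UNLESS_PATCHED  # 1.0.2-beta1 shipped with the bug
    return NOT_AFFECTED


def triage_inventory(lines: List[str]) -> Dict[str, List[str]]:
    """Group 'hostname <openssl version output>' lines by classification."""
    groups: Dict[str, List[str]] = {NOT_AFFECTED: [], AFFECTED_UNLESS_PATCHED: [], UNKNOWN: []}
    for line in lines:
        host, _, banner = line.strip().partition(" ")
        groups[classify_openssl_version(banner)].append(host)
    return groups


# Constructed inventory (hypothetical hosts, real OpenSSL version strings).
SAMPLE_INVENTORY = [
    "lb1.example.test OpenSSL 0.9.8y 5 Feb 2013",
    "web1.example.test OpenSSL 1.0.1e 11 Feb 2013",
    "web2.example.test OpenSSL 1.0.1g 7 Apr 2014",
    "vpn1.example.test OpenSSL 1.0.2-beta1 24 Feb 2014",
    "mail1.example.test GnuTLS 3.2.1",
]

if __name__ == "__main__":
    for label, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{label}: {', '.join(hosts) or '-'}")
```

Hosts in the `affected_unless_patched` bucket are the ones to confirm with the vendor or package changelog before deciding whether a password on that service is worth rotating; the poster's advice to wait until a service is fixed before changing its password applies to exactly that bucket.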

(NT) Most banks are NOT affected
Apr 12, 2014 1:20AM PDT
Stuck using the heartbleed vulnerable OS android 4.1.1
Apr 17, 2014 1:03PM PDT

Could anyone here help me to understand what those of us can do who are stuck using the Android 4.1.1 that Google says is vulnerable to the heartbleed security problem? I am in Canada and so far have not been able to find a way that Samsung will allow me to update to a more secure OS. (The defective Android 4.1.1 OS is on a p3113 2.7 galaxy tab, which was purchased new, less than a year ago)

If the whole device is vulnerable, does it do any good to change passwords and avoid unsecured websites? Should I avoid using this device completely, or just avoid using it for anything involving a password? Or is this only a concern when it comes to sensitive financial transactions?

As most of this device's functionality involves syncing, would using synced services like gmail that are shared with other devices put information on those other devices at risk of security problems?

I am just an average older person and not technically adept. I would really appreciate some advice.
