Friday, April 18, 2014

Security Breach Affects Cell Phone Users

Recently a new cell phone security problem has appeared called Heartbleed. It has especially affected all websites that are using the SSL configuration (https:). It was disclosed on April 7, 2014, and it is estimated that at least 17%, or half a million, of supposedly secure websites are vulnerable unless they take measures to "patch" the access. Forbes cybersecurity columnist Joseph Steinberg wrote, "Some might argue that [Heartbleed] is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet." (quote source here) It is ironic that the sites that use https: are supposedly the most secure ones.
What exactly does this mean for the average user, and what can be done? It is a serious problem because your private information, including credit card numbers and passwords, is at risk from hackers. It is basically a high-level programming error, which now has a "patch protection" or a new SSL configuration that many companies have installed. However, not all have protected themselves yet. There is a test you can apply to see which ones are protected. Simply go to the testing site and type in the URL of the company you want to test. If the site is corrected, it's a good idea to change your password. However, if the site has not been patched, it's best not to use it until the situation changes. Here's the testing site: https://filippo.io/Heartbleed/
There is another aspect to this problem, and this is perhaps why it is considered to be such a threat. The hackers also have access to the SSL codes, a long string of numbers and letters that verifies the site as certified to encrypt information. Apparently this has been a problem for several years already. The outcome is that hackers are able to pretend they are the established sites. Again, many of the affected companies using OpenSSL have established new codes, but not all of them. It seems they should be required to make this change soon. What this means for users such as you and me is that we need to be extra careful of phishing, both on sites that are accessed through bookmarks and from hackers contacting us through e-mail messages.
By the way, the security company Codenomicon gave this security bug its name and contributed the logo. The name stems from the fact that there is a "missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension", according to Wikipedia. It's just part of tech-speak but an interesting name, don't you agree?
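
To make the "missing bounds check" concrete, here is a simplified heartbeat handler that can run with or without the check. It is an added illustration, not OpenSSL's code and not from the original post; the names `hb_respond` and `demo_response`, the 64-byte `memory` array and its contents are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3   /* type (1 byte) + payload_length (2 bytes) */
#define HB_PADDING  16  /* minimum padding required by RFC 6520 */

/* Echo a heartbeat request back. Returns the response length, or 0 if the
 * message is discarded. check_bounds=0 reproduces the missing check. */
size_t hb_respond(const uint8_t *msg, size_t msg_len,
                  uint8_t *out, size_t out_cap, int check_bounds)
{
    if (msg_len < HB_HEADER || msg[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];  /* sender-controlled */
    /* The bounds check: the claimed payload must fit in what was received. */
    if (check_bounds && HB_HEADER + claimed + HB_PADDING > msg_len)
        return 0;
    if (HB_HEADER + claimed > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    memcpy(out + 1, msg + 1, 2 + claimed);  /* length field + claimed payload */
    return HB_HEADER + claimed;
}

/* Constructed sample: a 20-byte request (1 payload byte + 16 padding) sits in
 * a 64-byte array next to unrelated data, standing in for process memory. */
size_t demo_response(uint16_t claimed, int check_bounds,
                     uint8_t *out, size_t out_cap)
{
    static uint8_t memory[64];
    if (claimed > sizeof memory - HB_HEADER) return 0;  /* keep demo in-array */
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (uint8_t)(claimed >> 8);
    memory[2] = (uint8_t)(claimed & 0xff);
    memory[3] = 'A';                              /* the real 1-byte payload */
    memcpy(memory + 20, "password=hunter2", 16);  /* constructed secret */
    return hb_respond(memory, 20, out, out_cap, check_bounds);
}

int main(void)
{
    uint8_t out[64];
    /* Exit 0 when the checked handler discards the oversized request. */
    return demo_response(40, 1, out, sizeof out) == 0 ? 0 : 1;
}
```

With the check enabled, a request that claims 40 payload bytes but carries only one is dropped; without it, the reply carries the neighbouring bytes, which is why patched sites also replaced their keys and asked users to change passwords.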
