Big, nasty security bug Heartbleed – what to do


You know those “secure” websites, like banks and eBay, where there is a little padlock in the address bar next to the URL? Well, apparently, in 2011 somebody sneezed when they were writing the security code that most of the banks and other “secure” websites use – and a bug landed in the code.

On Monday, someone in Finland and someone else at Google spotted that there was something wrong. They found the bug and realised that it is very, very easy for anyone to get your username, password and loads of other stuff when you log in to one of these “secure” sites. Not just that, but anyone can easily get these “secure” sites to tell them the user names and passwords of people who have logged in at some time in the past.

When I say “anyone” I mean, of course, that nerd next door and anyone else who understands the techie jokes in “Big Bang Theory”.

What is happening now is that all the nerds and “Big Bang Theory” fans are just playing around, testing different “secure” sites and seeing how much info they can download. Just for a larf. I’ve seen them at it on Nerd Forums!

Luckily, most nerds are not nasty but there will be other people out there who are not doing this for a larf.

Hackers can use this information several ways. For example:

  • to impersonate you, e.g. to log in to your bank account or email account (if you have a Yahoo! email account you DO need to change your password now).
  • to impersonate a website, e.g. to pretend to be that bank or online shopping site that you love and trust.

There is a lot of lengthy technical information about this on the internet – this article is short and intelligible to mere humans like you and me: Lifehacker Heartbleed Info

Great news, isn’t it?!

  • What you DON’T want to do is go scurrying about changing all your passwords without checking first if the sites you use have updated their code. A new password typed into a site that is still leaking is just as exposed as the old one.
  • What you DO want to do is check which passwords to update now and which ones to do later, when the affected secure sites have wiped their noses and got clean hankies in their pockets.

The easy way:

Use the LastPass Security Check – this is being updated to accommodate people who do not already store their usernames and passwords with LastPass.

  • The Security Check will only show sites relevant to you and, of those, only those which are or have been affected by the Heartbleed bug. (By “you” I mean “the passwords and user names you have locked up safe and sound in your LastPass vault”. If you do not already do this, now would be a good time to start.)
  • After you run the security check, some sites might have “Wait” next to them. If so, you need to go back and keep checking using this tool until it says “Go update!”. Once a day should be quite often enough.
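To show the “Wait” / “Go update!” rule as plain logic, here is an added example of my own (not LastPass’s code and not from the original post). The site names, fix dates and password dates are all made up for illustration; the point is that a password only counts as safe to change once the site has actually applied the fix, and only counts as already safe if it was changed after that fix went in.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed "today" for the worked example; not a real check date.
TODAY = date(2014, 4, 11)


@dataclass
class SiteStatus:
    name: str
    affected: bool                  # did the site ever run the buggy code?
    patched_on: Optional[date]      # day the fix went live; None = not fixed yet
    password_changed_on: date       # when you last changed your password there


def advise(site: SiteStatus, today: date = TODAY) -> str:
    """Return one of: 'No action', 'Wait', 'Go update!', 'Done'.

    The key rule: a new password set while the site is still leaking
    is itself at risk, so we only say 'Go update!' once the fix is in
    and your current password was set before (or on) the fix date.
    """
    if not site.affected:
        return "No action"
    if site.patched_on is None or site.patched_on > today:
        return "Wait"            # still leaking: changing now would expose the new one
    if site.password_changed_on > site.patched_on:
        return "Done"            # already changed after the fix went in
    return "Go update!"          # fixed, but your password predates the fix


# Constructed sample vault; hypothetical .test domains, not real sites.
SAMPLE_SITES: List[SiteStatus] = [
    SiteStatus("example-bank.test", True, date(2014, 4, 8), date(2013, 6, 1)),
    SiteStatus("example-mail.test", True, None, date(2014, 1, 15)),
    SiteStatus("example-shop.test", False, None, date(2012, 3, 3)),
    SiteStatus("example-forum.test", True, date(2014, 4, 9), date(2014, 4, 10)),
]


def check_all(sites: List[SiteStatus] = SAMPLE_SITES, today: date = TODAY) -> Dict[str, str]:
    """Run the rule over every site in the (constructed) vault."""
    return {s.name: advise(s, today) for s in sites}


if __name__ == "__main__":
    for name, verdict in check_all().items():
        print(f"{name:22} {verdict}")
```

Re-run it each day with a later `today` and the “Wait” entries flip to “Go update!” as the fix dates arrive; a password changed on the very same day as the fix is treated as needing another change, because it may have been set before the fix was live.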

The more tedious ways:

Use a site like this one to check each site individually: http://filippo.io/Heartbleed/

That was the first site on the internet offering site security checks for Heartbleed. There are more and more just like it popping up all over the place. Be wary and only use a security checking site if you are sure it is legit.

  • You do NOT need to pay for a Heartbleed Security Check – some sites are cashing in by charging for security checks but there are plenty of free ones around.

UPDATE: The first and last pages of this reader-friendly article from Mac Observer sum it up nicely – the middle pages explain the situation in more detail: “Dealing with Heartbleed – What you need to know”


Ukulele Cosmos Back in Business!

Update: 11th Oct 2012

GOOD NEWS! UKULELE COSMOS IS BACK! :-)

The general “internet safety” advice below still holds good, wherever you roam in cyberspace . . .

Alli B, who runs the Ukulele Cosmos forum, worked hard and got the hack-attack problem on the forum in 2012 sorted out very quickly.

Every one of us can take a few simple steps to protect our computers and personal information from hackers, wherever they lurk.

I am not a computer security expert. These are my personal suggestions for the order in which to investigate and take action to protect your computer and your personal information.

Good Luck!

Lizzie


01) Firefox web browser | International versions: Get Firefox in your language

Download page for Firefox English GB version

Firefox is recognised as one of the safest, if not the safest, browsers. You can make it even safer by installing specific “add-ons” aka “extensions”.

If you do not like Firefox, have a look at Seamonkey: many Firefox add-ons work with Seamonkey.

Other safer alternatives to Internet Explorer are Google Chrome and Safari. Firefox, Seamonkey, Google Chrome and Safari all have Google Safe Browsing embedded already.

Information on: Google Safe Browsing

02) “Must Have” Security, Functionality and Performance Add-ons :: Collections :: Add-ons for Firefox

This is a collection of “basic security” Firefox Add-ons that I have put together.

Some of them help to make browsing the internet even safer. Some of them improve Firefox functionality and performance. Not all of them will work with Seamonkey – I will compile a similar collection for Seamonkey.

Note: One of the best ways to protect yourself from being ambushed by malware downloads is to use the NoScript add-on. This is available for Firefox and Seamonkey. There are similar-sounding add-ons for other browsers but they will not protect you as comprehensively as NoScript.

03) Viruses, Trojans, Malware – and other aspects of Internet Security: Apple Support Communities

Apple Support Forum – Viruses, Trojans and Malware

Mac computers do not get Mac viruses because no one has bothered to make any (there have been two reported maybe?)

However, Mac computers can get Windows viruses and Mac users might inadvertently pass them on to Windows users, eg. via emails.

Mac computers have been targeted by Trojan malware. If you want to know the difference between viruses and trojans, read the other articles in this set of links.

04) 1 in 5 Macs has malware on it. Does yours? | Naked Security

Sophos Mac Malware Study

Sophos says: “One in every five Mac computers is harbouring some kind of malware, a new study from the experts at Sophos has revealed. Sophos has revealed a disturbingly high level of malware on Mac computers – with both Windows and Mac threats being discovered.”

Sophos provides a free anti-virus app for Macs. There are others around that are as good or perhaps even better. Sophos is one that is generally highly recommended. If you don’t like it, try one of the others – do a search for “best free Mac anti-virus”.

05) Malware – Good to Know – Google

Info from Google about online safety and malware.

06) Strange pop-ups and other malware – Web Search Help

More info from Google about signs of malware.

07) How can I tell if my computer has a virus?

Info from Microsoft about malware.

08) How do I remove a computer virus?

Info from Microsoft about malware removal.

09) How to tell if your computer has the Malware Virus and what to do about it | news10 net

More info about a common type of malware.

10) How to Tell if Your Computer Is Infected by a Trojan Horse

More info about malware: trojan horses

11) StopBadware – Information for Internet Users

More info about malware – very good guidance.

12) Sucuri Blog Search Results

Info about the malware that hackers injected into the Ukulele Cosmos forum.

13) Malware Campaign | Sucuri Blog

More info about the malware that hackers injected into the Ukulele Cosmos forum.

14) Google Diagnostic (updated 11-11-2012)

A site infected with malware will usually show up with a warning next to its name in Google Search Results. Some browsers (see below) will automatically redirect you to a very obvious “warning” page if Google has detected malware on the site.

If you do not use a browser with Google Diagnostic embedded (Firefox, Seamonkey, Safari, Google Chrome) you can use the form or bookmarklet on this page to check if it is safe to visit a site:

http://grapethinking.com/google-safe-browsing-diagnostic

Unless your computer is well protected with a firewall, anti-virus scanner, etc. it is safest not to visit a site if the diagnostic page says:

“Site is listed as suspicious – visiting this web site may harm your computer.”


As I said above, I am not a computer security expert. If you have better suggestions than I have made above, please post them as comments below.

The Ukulele Cosmos Forum is a great, friendly place to visit. All best wishes to Alli and may the hackers rot in hell!