
Heartbleed - Consumer Threat Alert Update



http://www.youtube.com/watch?feature=player_detailpage&list=PLSKUhDnoJjYn0TV9V84C4Wr2DjKPc492c&v=8oI_laHhGjE

 

Check out the above link on YouTube.

This is the notification I received giving a link to a site that has a list of known/possible affected services:-

 

Recently, a major security vulnerability named "Heartbleed" has made headlines around the world. This is a severe vulnerability stemming from a coding mistake in a widely-used security utility called OpenSSL.

The bug affects the encryption technology designed to protect your sensitive data on the Internet, like usernames, passwords and emails.

This is a flaw in the OpenSSL encryption code, not a virus that can be stopped by McAfee or other consumer security software. Because this vulnerability takes advantage of servers, and not consumer devices, businesses need to update to the latest version of OpenSSL to mitigate and address the dangers posed.

The severity of the Heartbleed vulnerability cannot be overstated: several major enterprises use OpenSSL, and are likely affected by this vulnerability as well. The dangers posed by this vulnerability are very real and could affect you if exploited.

So what do you need to do?

  • Right now, the best thing you can do is wait to be notified about affected services and patches or you can investigate this list provided by Mashable that has some well known brands listed.
  • If you'd like to investigate whether or not a website you frequent has been affected, you can use this tool.
  • Reset your password for every online service affected by Heartbleed. But beware: you should only change your password after the afflicted business has fixed its servers to remove the Heartbleed vulnerability. Changing your passwords before a company's servers are updated will not protect your credentials from being leaked.

The server for this website was recently patched... and all related company ones.  Rotating passwords is always a good idea, but few people ever bother.

 

You should focus on the sites where you use https: (the lock thing on your browser), and where cash is involved.  The sheer scale of this is actually a bit reassuring, because criminals have so many potential targets the chances of an individual being victimised are small.  And, if you are a Mac user, you've had no https: security for ages anyway (see my bit in the Computing forum), and only thought you had.

 

It always pays to be paranoid though.  So if you even have to think is this really necessary - just do it anyway! :)
