FileHippo News


‘Heartbleed’ Bug: ‘Change ALL Of Your Passwords’ Warn Security Experts

Do you listen to sound advice? Is there too much vulnerability on the Internet?  What happens when you get a potentially dangerous issue and don’t listen to what people say?  Let me just say that there will be consequences for sticking your head in the sand, so to speak.  Leading security experts are advising the general public to change their passwords in the aftermath of the Heartbleed bug, found at the very core of the Internet.  If I were you, I would sit up and listen to that advice.

The advice is a sweeping one: ALL of your passwords should be changed. And yes, that includes your online banking accounts, your email accounts, your social networks and anywhere you have bought anything online.


The Heartbleed security bug affects a widely used piece of software known as OpenSSL, which is used to encrypt communications on the Internet. You will have relied on OpenSSL nearly every time you have visited a website. You know it is there because of the little padlock image in the corner of your browser window, indicating that the connection to the website is ‘secure’.

Unfortunately, a team of three security researchers has found a fatal flaw at the core of some versions of OpenSSL, one that could have let hackers steal passwords and other personal data without leaving a trace, for up to two years.

While the software flaw has been fixed and the fix is being rolled out by companies worldwide, it comes too late if hackers have been monitoring your communications at any point in the last two years.

In the last few days it has become substantially easier for anyone to exploit the flaw, security company NCC Group has warned. “The level of knowledge now needed to exploit this vulnerability is substantially less than it was 36 hours ago… Someone with a moderate level of technical skills running their own scripts – the Raspberry Pi generation – would probably be able to launch attacks successfully and gain sensitive information,” the firm told the BBC.

Meanwhile, the blogging platform Tumblr has advised users to change all of their passwords, and not just for its own site.

They said in a statement, “Bad news. A major vulnerability, known as ‘Heartbleed,’ has been disclosed for the technology that powers encryption across the majority of the Internet. That includes Tumblr. We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue. But this still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit. This might be a good day to call in sick and take some time to change your passwords everywhere—especially your high-security services like email, file storage, and banking, which may have been compromised by this bug.”

A security researcher at Google and three researchers from Codenomicon discovered the bug. Worryingly, the vulnerability has existed since at least December 2011, though it is unclear if hackers have used it. The team of researchers who found it add that there is a “bright side” to their discovery: “For those service providers who are affected this is a good opportunity to upgrade security strength of the secret keys used. A lot of software gets updates which otherwise would have not been urgent. Although this is painful for the security community, we can rest assured that infrastructure of the cyber criminals and their secrets have been exposed as well.”

OpenSSL released the following statement along with the patch: “A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1. Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley and Bodo Moeller for preparing the fix.”
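To make the phrase “missing bounds check” in that statement concrete, here is an added illustration written for this page; it is not the article’s code and not OpenSSL’s own source. It models a heartbeat message in the shape RFC 6520 defines (type, two-byte declared payload length, payload, padding) and puts two handlers side by side: one that trusts the declared length, and one that applies the kind of check the fix introduced, rejecting a record whose declared length exceeds what was actually received. The memory arena, the planted “secret” left over from an earlier request, and the function names are all constructed for the demo.

```c
/*
 * Constructed demo of the heartbeat bounds check (not OpenSSL source).
 * Record layout (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(16)
 */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define HB_HDR     3
#define HB_PADDING 16
#define ARENA_SIZE 256

/* Constructed stand-in for process memory: the incoming record is placed at the
 * front, and data from an earlier request is still sitting a little further on. */
static unsigned char arena[ARENA_SIZE];

/* Build a heartbeat record whose header *declares* declared_len bytes of payload
 * while only actual_len bytes are really present. Returns the true record length. */
static size_t build_heartbeat(unsigned char *buf, uint16_t declared_len,
                              const char *payload, size_t actual_len)
{
    buf[0] = 1;                                   /* heartbeat_request */
    buf[1] = (unsigned char)(declared_len >> 8);
    buf[2] = (unsigned char)(declared_len & 0xff);
    memcpy(buf + HB_HDR, payload, actual_len);
    memset(buf + HB_HDR + actual_len, 0, HB_PADDING);
    return HB_HDR + actual_len + HB_PADDING;
}

/* Vulnerable handler: copies as many bytes as the header declares and never
 * compares that figure with the record length it was actually handed. In this
 * demo the read stays inside the arena, so the program itself is well-defined,
 * but the reply carries bytes that lie well beyond the record. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                /* the bug: rec_len is ignored */
    uint16_t declared = (uint16_t)((rec[1] << 8) | rec[2]);
    if (declared > out_cap) declared = (uint16_t)out_cap;   /* guards out only, not rec */
    memcpy(out, rec + HB_HDR, declared);
    return declared;
}

/* Fixed handler: header + declared payload + padding must fit inside the bytes
 * actually received; otherwise the record is silently discarded (returns 0). */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HDR) return 0;
    uint16_t declared = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR + declared + HB_PADDING > rec_len) return 0;  /* the added check */
    if (declared > out_cap) return 0;
    memcpy(out, rec + HB_HDR, declared);
    return declared;
}

static int contains(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Stage the arena: a record that declares 200 bytes but carries 2, followed
 * (8 bytes later) by a constructed secret. Returns the true record length. */
static size_t setup_arena(void)
{
    static const char secret[] = "SESSION-COOKIE=constructed-secret";   /* constructed */
    memset(arena, 0, sizeof arena);
    size_t rec_len = build_heartbeat(arena, 200, "hi", 2);
    memcpy(arena + rec_len + 8, secret, sizeof secret);
    return rec_len;
}

/* 1 if the vulnerable handler's reply contains the planted secret. */
int demo_vulnerable_leaks_secret(void)
{
    unsigned char reply[ARENA_SIZE];
    size_t rec_len = setup_arena();
    size_t n = heartbeat_vulnerable(arena, rec_len, reply, sizeof reply);
    return contains(reply, n, "SESSION-COOKIE=");
}

/* Bytes the fixed handler echoes for the same malformed record (expected 0). */
size_t demo_fixed_reply_len_malformed(void)
{
    unsigned char reply[ARENA_SIZE];
    size_t rec_len = setup_arena();
    return heartbeat_fixed(arena, rec_len, reply, sizeof reply);
}

/* Bytes the fixed handler echoes for an honest record (declared == actual). */
size_t demo_fixed_reply_len_valid(void)
{
    unsigned char rec[64], reply[64];
    size_t rec_len = build_heartbeat(rec, 2, "hi", 2);
    return heartbeat_fixed(rec, rec_len, reply, sizeof reply);
}

int main(void)
{
    printf("vulnerable handler leaked secret: %d\n", demo_vulnerable_leaks_secret());
    printf("fixed handler, malformed record: %zu bytes\n", demo_fixed_reply_len_malformed());
    printf("fixed handler, valid record:     %zu bytes\n", demo_fixed_reply_len_valid());
    return 0;
}
```

The only difference between the two handlers is the single comparison of the declared length against the length actually received, which is why a missing check in a few lines of code could expose memory to any peer that asked. Detection-wise, the vulnerable behaviour has a recognisable signature on the wire: heartbeat responses noticeably larger than the request that prompted them.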

As always, if you would like to leave a sensible comment, then please do so in the comments section below.

[Image via cultofmac]