Reset ALL your Passwords!
09 April 2014, 09:09 PM
#1
Scooby Regular
Thread Starter
Reset ALL your Passwords!
Several technology firms are urging people to change all their passwords after the discovery of a major security flaw.
Security advisers have given similar warnings about the Heartbleed Bug.
It follows news that a product used to safeguard data could be compromised to allow eavesdropping.
OpenSSL is a popular cryptographic library used to digitally scramble sensitive data as it passes to and from computer servers so that only the service provider and the intended recipients can make sense of it.
If an organisation employs OpenSSL, users see a padlock icon in their web browser - although this can also be triggered by rival products.
Google Security and Codenomicon - a Finnish security company - revealed on Monday that a flaw had existed in OpenSSL for more than two years that could be used to expose the secret keys that identify service providers employing the code.
They said that if attackers made copies of these keys they could steal the names and passwords of people using the services, as well as take copies of their data and set up spoof sites that would appear legitimate because they used the stolen credentials.
"Catastrophic is the right word. On the scale of one to 10, this is an 11," blogged Bruce Schneier.
The BBC understands that Google warned a select number of organisations about the issue before making it public, so they could update their equipment to a new version of OpenSSL released at the start of the week.
However, it appears that Yahoo was not included on this list and tech site Cnet has reported that some people were able to obtain usernames and passwords from the company before it was able to apply the fix.
Security advisers have given similar warnings about the Heartbleed Bug.
It follows news that a product used to safeguard data could be compromised to allow eavesdropping.
OpenSSL is a popular cryptographic library used to digitally scramble sensitive data as it passes to and from computer servers so that only the service provider and the intended recipients can make sense of it.
If an organisation employs OpenSSL, users see a padlock icon in their web browser - although this can also be triggered by rival products.
Google Security and Codenomicon - a Finnish security company - revealed on Monday that a flaw had existed in OpenSSL for more than two years that could be used to expose the secret keys that identify service providers employing the code.
They said that if attackers made copies of these keys they could steal the names and passwords of people using the services, as well as take copies of their data and set up spoof sites that would appear legitimate because they used the stolen credentials.
"Catastrophic is the right word. On the scale of one to 10, this is an 11," blogged Bruce Schneier.
The BBC understands that Google warned a select number of organisations about the issue before making it public, so they could update their equipment to a new version of OpenSSL released at the start of the week.
However, it appears that Yahoo was not included on this list and tech site Cnet has reported that some people were able to obtain usernames and passwords from the company before it was able to apply the fix.
Trending Topics
11 April 2014, 11:31 AM
#8
Scooby Regular
Here's a handy site to check if a website has been affected by the bug:
https://lastpass.com/heartbleed/
As mentioned by others, changing ALL your passwords is not necessary, unless it used to access one of the affected sites / services.
Only specific versions of openSSL are affected:
The heartbleed bug was introduced in OpenSSL 1.0.1 and is present in
1.0.1
1.0.1a
1.0.1b
1.0.1c
1.0.1d
1.0.1e
1.0.1f
The bug is not present in 1.0.1g, nor is it present in the 1.0.0 branch nor the 0.9.8 branch of OpenSSL. A lot of companies are not using affected versions of openSSL.
https://lastpass.com/heartbleed/
As mentioned by others, changing ALL your passwords is not necessary, unless it used to access one of the affected sites / services.
Only specific versions of openSSL are affected:
The heartbleed bug was introduced in OpenSSL 1.0.1 and is present in
1.0.1
1.0.1a
1.0.1b
1.0.1c
1.0.1d
1.0.1e
1.0.1f
The bug is not present in 1.0.1g, nor is it present in the 1.0.0 branch nor the 0.9.8 branch of OpenSSL. A lot of companies are not using affected versions of openSSL.
11 April 2014, 04:32 PM
#10
Scooby Regular
Unfortunately I could only watch via SkyGo as I was in the office working overtime. The Monday morning following that drubbing was great, what with the office being based in Nottingham.
Thread
Thread Starter
Forum
Replies
Last Post
alcazar
Computer & Technology Related
2
29 September 2015 07:18 PM
JackClark
Computer & Technology Related
7
17 September 2015 04:23 PM
aaron_ions
General Technical
1
17 September 2015 10:42 AM