
IMPORTANT: How the Heartbleed Bug Affects You



Independent researchers at Codenomicon and Google Security discovered a major bug embedded in SSL, a popular internet-wide encryption technology. Dubbed the Heartbleed Bug, this SSL weakness has “left [a] large amount of private keys and other secrets exposed to the internet” with “ease of exploitation” as the attackers leave no trace of their intrusion, according to Heartbleed.com, a website dedicated to answering general and technical questions about the bug. Cybersecurity group CNW stated yesterday that the bug can “easily steal server encryption keys, usernames, passwords, instant messages, personal emails, transactions, and sensitive business information.”

How does it work? The SSL standard has a heartbeat option (hence the name) that allows a computer to send a small message to check the connection. What Codenomicon and Google found is that someone could design a trick heartbeat to fool SSL into opening up secrets in a computer’s memory or RAM.

Here is Heartbleed.com’s short summary: “The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”

The researchers said servers exposed to the bug included Apache and nginx, which two-thirds of all websites run on. The vulnerability was introduced in late 2011 and was released with OpenSSL 1.0.1 on March 14, 2012. After they caught the bug several days ago, the researchers contacted the OpenSSL team, who then created a new release to address the problem before the bug was made public.

What can users do? Unfortunately, not much. The heavy hitters of the Internet like Yahoo, Google, Microsoft, and Facebook have already taken steps to implement the new SSL release. But because the weakness was out there for so long, it’s best to reset all of your passwords, as they may have been intercepted. Also, one website is designed to check the protection of whatever site you want to visit.

Perhaps Tumblr put it best in a post on its blog: "That the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit. This might be a good day to call in sick and take some time to change your passwords everywhere—especially your high-security services like email, file storage, and banking, which may have been compromised by this bug."

Story at: http://www.popularmechanics.com/technology/gadgets/tech-news/how-the-heartbleed-bug-affects-you-16679116?src=spr_TWITTER&spr_id=1457_52441044

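Added example, not part of the original post or the quoted article: the heartbeat message described above carries a length field for its payload (RFC 6520), and the fix is to discard any request whose claimed payload does not fit in the bytes actually received. The function name, constants and sample records below are constructed for illustration and are not OpenSSL's code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST     1   /* RFC 6520 heartbeat_request  */
#define HB_RESPONSE    2   /* RFC 6520 heartbeat_response */
#define HB_MIN_PADDING 16  /* RFC 6520 minimum padding    */

/* Constructed samples: type | 2-byte length | payload | zero padding */
static const uint8_t HONEST[23]    = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t OVERCLAIM[20] = {HB_REQUEST, 0x40, 0x00, 'x'}; /* claims 16384 */

/* Echo a heartbeat request into out. Returns the response length,
 * or 0 when the request must be silently discarded. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    /* Smallest valid message: type + length + minimum padding. */
    if (rec_len < 1 + 2 + HB_MIN_PADDING || rec[0] != HB_REQUEST)
        return 0;

    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The bounds check: the claimed payload plus header and padding
     * must fit in what was received. Without it the copy below would
     * read past the record into adjacent process memory. */
    size_t need = 1 + 2 + claimed + HB_MIN_PADDING;
    if (need > rec_len || need > out_cap)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);
    /* Zero padding for the demo; real stacks use random bytes. */
    memset(out + 3 + claimed, 0, HB_MIN_PADDING);
    return need;
}

int main(void)
{
    uint8_t out[64];
    printf("honest request    -> %zu byte response\n",
           hb_build_response(HONEST, sizeof HONEST, out, sizeof out));
    printf("over-claimed size -> %zu (discarded)\n",
           hb_build_response(OVERCLAIM, sizeof OVERCLAIM, out, sizeof out));
    return 0;
}
```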

I'm like screw it, why don't everyone just become information brokers, hack their way into everything on the web, try to be the first to sell the information for money, steal the information back, sell again to the next highest bidder, repeat...

Face it, there is nothing safe...as long as you have it, someone wants it, someone will get it eventually, you will start the process of rebuilding (and again)...repeat...

:dry:
