Time to change your passwords

Bramblethorn

Sleep-deprived
Joined
Feb 16, 2012
Posts
16,660
For those who haven't already seen, there's a hideous bug in one of the common implementations of SSL (used to keep your web traffic secure... when it works). The bug was present in code for a couple of years. It's unknown whether any of the Bad Guys were aware of this before it was publicly announced, but they certainly know now and you can bet they're scrambling to take advantage of it.

I'm not an IT security pro, but there's a good summary of the issue here.

For those who aren't running websites themselves, some things to do:

Use this tool to check the security of any website that has confidential information of yours. If they're vulnerable, nag them to fix it ASAP. (NB: in some jurisdictions it may be illegal to use tools to test for vulnerabilities, because lawmakers are idiots.)

NB: The tool above only checks whether they're currently using a vulnerable version of SSL. If they have updated but were previously vulnerable, it's possible that their security certificates were compromised; if this is the case they'll need to update certificates. (You should be able to check the issue data of a certificate via your browser; here's how to do it in Firefox and IE.)

If you're using Chrome, make sure your preferences are set to check for revoked certificates (see first link above for instructions). Unfortunately this is off by default in Chrome; I think FF and IE have it on by default.

Once the site and certificates check out OK and NOT before, change your passwords. Until then, avoid transmitting anything you want to keep secret.

Keep an eye out for any signs of unauthorised activity on bank accounts etc.

Watch out for phishing scams: you may well get emails saying "your password has been compromised, click here to reset it". Don't fall for it. Type in the website address yourself.

Be very nice to anybody you know who is in IT security; they're having a bad week.

(And if I have any of this info wrong, please correct me!)
 
Last edited:
This may explain why my FTP access was shutdown for my websites. My provider said they were working on the problem and they would inform me when it was back up, but they didn't mention the heartbeat problem. I'll have to ask now.
 
For the computer illiterate people like me in the world, I have no clue what any of that means or what I'm supposed to do, if anything. :confused:

I know, I know. I should learn more about this stuff. And I am trying.
 
For the computer illiterate people like me in the world, I have no clue what any of that means or what I'm supposed to do, if anything. :confused:

I know, I know. I should learn more about this stuff. And I am trying.

Yeah, it's not a simple issue :-/ OK, I'll see if I can make this more user-friendly.

Step 1: make a list of websites where you send confidential information. The main risk here is financial stuff: web banking, utility companies, etc etc.

Ideally, all these companies should be contacting YOU and telling you whether they're vulnerable and what you need to do about it. But most of them probably won't, so...

Step 2: go to this website and paste in the URLs for each of those confidential websites. By now, they should have patched the SSL vulnerability, and you should get an "all good" message.

If you get a "something went wrong" message it probably still means they've patched. But if you get a red warning message, you should avoid giving them confidential information (don't log in until the problem is fixed - use phone banking etc) and you probably want to call them up and nag them to fix it.

Step 3: once you've confirmed that they're patched (or getting a "something went wrong", probably good enough) wait a couple of days and then change your password for that site. Do this for every site on your list. If you have some spare time on the weekend, set aside half an hour or so for password changes.

(If you have the know-how, this is where you'd be checking SSL certificates. But by the weekend, most companies who are going to fix up their certificates will have done so.)

Step 4: keep an eye on bank/credit card statements and watch out for anything suspicious, especially over the next couple of months.

Step 5: Be very wary of any email you get that reads like this:

"This is **** Bank alerting you that your account has been compromised by the Heartbleed bug. Please click on this link to update your details and change your password."

If you get a message like that, it may well be a "phishing" attempt - somebody trying to steer you to a fake website and get you to give them your password. Don't click on links in emails like this.
 
Thanks, I'll follow through.

I spent the last four hours ridding the laptop of . . . something . . . I picked up searching for a PowerPoint template from a site I've used before.

So my brain is fried. :eek:
 
Thanks, I'll follow through.

I spent the last four hours ridding the laptop of . . . something . . . I picked up searching for a PowerPoint template from a site I've used before.

So my brain is fried. :eek:

It wasn't the fake Windows Defender, was it?

Because I had a prompt come up trying to fool me into clicking it today, and it was on a site I'm on almost daily, which I consider beyond reproach.

Fortunately, I knew not to touch it. Closed it with task manager, and came up with clean scans afterwards.
 
It wasn't the fake Windows Defender, was it?

Because I had a prompt come up trying to fool me into clicking it today, and it was on a site I'm on almost daily, which I consider beyond reproach.

Fortunately, I knew not to touch it. Closed it with task manager, and came up with clean scans afterwards.

Nope, I know not to touch those. It was called MySearchDial . . .
 
Still makes me wonder if one of the major ad servers didn't get hacked, even though it wasn't the same malware. That's a logical place to look when otherwise safe sites suddenly have nasties.
 
Still makes me wonder if one of the major ad servers didn't get hacked, even though it wasn't the same malware. That's a logical place to look when otherwise safe sites suddenly have nasties.

I try to be careful of where I go but it happens. I lost my PC to a trojan last year.
 
Back
Top