heartbleed-bug

The NSA Knew Of HeartBleed Bug For Two Years And Used It To Spy On The Internet

The NSA knew about the Internet security bug Heartbleed and regularly used it to gather intelligence for at least two years, anonymous sources told Bloomberg.

If the report is true — both the White House and the NSA say it’s not — the NSA could have collected information like passwords and private communications from hundreds of thousands of websites, since Heartbleed is a bug in the popular open-source encryption software OpenSSL, used to secure data flowing from users’ computers to hundreds of thousands of websites, including Gmail and Facebook.

Almost two-thirds of all sites on the Internet use OpenSSL, according to estimates, making this bug possibly one of the most dangerous the Internet has ever seen and potentially allowing the NSA to access information on millions of users.

Matthew Prince, the CEO of security firm Cloudflare, tweeted that it’s “hard as a tech company today to not feel like we’re at war with our own government.”

Despite the outrage, this revelation doesn’t come as a complete surprise for many. Over the past few days, some have already speculated whether the NSA used Heartbleed to breach SSL, since documents leaked by Edward Snowden revealed the spy agency has been trying to breach it for years.

“It would not at all surprise me if the NSA had discovered this long before the rest of us had,” Matt Blaze, a cryptographer and computer security professor at the University of Pennsylvania, told Wired. “It’s certainly something that the NSA would find extremely useful in their arsenal.”


Hey, guys, here’s a list of the major websites that were impacted by the Heartbleed bug and what their current status is (this was created only a few hours ago so it’s up-to-date). Thankfully, the most important site of all (meaning, the site that would really fuck you over if it was hacked into), PayPal, was never vulnerable in the first place, so if you use PayPal, your credit card and bank account information has always been safe.

mashable.com
The Heartbleed Hit List: The Passwords You Need to Change Right Now

A look at which companies have issued a security patch to fix the Heartbleed bug.

Hey friends, I know this might seem like a huge pain in the ass, but you gotta change your passwords. This is one of the biggest internet security flaws in history and your personal data including your credit card info could be compromised. I had to change my Tumblr password TWICE today because of suspicious activity. This isn’t a joke. Before changing your passwords, make sure to check the above linked list on Mashable and make sure that the flaw has been patched on that specific site AND THEN change your password. Also, if you have Gmail or are using Gmail for business, it’s a good idea to set up 2-step verification just to be extra safe.

The Heartbleed Bug Master Post

Why did Tumblr give you the friendly reminder when you logged in? There has been a bug spreading over the internet as of yesterday, and it has been the worst one of them all. The Heartbleed Bug can hack accounts from all users of a site. Some that have just been hacked are Yahoo and NASA. To help you survive in one of these risky situations, #TopDoge is here to help! To be more aware, click on the links in this master post to stay safe in times like these. Stay Safe AND CHANGE YOUR PASSWORDS AS SOON AS POSSIBLE.

(SECOND UPDATE)

Heartbleed Bug: Which Passwords to Change

I work for a large organization and the IT department just sent out this notice about the Heartbleed Bug:

Websites are racing to patch the Heartbleed bug, the worst security hole the Internet has ever seen. As sites fix the bug on their end, it’s time for you to change your passwords. The Heartbleed bug allowed information leaks from a key safety feature that is supposed to keep your online communication private – email, banking, shopping, and passwords.

Don’t change all your passwords yet, though. If a company hasn’t yet updated its site, you still can’t connect safely. A new password would be compromised too.

Many companies are not informing their customers of the danger – or asking them to update their log-in credentials. So, here’s a handy password list. It’ll be updated as companies respond to CNN’s questions.

Change these passwords now (they were patched)

Google, YouTube and Gmail

Facebook

Yahoo, Yahoo Mail, Tumblr, Flickr

OKCupid

Wikipedia

Don’t worry about these (they don’t use the affected software, or ran a different version)

Amazon

AOL and Mapquest

Bank of America

Capital One bank

Charles Schwab

Chase bank

Citibank

E*Trade

Fidelity

HSBC bank

LinkedIn

Microsoft, Hotmail and Outlook

PayPal

PNC bank

Scottrade

TD Ameritrade

Twitter

U.S. Bank

Vanguard

Wells Fargo

Don’t change these passwords yet (still unclear, no response)

American Express

Apple, iCloud and iTunes

Healthcare.gov

So Instagram’s having its downtime at this moment and I have this feeling that it’s related to the OpenSSL controversy or the so-called Heartbleed bug. I am fond of reading articles; thanks to that habit, I am well-informed, and I read the news about this encryption flaw. I’ve been reading articles concerning this for almost 3 nights now and I thought it was just a threat until tonight, when some bloggers posted their reactions about Instagram’s misbehavior and I was cringing in horror because it’s true.

There’s no article/statement published yet telling what’s happening with IG now and I can’t wait to read ‘em. I’m panicking! Ohmygod! What if the exploiters target Tumblr next? Twitter? Facebook? YouTube? Especially Yahoo, which serves as an interconnection of every social networking site we have? And other OpenSSL-based sites? Ugh, let’s pray for it not to happen. So yeah, while waiting for further news, I think we should all read this and be aware of what’s happening. Please be guided accordingly! It’s for everyone’s safety.

Click and read this article.

on tumblr password security, relevant to the spamming threats.

There’s a post going around talking about how certain spamming groups are getting tumblr user passwords because “tumblr’s security sucks.”

It does.  By default.

What they SHOULD probably do is make ssl the default, but the truth is, many social media systems do not.  But, there’s good news!  YOU can enable it on your own account!

1) go to the gear at the top of this screen.  Click on it.

2) on the new page, go to the right menu and click on Account.

3) in the Security section, switch the toggle for Enable SSL Security ON.

This is all it takes to start browsing Tumblr behind an encrypted SSL.  BUT, Tumblr also provides added security measures should you choose to use it, which after the Heartbleed bug a few months back, became a commonly-provided option for security.  It’s called two-factor authentication, and it tethers your device to a phone number.

To enable two-factor authentication:

1) follow steps 1-3 above, then toggle Two-factor authentication to ON.

2) provide your mobile phone number where requested.  Click Enable (or save or whatever…it should be pretty obvious)

3) enter the code texted to your mobile phone in the required blank.  Click save or enable or whatever it prompts you to do next.

Read this FAQ about Tumblr security if you need more information.

One more thing I would recommend, frankly, is that you disconnect tumblr from any apps that promised you free smileys.  To check what you’ve connected your account to, go to the right pane and click on Apps.  If there are any applications connected to your account that are not legitimate applications from legitimate publishers, I’d suggest you remove them for now.

Oh, and on a final note, make your password HARD TO HACK.  Make it whatever you want, but the trick here is if you’re not going to make it complicated with lots of special characters, AT LEAST MAKE IT REALLY REALLY LONG.  Like, over 26 characters long.

That’s all I’ve got.  Good luck.

Change Your Passwords ASAP

Some have heard of this, some may have not. But there’s a recent issue that is harming a lot of people right now, and you can be one of them.

The Heartbleed Bug is sharing your username and password to sites like Facebook, Gmail, YouTube, Yahoo, and even Tumblr! And that’s not all of the list of sites that are affected. Even Netflix!

CNET has given a list of other sites you can take a look and see if you are in need of changing your password (scroll to the bottom, and see if actions are necessary for the website).

Please do this - I’ve been exposed with my account before (Yahoo) and it is very frustrating to lose your profile to someone else. It really is.

Let others know about this if you can.  

For those of you who’re (rightly!) concerned about the Heartbleed bug and how (or whether) it affects sites other than Yahoo, Tumblr, Flickr and imgur: here’s a recently-done scan of sites that were found earlier this week to be vulnerable to Heartbleed, and may or may not have been patched.

If you have a login at one of these sites, go and find out if their server’s been patched to fix the vulnerability: and if it has, change your password. There’s no proof that anyone has so far scraped these sites for your signin data… but there’s no way to get any proof: that’s unfortunately the nature of this particular beast. 

Please don’t wait too long before taking action. The estimate right now is that about 66% of all websites’ servers had this vulnerability, and it’s going to take a while to make them all safe. Meantime people need to be proactive about their online security.