
Heartbleed
The first issue to arise, and one that could affect almost everyone, is called ‘CVE-2014-0160’, otherwise known as the ‘Heartbleed bug’. This is linked to a flaw in the security software (OpenSSL) that is used to create a secure link between your computer and a website where you have entered a user ID and password, and may have stored personal information, such as credit card or bank account details. Hundreds of thousands of websites use this software to create the ‘s’ (meaning ‘secure’) in ‘https://’, the part of the web address that you see when you are purchasing something online, for example. Whilst most banks and very large commercial sites like amazon.com are not at risk, because they have their own proprietary security software, many popular social sites, commerce sites, hobby sites, and even some sites run by governments, use OpenSSL both to identify themselves to you and to protect your privacy and transactions. Now it appears that hackers can, and in some cases have, exploited that vulnerability to steal personal information from some of these organisations. Most of these sites will have already updated their systems with a patch to close this vulnerability; however, you are strongly recommended to check websites that have your ID and password, and look for any announcements on the site about ‘Heartbleed’. Sites should tell you if they use OpenSSL, and if they do, whether you need to change your password or not.
One of the main problems is that many users re-use the same one or two passwords for everything, from Facebook accounts to bank accounts, from amazon.co.jp to their Apple ID. If hackers can access one set of personal details from one vulnerable site, the danger is that they can then guess your login name (often an email address) and use the password they have uncovered to access any of your other accounts. Since it is a sensible practice to change your passwords from time to time anyway, this would be a very good time to change them all again. As the security expert pointed out, this is not an obscure or run-of-the-mill problem; it is a major one due to the ubiquity of OpenSSL.
More information about ‘Heartbleed’ can be found here, a BBC news page that has a good summary of what you need to know, and need to do:
http://www.bbc.com/news/technology-26969629
and here, a website set up specifically to inform both users and systems administrators about the bug:
http://heartbleed.com

Internet Explorer
Microsoft recently issued a security warning to anyone using the Internet Explorer web browser (specifically IE versions 6 through 11, which are the most common versions in use). The vulnerability could allow hackers to take full control of a computer using the browser, and is serious enough that the recommendation was to stop using Internet Explorer until an update is available to fix the problem. Users have been advised to use an alternative web browser (Chrome, Firefox or Safari) until Microsoft issues a patch for the vulnerability. If you have a PC at home with Internet Explorer installed, then you should check for updates from Microsoft regularly (Windows Update is a programme that usually appears under your Start/All Programs menu), or turn on automatic updates so that the patch is installed as soon as it becomes available.
Information on how to enable automatic updates on your computer at home can be found here:
http://support.microsoft.com/kb/306525
Specific information for anyone interested in finding out more about the vulnerability is available here:
https://technet.microsoft.com/library/security/ms13-080