Many websites using SSL/TLS encryption were exposed to a major security bug called Heartbleed.
The Heartbleed bug is a flaw in the OpenSSL library that many web servers, including those running Apache and Nginx, rely on for SSL/TLS. It lets an attacker read memory from an affected server, which can expose private information held by websites, applications, web email and even instant-messaging services.
According to this GitHub list, many websites, including Yahoo, were vulnerable to this security bug.
Most of the websites that were vulnerable have already applied the security patch to their servers, and they are asking users to change their passwords. Note that you should change your password only after a site confirms that the patch has been applied; a password changed before the fix is in place can be stolen just like the old one.
Despite speculation that the Heartbleed flaw was deliberately created by government agencies to spy, German programmer Dr Robin Seggelmann has now come forward and confessed to causing the problem. He admitted the mistake itself was ‘trivial’, but added that its effect is ‘clearly severe’. The code was added on New Year’s Eve in 2011 and no-one spotted the mistake until earlier this month.
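The "trivial" mistake and its "severe" effect, as a simplified added example (not OpenSSL's code and not from the original article): a heartbeat handler that trusts the length the peer claims for its payload and echoes that many bytes back, beside the bounds-checked form. The message layout, the 16-byte padding minimum and the "session-cookie" data are constructed for the illustration. The vulnerable handler reads past the 7-byte request into stale buffer contents and returns them; the fixed handler discards the request, while still answering a well-formed one.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a TLS heartbeat record body (an illustration, not
 * OpenSSL's code):
 *   byte 0     : message type (1 = request, 2 = response)
 *   bytes 1..2 : payload length, big-endian, chosen by the peer
 *   bytes 3..  : payload, followed by at least 16 bytes of padding
 */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HDR_LEN = 3, HB_MIN_PADDING = 16 };

static unsigned u16be(const unsigned char *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Shared response builder: echoes payload_len bytes of the request back.
 * Returns the response length. Padding is zeroed here; real implementations
 * use random bytes. */
static int hb_build_response(const unsigned char *rec, unsigned payload_len,
                             unsigned char *out, size_t out_cap)
{
    size_t resp_len = HB_HDR_LEN + (size_t)payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, payload_len);
    memset(out + HB_HDR_LEN + payload_len, 0, HB_MIN_PADDING);
    return (int)resp_len;
}

/* Vulnerable pattern: the peer's claimed payload length is trusted and never
 * compared with rec_len, the number of bytes that actually arrived. The memcpy
 * in hb_build_response then reads past the record into whatever follows it. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HDR_LEN || rec[0] != HB_REQUEST) return -1;
    return hb_build_response(rec, u16be(rec + 1), out, out_cap);
}

/* Fixed pattern: a record that is too short, or whose claimed payload length
 * does not fit inside the bytes actually received, is discarded. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HDR_LEN + HB_MIN_PADDING || rec[0] != HB_REQUEST) return -1;
    unsigned payload_len = u16be(rec + 1);
    if (HB_HDR_LEN + (size_t)payload_len + HB_MIN_PADDING > rec_len) return -1;
    return hb_build_response(rec, payload_len, out, out_cap);
}

/* Constructed scenario: a 7-byte request ("ping", no padding) that claims a
 * 40-byte payload, sitting at the front of a 64-byte buffer whose remaining
 * bytes hold leftover data from an earlier record (here a fake cookie).
 * Returns 1 if the response echoes the cookie, 0 if not, -1 if rejected. */
int heartbeat_leaks_secret(int use_fixed)
{
    static const char secret[] = "session-cookie=constructed";
    const size_t secret_len = sizeof secret - 1;
    unsigned char buf[64], out[128];
    memset(buf, 'X', sizeof buf);
    buf[0] = HB_REQUEST;
    buf[1] = 0; buf[2] = 40;               /* claims 40 bytes of payload   */
    memcpy(buf + HB_HDR_LEN, "ping", 4);   /* only 4 bytes really sent     */
    memcpy(buf + 16, secret, secret_len);  /* stale data after the record  */
    size_t rec_len = HB_HDR_LEN + 4;

    int n = use_fixed ? heartbeat_fixed(buf, rec_len, out, sizeof out)
                      : heartbeat_vulnerable(buf, rec_len, out, sizeof out);
    if (n < 0) return -1;
    for (size_t i = 0; i + secret_len <= (size_t)n; i++)
        if (memcmp(out + i, secret, secret_len) == 0) return 1;
    return 0;
}

/* Well-formed request (4-byte payload plus 16 bytes of padding): both handlers
 * must accept it and answer with a 23-byte response. */
int heartbeat_valid_roundtrip(int use_fixed)
{
    unsigned char rec[HB_HDR_LEN + 4 + HB_MIN_PADDING] = { HB_REQUEST, 0, 4, 'p', 'i', 'n', 'g' };
    unsigned char out[64];
    return use_fixed ? heartbeat_fixed(rec, sizeof rec, out, sizeof out)
                     : heartbeat_vulnerable(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaks cookie: %d\n", heartbeat_leaks_secret(0));
    printf("fixed handler result:            %d\n", heartbeat_leaks_secret(1));
    printf("valid request, fixed handler:    %d bytes\n", heartbeat_valid_roundtrip(1));
    return 0;
}
```

The only difference between the two handlers is the comparison of the claimed length against the bytes that actually arrived; everything else, including the copy, is identical, which is why the mistake is easy to miss in review and why the over-read returns whatever happened to sit next to the record in memory.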
According to security experts, hackers could use the Heartbleed bug to break into email systems, security firewalls and possibly mobile phones.
The “Heartbleed” bug was reportedly discovered by a member of Google’s security team and a software security firm called Codenomicon.
The U.S. Government warned that hackers are attempting to exploit the ‘Heartbleed’ bug in targeted attacks by scanning networks to see if they are vulnerable. It asked organizations to report any Heartbleed-related attacks to the Department of Homeland Security (DHS).
DHS published the following message on its website.
Information sharing is a key part of the Department of Homeland Security’s (DHS) important mission to create shared situational awareness of potential cybersecurity vulnerabilities. DHS, through our National Cybersecurity & Communications Integration Center (NCCIC), actively collaborates with public and private sector partners every day to make sure they have the information and tools they need to protect the systems we all rely on.
When a cybersecurity industry report was published three days ago about a vulnerability known as “Heartbleed” – affecting websites, email, and instant messaging – that can potentially impact internet logins and personal information online by undermining the encryption process, the Department’s U.S.-Computer Emergency Readiness Team (US-CERT) immediately issued an alert to share actionable information with the public and suggested mitigation steps. Subsequently, our Industrial Control System-Cyber Emergency Response Team (ICS-CERT) published information and reached out to vendors and asset owners to determine the potential vulnerabilities to computer systems that control essential systems – like critical infrastructure, user-facing, and financial systems. The National Coordinating Center for Communications (NCC) also provided situational awareness to communications sector partners for their review and action. Importantly, the Federal government’s core citizen-facing websites are not exposed to risks from this cybersecurity threat. We are continuing to coordinate across agencies to ensure that all Federal government websites are protected from this threat.
While there have not been any reported attacks or malicious incidents involving this particular vulnerability confirmed at this time, it is still possible that malicious actors in cyberspace could exploit un-patched systems. That is why everyone has a role to play in ensuring our nation’s cybersecurity. We have been and continue to work closely with federal, state, local and private sector partners to determine any potential impacts and help implement mitigation strategies as necessary.
Today we’re also sharing some tips on steps you can take to protect your own personal cybersecurity and information online:
- Many commonly used websites are taking steps to ensure they are not affected by this vulnerability and letting the public know. Once you know the website is secure, change your passwords.
- Closely monitor your email accounts, bank accounts, social media accounts, and other online assets for irregular or suspicious activity, such as abnormal purchases or messages.
- After a website you are visiting has addressed the vulnerability, ensure that if it requires personal information such as login credentials or credit card information, it is secure with the HTTPS identifier in the address bar. Look out for the “s”, as it means secure.
Cybersecurity is a shared responsibility and when we take steps to ensure our own cyber safety, we are also helping to create a safer Internet for others.
For more cyber resources and tips, please visit www.dhs.gov/stopthinkconnect