If you have listened to the BBC, used Twitter or browsed any of the tech websites in the last 24 hours you have probably seen news about something called the Heartbleed Bug. You may even, as I have, had friends, family and clients asking if they should change all their internet passwords immediately.

Short answer to that question is “no”. The slightly longer answer is that there is no point in changing your passwords on any given website until and unless the vendor or host has actually taken the steps to resolve the Heartbleed Bug issue. That brings us to the much bigger issue of just how open tech companies are going to be about how vulnerable they are and what they are doing/have done to eliminate the bad version of OpenSSL from their systems.

There are plenty of other sites (here and here for example) out there that will give you technical detail of what is wrong with OpenSSL but the executive take-away you need is that very large parts of the internet are deeply broken and if we could turn it off for a few days to fix it that would be dandy.

OpenSSL is a free, open source library used to provide encryption (so typically it changes the text password you type into to a login into an encrypted file) and it is used very widely by websites run on open source code (so Linux based sites in the main) but it is also embedded into many,many bits of hardware like routers, security devices, home automation and an endless list of other things connected to the internet. Currently it is not clear if these items can be fixed.

Now that that Heartbleed bug is in the open it is a race between the hackers writing tools to steal your passwords and vendors rolling out patches and implementing fixes. With the right tool the bad guys can invisibly attack affected devices and web sites and read user names and passwords back.

Anyone running their infrastructure and web services on Microsoft’s IIS web server is feeling pretty smug this morning as they are essentially free of this bug.

This issue is going to run and run so new advice will appear over the coming days.

Mark T

UPDATE
Expect to see a slew of new phising emails
asking you to click on a link to change your passwords from all the big websites – Yahoo!, Google, etc. Don’t do it! If the email is genuine they should ask you to open up a new browser session and go to the website yourself.

 

 

 

by Mr T on Apr 10, 2014 at 9:25 AM

tagged:

Comments are closed.