Many information security companies are urging people to change all their passwords after the discovery of HeartBleed. OpenSSL, a cryptographic library used to digitally scramble digital sensitive data, is vulnerable to compromise and eavesdropping.
The Yahoo blogging platform Tumblr, for example, has advised the public to "change your passwords everywhere - especially your high-security services like email, file storage and banking".
However, other experts stress that there is no evidence of cybercriminals having harvested the passwords, and are advising users to check which services have fixed the flaw before changing their login.
On Monday April 7, Google Security and Codenomicon - a Finnish security company - revealed that a flaw had existed in OpenSSL for more than two years that could be used to expose the secret keys that identify service providers employing the code.
Cybercriminals making copies of these keys could steal names and passwords and potentially set up spoof sites with the stolen credentials.
It is currently unknown whether the exploit has been previously used, as doing so would leave no trail if left unpublished.
Google reportedly warned a select number of organizations about the issue before making it public, in order that they could update to a new version of OpenSSL released at the start of the week. Yahoo, amongst others, were not included on the list and it has been reported that user names and passwords were obtained from Yahoo before it was able to apply the fix.
Heartbleed Advice From Industry Experts
The Heartbleed revelation has shocked the information security community. Infosecurity Magazine has compiled some of the advice and comments from experts in the industry:
- "Catastrophic is the right word. On the scale of one to 10, this is an 11" - Bruce Schneier.
- "The level of knowledge now needed to exploit this vulnerability is substantially less than it was 36 hours ago. As long as service providers have patched their software it would now be a prudent step for the public to update their passwords" - Ollie Whitehouse, NCC Group
- “Users should check with their go-to websites that contain sensitive information such as their banking and email providers and ask them if they were affected, and if so, how they have patched the vulnerability. Once the provider has confirmed their service is fixed, users should also change their passwords” - John Miller, Trustwave
- “Consumers concerned by Heartbleed should review advice provided by the organisations they interact with using Secure Sockets Layer (SSL) communications. This may include changing passwords, remembering not to use the same password across separate systems, running up-to-date anti-virus software and enabling automated software updates” – Peter Allwood, Deloitte
- “Guidance for consumers: Stop all transactions for a few days. There are also websites you can point at websites you visit to see if they’re patched yet, like this: http://filippo.io/Heartbleed” – Mike Lloyd, RedSeal
- “The public should take note that internet banking, email and file storage may have been compromised by this bug and should now avoid using these services for a couple of days if possible” – Chris Eng, Veracode
- “To save your time on table reading and certificate checking, you can simplychange your password on all these sites: Facebook, Instagram, Pinterest, Tumblr, Yahoo, AWS, Box, Dropbox, Github, IFFT, Minecraft, OKCupid, SoundCloud, Wunderlist. Use a unique password for each site!” – Kaspersky Labs
- “Internet users need to be on red alert right now. Heartbleed doesn’t just enable hackers to eavesdrop communications and steal sensitive data; it calls into question the very security that keeps the heart of the Internet beating. The fact that the vulnerability in OpenSSL appears to have been introduced two years ago, means everyone should be getting online now and changing their passwords” - Simon Eappariello, iboss Network Security
- “The ‘heartbleed bug’ seems to exploit a tiny error, overlooked in the original coding. This shows just how important it is for due process and care to be taken in the development stages of new software. It also once again demonstrates that traditional perimeter security is dead and that security breaches are inevitable – organisations need to realise this and allocate resource to finding and containing threats once they have gained access to the system” – Tony Caine, HP Enterprise Security Products