Find-A-Code Focus Newsletter

OpenSSL Security Breach Never Affected FindACode.com

By Taylor Smith
April 09, 2014

FindACode.com Members: Your security was never at risk on FindACode.com; however, we recommend you verify with all other websites where you have sensitive personal or billing information (a username and password) that your private information was never vulnerable. Some major sites like yahoo.com have already fixed the breach, but were vulnerable up until just recently. If you have an account with yahoo.com or any other unsecured site, we recommend you change your passwords immediately.

Sincerely,
Your Find-A-Code Administrators

You can read the article below for more information:

An exploit known as the “Heartbleed Bug” has shown up in the OpenSSL cryptographic library, and it could essentially allow attackers to gain access to highly sensitive information, including credit card numbers, usernames, passwords, and other important data.

“This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs),” reads a description of the bug on the Heartbleed.com website.

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.”

It can compromise secret keys used to encrypt web traffic, allowing attackers to eavesdrop on communications or impersonate other users.

“As long as the vulnerable version of OpenSSL is in use it can be abused,” the website states. A fixed version of OpenSSL has been released, but it has to be deployed en masse, the website added.

“Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use,” Heartbleed.com reads.

Ronald Prins of security firm Fox-IT tweeted about testing the bug. “We were able to scrape a Yahoo username & password via the Heartbleed bug … Ok, ran my heartbleed script for 5 minutes, now have a list of 200 usernames and passwords for yahoo mail…TRIVIAL!” he wrote.

Earlier in the day, Yahoo said it fixed the primary vulnerability on its main websites.

“As soon as we became aware of the issue, we began working to fix it. Our team has successfully made the appropriate corrections across the main Yahoo properties (Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr, and Tumblr) and we are working to implement the fix across the rest of our sites right now. We’re focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users’ data,” the company stated, according to CNET.

AP update:

NEW YORK— Passwords, credit cards and other sensitive data are at risk after security researchers discovered a problem with an encryption technology used to securely transmit email, e-commerce transactions, social networking posts and other Web traffic.

Security researchers say the threat, known as Heartbleed, is serious, partly because it remained undiscovered for more than two years. Attackers can exploit the vulnerability without leaving any trace, so anything sent during that time has potentially been compromised. It’s not known, though, whether anyone has actually used it to conduct an attack.

Researchers are advising people to change all of their passwords.

The breach involves SSL/TLS, an encryption technology marked by the small, closed padlock and “https:” on Web browsers to signify that traffic is secure. With the Heartbleed flaw, traffic was subject to snooping even if the padlock had been closed.

The problem affects only the implementation of SSL/TLS known as OpenSSL, but that happens to be one of the most common on the Internet.

Researchers say that OpenSSL is used by two of the most widely used Web server programs, Apache and nginx. That means many websites potentially have this security flaw. OpenSSL is also used to secure email, chats and virtual private networks, which are used by employees to connect securely with corporate networks.

A fix came out Monday, but websites and service providers must install the update.

Yahoo Inc.’s Tumblr blogging service uses OpenSSL. In a blog post Tuesday, officials said they had no evidence of any breach and had immediately implemented the fix.

“But this still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit,” Tumblr’s blog post read. “This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage, and banking, which may have been compromised by this bug.”

The flaw was discovered independently by researchers at Google Inc. and the Finnish security firm Codenomicon.

http://www.theepochtimes.com/n3/609175-heart-bleed-bug-imperils-web-encryption-putting-passwords-credit-cards-at-risk/

