Author Topic: Heartbleed flaw  (Read 4382 times)

Offline Maik

  • Administrator
  • Forum Deity
  • *****
  • Posts: 35167
Heartbleed flaw
« on: Wednesday, 09 April, 2014 @ 23:00:29 »
Quote
Heartbleed Bug: Public urged to reset all passwords

Several tech firms are urging people to change all their passwords after the discovery of a major security flaw.

A researcher at the University of Cambridge Computer Laboratory said it would be an overreaction to say everyone should drop what they are doing to reset all their passwords, " ... it's not a bad idea but it's not something people have to rush out to do unless the service recommends you do so."
http://www.bbc.com/news/technology-26954540


Offline Maik

  • Administrator
  • Forum Deity
  • *****
  • Posts: 35167
Re: Heartbleed flaw
« Reply #1 on: Friday, 11 April, 2014 @ 04:00:37 »
Quote
A lot of folks are going around at the moment telling the public to change all of their passwords in response to the serious Heartbleed internet security bug.

That’s awful advice.

You should only change your password in response to the Heartbleed bug after a website or internet company has:

1. Checked to see if it is vulnerable
2. Patched its systems
3. Grabbed a new SSL certificate (having revoked their previous one)
4. Told you it is fixed

The danger is that if you change your passwords *before* a website has been fixed, you might actually be exposing your credentials to *greater* risk of being snarfled up by people exploiting the vulnerability in the buggy versions of OpenSSL.
http://grahamcluley.com/2014/04/heartbleed-bug-passwords/


Affected sites where you *should* change your password include Facebook, Google/Gmail, Yahoo/Yahoo Mail and Amazon Web Services, according to the BBC. On other websites you should only change your password if you use the same password for multiple websites.

If you receive an email from a website stating that you should change your password, don't follow a link in the email; it could be that the email is a carefully constructed phishing email designed to replicate a genuine email, in which case you'd be giving away your current password (see "In the wake of Heartbleed, watch out for phishing attacks, disguised as password reset emails"). Instead, visit the website via e.g. a link you've saved in Bookmarks / Favourites and then change your password.

GGi isn't affected by the Heartbleed bug.
« Last Edit: Friday, 11 April, 2014 @ 04:03:40 by Maik »

Offline Maik

  • Administrator
  • Forum Deity
  • *****
  • Posts: 35167
Re: Heartbleed flaw
« Reply #2 on: Wednesday, 16 April, 2014 @ 00:47:25 »
Quote
Up to 50 million Android devices could be vulnerable to Heartbleed attack. Here’s how to check yours
http://grahamcluley.com/2014/04/heartbleed-android/