Heartbleed!

Here is current information on the Heartbleed vulnerability you have been hearing about this week. While the majority of what is being released in the news deals with web sites, there is also network hardware that is affected. As manufacturers release patches, BECA will work with you to update any equipment that requires a software patch. Most of the security issues involve web sites that all of us use every day, so please share this information with everyone in your office. Take note that changing your password on a vulnerable site does not protect you until the site has been “patched” (at the end of this message is a list of popular websites and their current status). Please feel free to contact us if you have any further questions.

There have been numerous articles going around regarding the new Heartbleed threat. What this refers to is a problem with the technology used to make secure connections with websites. Typically you would see a tiny padlock icon in your browser next to the “https://” indicating that a website is “secure.” It turns out that this may not in fact be the case. As far back as March of 2012, this vulnerability (referred to as Heartbleed) would allow hackers to potentially gain access to any data that was transmitted to an affected website. Unfortunately, the list of affected websites is fairly vast, and almost everyone may have used one of these websites or know of someone who has. Until those websites fix this vulnerability, it may still be unsafe to send personal information to them.

So what do you do? Normally, the best approach when security is potentially compromised is to change your password. However, in this case, changing your password immediately may not be the best course of action. Until a website has corrected the vulnerability, changing your password would only serve to potentially give attackers your new password. We suggest that you wait until the affected website has corrected the problem before attempting to change your password. Typically a website will notify you (via e-mail if you have an account with them) that its corrections have been made. Another good practice would be to ensure your accounts across various websites do not share passwords. Keep this in mind when changing passwords, because it is common practice for hackers to attempt to use your credentials at multiple websites (expecting you to use the same password). This would also mean that even if a website you frequent was not affected, you would still need to change its password if you shared it with a website that was.

There are two resources you can use to see whether there is any action you should take, and to help check websites going forward. The first is this list, updated by GitHub on 4/9/2014, which is a historical list of the websites that have been affected up until this point. If you find a website you have shared secure information with on this list, you should consider changing your password when it is safe to do so. The second is a real-time tool which can verify whether a website is CURRENTLY vulnerable to Heartbleed: http://filippo.io/Heartbleed/ . You can use this link to check whether a website is “safe” and whether it would be OK to change your password with it.

On a final note: Beware of e-mails asking you to change your password! A number of scams have already started that send fake e-mails with embedded links to change your passwords for Heartbleed. DO NOT BE FOOLED! Links in e-mails are highly suspect, especially when the sender could be faked. Best practice is to manually visit a website (by typing its address in your browser) in order to reset a password. Following e-mail links is highly discouraged.

 

As of 4/11/2014:

| Site | Status | Confirmation from site |
| --- | --- | --- |
| Google | Pass | Vulnerability patched. Password change recommended |
| Facebook | Pass | Vulnerability patched. Password change recommended |
| YouTube | Pass | Vulnerability patched. Password change recommended |
| Yahoo! | Pass | Vulnerability patched. Password change recommended |
| Amazon | Pass | Was not vulnerable |
| Wikipedia | Pass | Vulnerability patched. Password change recommended |
| LinkedIn | Pass | Was not vulnerable |
| eBay | Pass | Was not vulnerable |
| Twitter | Pass | Was not vulnerable |
| Craigslist | Pass | Awaiting response |
| Bing | Pass | Vulnerability patched. Password change recommended |
| Pinterest | Pass | Vulnerability patched. Password change recommended |
| Blogspot | Pass | Vulnerability patched. Password change recommended |
| CNN | Be on alert | Awaiting response |
| Live | Pass | Was not vulnerable |
| PayPal | Pass | Was not vulnerable |
| Instagram | Pass | Vulnerability patched. Password change recommended |
| Tumblr | Pass | Vulnerability patched. Password change recommended |
| Espn.go.com | Pass | Vulnerability patched. Password change recommended |
| WordPress | Pass | Awaiting response |
| Imgur | Pass | Awaiting response |
| Huffington Post | Be on alert | Awaiting response |
| Reddit | Pass | Vulnerability patched. Password change recommended |
| MSN | Pass | Was not vulnerable |
| Netflix | Pass | Vulnerability patched. Password change recommended |
| Weather.com | Be on alert | Awaiting response |
| IMDb | Not available | Was not vulnerable |
| Yelp | Pass | Vulnerability patched. Password change recommended |
| Apple | Pass | Was not vulnerable |
| AOL | Pass | Awaiting response |
| Microsoft | Pass | Was not vulnerable |
| NYTimes | Pass | Awaiting response |
| Bank of America | Pass | Was not vulnerable |
| Ask | Not available | Was not vulnerable |
| Fox News | Pass | Was not vulnerable |
| Chase | Pass | Was not vulnerable |
| GoDaddy | Pass | Vulnerability patched. Password change recommended |
| About | Not available | Was not vulnerable |
| BuzzFeed | Pass | Awaiting response |
| Zillow | Pass | Was not vulnerable |
| Wells Fargo | Pass | Was not vulnerable |
| Etsy | Pass | Vulnerability patched. Password change recommended |
| XVideos | Be on alert | Awaiting response |
| Walmart | Pass | Was not vulnerable |
| CNET | Pass | Was not vulnerable |
| Pandora | Pass | Was not vulnerable |
| xHamster | Pass | Awaiting response |
| PornHub | Pass | Awaiting response |
| Comcast | Pass | Awaiting response |
| Stack Overflow | Pass | Vulnerability patched. Password change recommended |
| Salesforce | Pass | Was not vulnerable |
| Daily Mail | Be on alert | Awaiting response |
| Vimeo | Pass | Vulnerability patched. Password change recommended |
| Conduit | Pass | Awaiting response |
| Flickr | Pass | Vulnerability patched. Password change recommended |
| Zedo | Not available | Was not vulnerable |
| Forbes | Be on alert | Awaiting response |
| LiveJasmin | Be on alert | Awaiting response |
| USPS | Pass | Vulnerability patched. Password change recommended |
| Indeed | Pass | Awaiting response |
| Hulu | Pass | Was not vulnerable |
| Answers | Pass | Was not vulnerable |
| HootSuite | Pass | Was not vulnerable |
| Amazon Web Services | Pass | Awaiting response |
| Adobe | Pass | Awaiting response |
| Blogger | Pass | Vulnerability patched. Password change recommended |
| Dropbox | Pass | Vulnerability patched. Password change recommended |
| Reference.com | Not available | Was not vulnerable |
| AWeber | Pass | Was not vulnerable |
| UPS | Pass | Was not vulnerable |
| Intuit | Pass | Awaiting response |
| NBC News | Pass | Awaiting response |
| USA Today | Pass | Awaiting response |
| Outbrain | Pass | Vulnerability patched. Password change recommended |
| The Pirate Bay | Pass | Awaiting response |
| The Wall Street Journal | Pass | Awaiting response |
| Bleacher Report | Pass | Awaiting response |
| Constant Contact | Pass | Was not vulnerable |
| Wikia | Pass | Awaiting response |
| CBSSports | Pass | Was not vulnerable |
| Publishers Clearing House | Pass | Awaiting response |
| Washington Post | Not available | Vulnerability patched. Password change recommended |
| Target | Pass | Was not vulnerable |
| TripAdvisor | Pass | Was not vulnerable |
| FedEx | Pass | Was not vulnerable |
| Capital One | Pass | Was not vulnerable |
| wikiHow | Not available | Was not vulnerable |
| Googleusercontent.com | Pass | Vulnerability patched. Password change recommended |
| Groupon | Pass | Was not vulnerable |
| Best Buy | Pass | Awaiting response |
| Trulia | Not available | Was not vulnerable |
| Feedbin | Pass | Vulnerability patched. Password change recommended |
| Pinboard | Pass | Vulnerability patched. Password change recommended |
| GetPocket | Pass | Vulnerability patched. Password change recommended |
| IFTTT | Pass | Vulnerability patched. Password change recommended |
| PayScale | Pass | Was not vulnerable |

 

 

 

 

