Heartbleed bug may expose your private data

What you need to know about the serious ‘bug’ affecting (not so) ‘secure’ servers:

A “serious vulnerability” has been found in the software that often encrypts your user name, password and banking information when you log into “secure” websites, as indicated by the little lock icon in your browser.

The “Heartbleed bug” has the potential to expose huge amounts of private data, including user names, passwords, credit card numbers and emails, because it was found in a popular version of the OpenSSL software code. The code is used by over two-thirds of active websites on the internet to provide secure and private communications, according to a website set up by security researchers to provide information about the bug.

The software code is also used by many email and chat servers and virtual private networks.

The bug allows “anyone on the internet” to read the memory of systems protected by the bug-afflicted code, compromising the secret keys used to encrypt the data, the researchers reported.

“This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”

Tests by the security researchers who discovered the bug showed that eavesdropping via the bug is undetectable.

“Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication,” they wrote.

The bug was discovered independently by security engineers at the Finnish internet security testing firm Codenomicon and Neel Mehta of Google Security. It is found in a version of the code that has been used by internet services for more than two years.

The researchers say they don’t know if any cybercriminals have discovered and exploited the bug.

Patched version available

A patched version of the software code was released Monday when the bug was disclosed, but it still needs to be incorporated into the actual operating systems and software that use it. Then it must be installed by the owners of the affected internet services. All that may take some time.

Meanwhile, as a user, what can you do to ensure the web services you’re using are safe? Italian security researcher Filippo Valsorda has created a tool that lets you check whether a website has the Heartbleed vulnerability.

Valsorda noted that the site sometimes generates a false negative, probably because it is overloaded, but testing a vulnerable site over and over will eventually give a positive result. “The red result takes precedence over all the others and is certain,” he wrote.

Yahoo patching its services

As of Tuesday morning, the tool suggested that Google, Microsoft, Twitter, Facebook, Dropbox, and Amazon remain safe, but Yahoo.com is vulnerable.

“Please take immediate action,” the site says, directing users to the Heartbleed FAQ.

By 3 p.m. ET, Yahoo said it had successfully patched the bug on its homepage, search, mail, finance, sports, food, tech, Flickr photo and Tumblr blogging services.

“We are working to implement the fix across the rest of our sites right now,” a Yahoo spokesperson wrote in an email.

The official name of the Heartbleed bug is CVE-2014-0160, and it affects OpenSSL versions 1.0.1 to 1.0.1f, but not earlier or later versions. It was nicknamed “Heartbleed” because it was found in a part of the code called the “heartbeat extension.”

Source: http://www.cbc.ca/news/technology/heartbleed-bug-may-expose-your-private-data-1.2602610

Kathleen Finlay ND

“If only people knew the power they have to heal. If only people knew there are infinite ways of healing.”

Kathleen Finlay has retired from her practice.

Why own your own Domain and hosting?

Have you ever been unhappy with your current web developer and decided to hire a new one, only to find out, to your dismay, that you can’t have access to your website? That it is stored on that developer’s server along with their other websites and you can’t get access?

This is the one reason why you should always own your own domain name and hosting. You are in control and will always have access to your website, email, domain etc.

There will never be a reason for the hosting and domain to disappear (web developer retires), or for the rates to suddenly skyrocket! You will always be in control!

So when deciding where to purchase your domain, make sure you find a reputable company, one that offers 24/7 phone service and one that guarantees over 95% uptime on the server.

A good choice? Wanna Web Design Hosting.

Choosing Colour Schemes

Choosing a colour scheme for your project can be a daunting task. Take advantage of online colour scheme tools such as the one at Color Scheme Designer. Enter your hexadecimal value and you can choose mono, complementary, triad etc.