Wednesday, April 30, 2014

Study: Only 39% of Web users changed passwords due to Heartbleed bug

It appears Heartbleed, the massive OpenSSL security flaw, never really mattered much to the masses.

According to a study by Pew Internet, 39 percent of Internet users surveyed “took steps to protect their online accounts” after learning about Heartbleed security risks. As for the majority 61 percent, they apparently didn’t take any steps “to protect their online accounts by doing such things as changing passwords or canceling accounts.”

For all the shouting from the tech and security industry, a large portion of Internet users remain entirely indifferent to the bug.

Later in its study, Pew claims “29 percent of Internet users believe their personal information was put at risk because of the Heartbleed bug,” while only 6 percent believe their personal data was stolen.

As with all studies, Pew’s research should be taken with a grain of salt. Studies such as these can successfully suggest trends, but the data within them shouldn’t be interpreted as hard fact.

It’s curious, however, to see that Heartbleed — a bug famous for striking mainstream fears — isn’t as widely cared about as techies may believe.

Internet security researchers use Heartbleed bug to target hackers

Anti-malware researchers have turned the tables on cyber criminals by using the Heartbleed bug to gain access to online forums where hackers congregate.

The bug, a flaw in a key piece of security technology used by more than 500,000 websites, had been exposing online passwords and other sensitive data to potential theft for more than two years.

Among the websites affected by the bug were private, password-protected hacker forums, Steven K, a French anti-malware researcher, told the BBC. The researcher said he was able to gain access to the sites by using specially-written tools to target them.

"Not many people have the ability to monitor this forum, but Heartbleed exposed everything," Steven K added, referring to one such website.

Researchers can use the bug to grab conversations from chatrooms where hackers share data, but run the risk of facing criminal charges for malicious hacking, the BBC reports.

“This work just goes to show how serious Heartbleed is,” said Charlie Svensson, a computer security researcher at Sentor. “You can get the keys to the kingdom, all thanks to a nice little heartbeat query."

Meanwhile, a new poll released Wednesday by the Pew Research Center said most Americans have been trying to protect themselves from the bug, but a group nearly as large is unaware of the threat.

After word of the problem got out on April 7, affected websites began to close the Heartbleed loophole and security specialists recommended that Web surfers change their online passwords as a precaution.

That advice apparently resonated among those who read about it in the extensive media coverage of the Heartbleed risks.

Passwords were changed or online accounts were closed by 39 percent of the Internet users in Pew's telephone survey of 1,501 adults taken in the U.S. from April 23-27.

But 36 percent of the Internet users participating in the survey hadn't heard about Heartbleed at all.

The almost equal division between people insulating themselves from Heartbleed and those unaware of the problem shows there is still a knowledge gap even as the Internet and mobile devices make it quicker and easier to find all kinds of information.

"There are some people who are pretty tuned in and are in an action frame of mind, and then there are others that don't know about the news that is breaking," said Lee Rainie, director of Pew Research's Internet Project.

Better educated and more affluent Internet users tended to pay the most attention to Heartbleed. Roughly three-fourths of the Internet users aware of Heartbleed had college educations and lived in households with annual incomes of at least $75,000, according to Pew.

Only 19 percent of the survey respondents said they had heard "a lot" about Heartbleed. By comparison, 46 percent said they had heard "a lot" about the escalating tensions between Russia and Ukraine.

Just 6 percent of the survey participants believed Heartbleed led to their online information being ripped off.

Tuesday, April 29, 2014

Just how big a threat is Heartbleed? Heartbleed initially posed a huge threat to internet security

Just how serious is this threat from the Heartbleed website security flaw? The only reason I ask is because there is so much conflicting advice about what I should do, regarding changing passwords and so on.

It could have been very serious indeed, but the industry has moved quickly and virtually all of the major institutions and sites where it could have been a problem have been fixed. Even so, a lot of websites are still vulnerable. Visiting a site’s home page to check its status is worth doing, but there are other ways, provided you are using the Firefox or Chrome browsers. Two plug-ins and an extension have been developed that check for the flaw: Foxbleed, Heartbleed-ext and Chromebleed.

They use coloured, heart-shaped icons to indicate whether or not the site you are visiting has been patched. As a final precaution you can enter the web address in a Heartbleed Test website that also tells you if the site is safe. In the end, though, the best advice to stay safe on the web has not changed, and that is to use long, unguessable passwords (i.e. no names or words) made up of a mixture of characters and punctuation marks. Use a different password for each site and change them on a regular basis.

NSA Admits to Keeping Some Heartbleed-like Bugs Secret

The NSA’s building is so big because it’s full of secrets even though the agency will never actually admit to even a portion of them.

In a rare move, however, the White House has chosen to disclose more about the way the NSA works and how it deals with bugs such as Heartbleed.

As you will probably remember, everyone guffawed when the NSA said it had no prior knowledge of Heartbleed a few weeks back, when the OpenSSL vulnerability was exposed. That’s because if there’s one thing Edward Snowden’s leaks have taught us, it is that finding bugs of this size is one of the agency’s main jobs, especially given the widespread use of the affected OpenSSL versions.

Since Heartbleed had been around for two years, it was even harder to believe that the intelligence agency really had no idea about the issue. What made matters even worse was the idea that the spies did know about the bug, but chose not to share the information with the public.

“Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest. But that is not the same as arguing that we should completely forgo this tool as a way to conduct intelligence collection, and better protect our country in the long-run. Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area,” writes Michael Daniel, White House cybersecurity coordinator.

The decision to share more information about how the agency works came after Heartbleed was exposed, actually.

The agency said that it considers several things before deciding whether to share the information it has on a bug, and more specifically how the White House decides which vulnerabilities are withheld from the public.

Firstly, the agency analyzes how much the vulnerable system is used in the core Internet infrastructure, in other critical infrastructure systems, in the United States economy and in national security systems.

Then they assess whether the vulnerability, if left unpatched, poses a significant risk, and just how much harm an adversary nation or criminal group could do with knowledge of the bug.

“How likely is it that we would know if someone else was exploiting it? How badly do we need the intelligence we think we can get from exploiting the vulnerability? Are there other ways we can get it?” Daniel writes.

Other questions relate to whether or not the agency can exploit the bug for a short period before disclosing it and whether anyone else is likely to spill the beans before them.

“Too little transparency and citizens can lose faith in their government and institutions, while exposing too much can make it impossible to collect the intelligence we need to protect the nation. We weigh these considerations through a deliberate process that is biased toward responsibly disclosing the vulnerability, and by sharing this list we want everyone to understand what is at stake,” Daniel wrote.

Basically, the White House and the NSA are once more playing “God” and deciding whether something should be known by the public or not even if their online safety is at risk. Even worse, the US government admits that it sometimes withholds information so it can exploit the bug on its own.

While the NSA has denied knowing about Heartbleed, it does seem likely that others have caught on to bugs and exposed them while the intelligence agency was still exploiting them for information.

Microsoft grapples with IE security flaw - Scrambling Sunday to repair a security hole

Microsoft was scrambling Sunday to repair a security hole in its widely used Internet Explorer web browser, saying it had detected attempts to exploit the flaw.
The US software giant said that the coding problem affected versions six through 11 of its flagship browser, noting it was aware of “limited, targeted attacks” taking advantage of the newly discovered flaw.
Microsoft says that an attacker who successfully exploits the vulnerability could gain the same user rights as the current user.
“The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer,” Microsoft said on its security website Saturday.
“An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”
Cybersecurity firm FireEye, which took credit for identifying the flaw, said hackers were exploiting the bug in a campaign nicknamed “Operation Clandestine Fox.”
Users still relying on Windows XP could be especially vulnerable because Microsoft stopped supporting the older operating system with security patches and other software updates early this month.
Earlier this month, the “Heartbleed” flaw in Internet security saw everyone from website operators and bank officials to casual Internet surfers and governments being told their data could be in danger.
Heartbleed allowed hackers to snatch packets of data from working memory in computers, creating the potential for them to steal passwords, encryption keys, or other valuable information.

Heartbleed bleeding continued, firewalls, power plants, HP printers

The number of affected devices is "extremely worrying", says IT security expert Nicholas Weaver
Three weeks after the serious Heartbleed vulnerability became public, the extent of the "security disaster" is becoming clearer. The "Internet of Things" in particular is strongly affected by the bug, and will probably remain so for decades.
Austria: still 1,600 systems affected
After the public was informed about Heartbleed, web servers were initially the focus of security experts. Here the picture in Austria is reasonably satisfactory: SBA Research reported that about 1,600 systems are currently still affected by the Heartbleed vulnerability, where originally 7,014 systems were vulnerable.
Although 1,600 systems is not a small number, it means that the hole has been closed on three-quarters of the affected systems.
"Disturbing"
A much greater cause for concern for IT security experts such as Nicholas Weaver is currently the "Internet of Things". "The number of affected devices is really worrying," said Weaver, who has worked for the University of Michigan.
Nest, Apple, Siemens
Nest, the Google-acquired manufacturer of smart thermostats, announced that its devices were affected by the vulnerability. Apple's AirPort and Time Capsule also suffer from the bug, as does industrial equipment from Siemens that is used in power plants and water treatment plants.
Firewalls as a security problem
It is particularly scary that exactly those devices are affected which were actually purchased as a protective measure, says software developer Dave Taht, who is involved in an open-source router project.
Firewalls in particular could, thanks to Heartbleed, become security vulnerabilities themselves: systems from Fortinet and WatchGuard are affected, for example. According to Wired, neither company would say how many users had already installed an update. It is estimated, however, that tens of thousands of firewalls are still unprotected.
HP printers
Even Hewlett-Packard had to admit that its printers could potentially be affected by Heartbleed, although the company was unable to determine itself which models are at risk. According to HP, only a small number are affected. It is hardly to be assumed, however, that only HP printers are affected; according to Wired, "no one currently knows the true extent of the problem".
"Could take decades"
Yet Heartbleed could have even worse consequences: many devices that use OpenSSL were not affected only because they either ran outdated OpenSSL versions or had the heartbeat extension switched off.
But exactly that could in turn be a problem, according to researcher Weaver: without automated updates, the devices would have to be updated manually, and until the hole is closed on all devices it could take decades. (fsc, derStandard.at, 28/04/2014)

For a future without Heartbleed - OpenSSL still vulnerable

Far from ending with the upgrade to fixed versions of OpenSSL, the debate about the bug known as Heartbleed continues to produce new topics of discussion and controversy. Once again everyone involved comes in for blame, from large corporations, guilty of not having supported the project enough, to hackers on the hunt for new "apocalyptic" bugs in the style of Heartbleed.

A background story that is surely destined to leave its mark concerns the management and maintenance of OpenSSL, an essential security component for the busiest part of the Internet, which has so far been looked after by just two developers, only one of them full-time, on donations of just $2,000 a year.

Fortunately, the Heartbleed case seems to have taught the big companies something: Steve Marquess and Stephen Henson (the two developers mentioned above) should now get some fresh troops, and OpenSSL should benefit from multi-million-dollar funding managed by the Linux Foundation with contributions from giants such as Microsoft, Intel, Google, Facebook and Qualcomm. Mozilla, in its own small way, is offering a reasonable monetary reward ($10,000) to anyone able to harden Firefox's code against bugs potentially similar to Heartbleed in time for the release of version 31 of the open-source browser.

Finally, the electronic underground is discussing a new, allegedly identified vulnerability in OpenSSL said to be as dangerous as Heartbleed. In this case, at least, it is probably a scam.

The branding of a bug: how Heartbleed became a household name

In the world of marketing, Heartbleed was a bloody masterpiece.
While it's standard practice for cyber-security companies to give newly discovered Internet attacks cloak-and-dagger-sounding names like Night Dragon and Operation Clandestine Fox, that's typically not the case for programming errors, which inherently aren't as sexy and are often quickly fixed after they're announced.
But this bug was different. Cyber-security firm Codenomicon spotted the hole on April 3 as part of ongoing work looking for gaps in OpenSSL, software that encrypts the communications between people's browsers and websites they visit, co-founder Mikko Varpiola said in an interview. The Finnish company has discovered other bugs in the software, but this one was exceptionally serious because it could allow hackers to silently steal data from target servers.
When Codenomicon CEO David Chartier was first alerted to what his researchers found, it was immediately clear this was a big deal, he said in an interview. The company notified the appropriate authorities and quickly got to work on a marketing plan.
It was the researchers' idea to name the bug and create a website dedicated to explaining it, Chartier said, "to make it very easy to understand."
Software bugs are often announced to the world with the low-key posture of something that doesn't want to be found. They're assigned eye-glazing, industry standard codes such as CVE-2012-2333 and CVE-2008-0891, which mean something to technology managers but are gibberish to everyone else.
That wouldn't do on this occasion. So an engineer came up with "Heartbleed," which plays off the "heartbeat" function in OpenSSL that can be manipulated to leak, or bleed, data. (The bug's official name is CVE-2014-0160.) Then a graphic designer came up with the logo.
When the OpenSSL Project announced the bug and the availability of a fix for it April 7, news outlets around the world picked up the story, thanks in part to its emotionally charged name and that evocative bleeding-heart logo. That set off a race among Internet companies to apply a fix and led to revelations that the National Security Agency has exploited it for years for surveillance purposes.
Never mind that a Google engineer actually found the bug first. The online search giant had taken the opposite approach: It did zero publicity around the find.
Also worth noting is that Codenomicon made a flawed assessment about the size of the problem. The company initially said that as many as two-thirds of all websites - hundreds of millions of them - were potentially vulnerable to Heartbleed, based on the market share of open-source software that uses OpenSSL.
But Netcraft, the U.K. company whose data the estimate was based on, said the actual figure was closer to 500,000. The difference is that not all sites that could have used OpenSSL actually did use the software, according to Netcraft. It's only used for secure communications, and not all sites need that.
Chartier said the oversight was unavoidable. The company didn't want to tip off any entities outside official channels about what it had found, so it based its estimates only off publicly available information.
Still, how Heartbleed was transformed from a security hole in an obscure part of open-source encryption software into a brand recognized around the world is a "fascinating case study in the success of viral marketing," said Andrea Matwyshyn, assistant professor at the Wharton School of the University of Pennsylvania. It's a rare instance of a deeply technical cyber-security issue being presented in a polished way for consumers and the media, said Matwyshyn, who is also a senior policy adviser to the Federal Trade Commission on privacy and security.
And the outcome was a win-win. Most websites fixed their systems quickly, and there's been a spike in interest for Codenomicon's products, Chartier said.
"It's always good to get your name associated with something like this," he said. "We have lots of inquiries."

What Heartbleed can teach businesses about information security

Reflection on crucial lessons that every business must recover from the ashes of the Heartbleed fallout
There can be very few historical global IT security incidents and vulnerabilities that come anywhere near the shadowy, anxiety-provoking spotlight now shining firmly on the arena of information security. The impact of the OpenSSL bug known as Heartbleed – which became public on 7th April 2014 and is officially documented as CVE-2014-0160 – has reached far and wide. One of the most fundamental backbones of security on the Internet has been dealt a severe blow to confidence.
Trusting the Internet
Due to this crucial transport layer vulnerability, which causes memory content to leak when exploited, an incalculable number of private keys have been exposed. While IT security teams worldwide scramble to analyse their systems and patch this bug by upgrading to OpenSSL 1.0.1g or higher, the true impact of the potential risks from retrospective exploitation that Heartbleed has presented may never be fully realised.
Confirmation of documented exploitation of the Heartbleed bug has already been made public, and even though only 64 kilobytes of data can be gained at a time, there is a very real risk that secure data can – and indeed has in many cases – been compromised.
However there are a number of crucial lessons which must be learned from Heartbleed, and these are not only relevant to the security professionals. Failing to learn these lessons can have grave implications for the image and reputation of the company as a whole.
Layered Encryption Mechanisms
The reliance on OpenSSL as the sole encryption mechanism in how IT departments think about their security topology holds a critical lesson: the benefits of multi-layered encryption must be fully considered in all areas. This includes digital media devices, such as hard disk RAID environments.
There will always be certain arenas where this is not possible, namely e-commerce, and there is also the fact that SSL certificates must be revoked and re-issued even after patching. Vendors are taking such actions because they are keen to establish whether they were at risk of exploitation by Heartbleed, even if only for a limited period of time.
But proactive auditing of the security mechanisms used at each part of the private and public-facing network will allow due consideration to be given to using multiple layers. While it is an accepted principle that the notion of being ‘completely secure’ is a somewhat utopian goal, treating information security like a constantly moving spotlight must be a pre-requisite to achieving confidence.
Auditing and Destruction
One of the most concerning facts revealed through the Heartbleed vulnerability is that it is impossible to detect whether a particular service has been attacked or exploited. The lack of logs and signs of this intrusion means there is no way of knowing if confidential data has indeed been leaked.
The reliance on widely trusted security mechanisms that pose such potential risk to personal data if exposed must be analysed, including identifying whether certain data should really be protected by only one layer of security in the first place. While in the case of Heartbleed there is no way of knowing first-hand whether critical data was leaked, responsibility must be in place to ensure proper auditing of personal data.
When it comes to retiring legacy digital media devices, proper destruction of devices such as hard drives can only be achieved by following Shred-it’s information security best practices. But in learning the lessons of the Heartbleed fallout, data destruction should be an authenticated and provable event, since full disclosure, where possible, increases confidence levels.
The collective concern of businesses worldwide about never knowing whether their clients’ data leaked should foster a determination to harden, wherever possible, those areas that can be hardened with multiple layers of encryption mechanisms.
While many would argue that the world has yet to reach the epicentre of the Heartbleed fiasco, the American philosopher John Dewey’s words ring with particular resonance: “We do not learn from experience, we learn from reflecting on experience.”

Corero Network Security Calls on Internet Service Providers to Share the Responsibility in Stopping Known Malicious Traffic from Reaching Customers

Corero Network Security (LSE: CNS), a leading provider of First Line of Defense(R) security solutions, has found that the inability of Internet Service Providers (ISPs) to offer secure Internet services is contributing to continued exploits of OpenSSL and Network Time Protocol (NTP) for cyber attacks. While organizations continue to spend millions of dollars on remediation and defenses against these threats, their efforts lack any significant assistance from their ISPs. Security minded ISPs should share the responsibility for protecting against Distributed Denial of Service (DDoS) attacks and cyber threats by mitigating obvious attack traffic before it reaches their corporate customers' networks.

One of the greatest security risks companies face is connecting their essential business infrastructures and applications to raw, unsecured Internet feeds. Even with traditional technologies and solutions in place, companies are still at risk from malicious traffic delivered by their ISPs. Technology exists to remove many known threats while they are still in transit; unfortunately, most ISPs have business models based on the volume of bandwidth they deliver rather than its quality or security. As a result, enterprises are left with no choice but to fend for themselves. In fact, most ISPs are still delivering Heartbleed-related requests and NTP amplification attacks to corporate networks, undermining their customers' ongoing efforts to remediate and defend against these very same threats.

The recent Heartbleed (OpenSSL) cyber threat and Network Time Protocol (NTP) DDoS attacks are just two examples where pervasive Internet technologies were hijacked for nefarious goals. "These attacks are most certainly just the tip of the iceberg when it comes to the ever-present threat of damaging Internet exploits. Ubiquitous-access and Net-neutrality do not constitute a justification for not discriminating between good and bad traffic," said Ashley Stephenson, CEO, Corero Network Security.

Since the discovery of the Heartbleed vulnerability, many corporations have been on high alert, frantically testing and patching every potentially vulnerable OpenSSL system within their diverse online enterprises. In the process, they have spent millions of dollars on remediation and still do not know the true cost of responding to this exploit or if their systems are now secured. Meanwhile ISPs could have inoculated their customers against Heartbleed by inspecting for and blocking Heartbleed request and response traffic in the very Internet feeds they are paid to deliver.

"It is time for a cyber revolution. Instead of taking an 'every man for himself' approach to battling cyber attacks, Internet Service Providers need to step forward and deliver protected Internet services that remove the known malicious traffic before it impacts their enterprise customers," said Stephenson. "Many organizations understand the value that their ISPs could provide -- beyond simply delivering bandwidth -- and are willing to pay a fair price for the benefit of having known bad traffic removed from their business critical Internet feeds."

Corero recognizes the need to provide businesses with secured Internet services. The company recently introduced its SmartWall Threat Defense System (TDS) that enables service providers of all types to deliver always on threat protection and visibility as a security service to their customers. This is a critical next step for service providers to regain control of their networks from the cyber criminals who seek to exploit them. Enterprise customers will benefit from having malicious traffic intercepted before it hits their important online infrastructure, leaving them free to focus on delivering innovative and profitable new services to their customers.

Corero also confirmed that its First Line of Defense solutions are not impacted by the Heartbleed vulnerability. A protection pack PP-2014-04-09-03 addressing Heartbleed was first released on April 9, 2014. The company has also provided additional protection and detection capabilities for suspicious Heartbleed request and response traffic in software release versions V6.80.049 and V6.61.031. The specific rules allocated to Heartbleed detection are tln-106850 and tln-106852 for Corero DDS and IPS.

About Corero Network Security

Corero Network Security, an organization's First Line of Defense(R) against DDoS attacks and cyber threats, is a pioneer in global network security. Corero products and services provide Online Enterprises, Service Providers, Hosting Providers and Managed Security Service Providers with an additional layer of security capable of inspecting Internet traffic and enforcing real-time access and monitoring policies designed to match the needs of the protected business. Corero technology enhances any defense-in-depth security architecture with a scalable, flexible and responsive defense against DDoS attacks and cyber threats before they reach the targeted IT infrastructure allowing online services to perform as intended.

Easy Way to Identify 'Hacked E-Mail Accounts' Due to Heartbleed Bug With Just One 'Click'

When the Heartbleed bug was uncovered, affecting millions of users across the world, Internet users were reminded of how vulnerable and unsecured the Internet ecosystem really is. Heartbleed's OpenSSL security flaw affected a whopping 66% of the entire Internet at the time of its discovery. In addition, the bug also compromised usernames and passwords on innumerable popular websites and services. The recent news is that the Heartbleed bug also affected Android apps in the Google Play Store.
Big corporates were the first to address the vulnerability by applying the required security patches and asking their users to change the passwords for their sites. It is worth noting that the Heartbleed bug was found two years after it first appeared. In reality, attackers might have exploited this flaw long ago, and there is a good possibility that login details for various sites and services were compromised earlier on.
How to Find-Out if an Account Was Hacked?
According to reports, not all websites and services have applied the security patch. This means we are still vulnerable to such attacks online. To check whether any of your online accounts have been hacked because of the Heartbleed bug, there are free websites that will do the job in a matter of clicks. The process is quite simple and easy to test.
Adam Tanner from Forbes has come up with a list of three effective websites that will let the users know if their accounts have been hacked.
1. The Web site haveibeenpwned.com allows users to enter their email address to see if hackers have compromised the address or the associated accounts.
2. One other Web site PwnedList.com can be used to check if the email and the associated accounts have been hacked. In addition to telling if the account is hacked, this Web site also provides the date of the attack.
3. Another Web site Shouldichangemypassword.com works in the similar way like the websites listed above.
It is worth noting that all the websites mentioned above are free, and they also have an option that lets the Web site notify users directly if the same email address is compromised again in future.
According to Steve Thomas, a co-founder of PwnedList, "The site learns of about a dozen different data leaks each day, where 100,000 to 500,000 accounts/services are compromised."
If an Account was Hacked, What is the Next Step?
As a rule of thumb, change the account password immediately. It is worth noting that having a password management tool always helps in such situations.
Interested users can try 1Password password management tool. This password manager keeps track of users' passwords for various accounts & services; it also features auto-fill, password generator, credit card support, and secure notes, among others.
LastPass for Android is another password management tool which is very sophisticated and useful.

Heartbleed's silver lining

When’s the last time you thought about using different passwords for different websites? Perhaps after a bug called Heartbleed started crawling around them.
Earlier this month, reports about a major vulnerability in the Internet known as Heartbleed spread like wildfire. It was complicated for people to understand: a change made more than two years earlier in OpenSSL, an open-source cryptographic library, that let attackers read server memory, including data that encryption was supposed to protect. But that didn’t stop people from taking action in response, or at least giving more thought to online security.
Internet users who previously may not have given much consideration to their online passwords are now changing them, and even enabling two-factor authentication, since Heartbleed was exposed.
Heartbleed was a bug in OpenSSL, committed to the source at the end of 2011 and shipped in version 1.0.1 in March 2012, that under some circumstances allowed Internet attackers to read data from a server’s memory, up to 64 KB per request. That data could include passwords or private keys, which could then be used to break into users’ accounts or even to let malicious sites impersonate real ones and collect usernames and passwords. Two-factor authentication, which requires users to present two separate pieces of information for access, limits what an attacker can do with a stolen password alone.
The Heartbleed scare seems to have made Facebook users, at least, smarter about security. Following the Heartbleed disclosures, Facebook saw a spike in password resets and enrollment in Login Approvals, Facebook’s version of two-factor authentication, a spokesman told the IDG News Service.
It appears that many people are taking the disclosure seriously and taking steps to protect themselves, he said.
A range of other Internet companies large and small declined to say whether they had seen more password changes or use of two-factor authentication. A lot of the companies, including Google and Yahoo, say they have since patched their services, though it’s not always clear how vulnerable each company’s services were in the first place.
That uncertainty may have increased the use of password management software. One password management app, 1Password, skyrocketed in popularity from the low 200s to the top 10 in Apple’s App Store in the U.S. shortly after the Heartbleed disclosures, according to its developer, AgileBits.
But people’s heightened awareness around security may only last for so long. The 1Password app is now ranked 67th in Apple’s store.
“Heartbleed has gotten into the forefront of people’s minds,” said Mike Lloyd, chief technology officer at RedSeal Networks, a security analytics service provider, “at least for a while.”
Security experts and services firms wouldn’t estimate how many users changed their passwords or started using two-factor authentication on the major online services. But they said they have noticed a new enlightenment in people—even non-techies—around security.
“Heartbleed was not just a narrow issue. It’s been talked about by the masses,” said Zulfikar Ramzan, chief technology officer at Elastica, a cloud security company. “My doctor brought it up with me,” he said.
Other experts agreed. More people who may not be very tech-savvy are changing their passwords and thinking about being smarter with security online, they said. “This has been a wake-up call for the general public,” RedSeal’s Lloyd said. For one thing, Heartbleed has made more people think about the strength of their passwords, he said.
People may also be taking a more holistic view of their online accounts. Internet users are more aware now that it’s not smart to use the same password for a social media account on Facebook and a bank account at Wells Fargo, said RedSeal’s Lloyd.
Using different passwords for different sites and making those passwords stronger isn’t revolutionary, but it’s progress.

19-Year-Old Student Arrested for Exploiting Heartbleed Bug to Steal Data

The Heartbleed vulnerability, which has dominated headlines for the last two weeks, has made news once again. Stephen Arthuro Solis-Reyes, a 19-year-old computer science student at Western University, has been arrested by the Royal Canadian Mounted Police (RCMP). He has been charged with unauthorized use of a computer and mischief in relation to data, in connection with the breach of taxpayers’ private information from the Canada Revenue Agency (CRA) website.

Assistant Commissioner Gilles Michaud said in a statement-

    “The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible,”

After the public disclosure of Heartbleed, Solis-Reyes allegedly exploited the vulnerability on the Canada Revenue Agency (CRA) website and extracted private and sensitive information, including social insurance numbers, from the agency’s systems before they were patched.

“Investigators from National Division, along with our counterparts in ‘Ontario’ Division have been working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorizations and liaising with our partners,” Assistant Commissioner  added.

Heartbleed is one of the most critical vulnerabilities in recent history. It lies in OpenSSL's implementation of the TLS/DTLS heartbeat extension and allows attackers to read memory from an affected server, including credentials and private keys.

Exploiting the Heartbleed bug itself rarely leaves any traces, unless the attacker sends millions of heartbeat requests continuously from his own IP addresses. Ordinary web-server logs record HTTP requests, not TLS records, so a single heartbeat probe shows up in none of them; catching one required network-level inspection of heartbeat messages whose declared payload length exceeds the record. "The fact that they were able to trace it back to someone implies that it is not the work of organized crime or a professional hacker. It would be someone of very low skill." said Mark Nunnikhoven, Trend Micro.

Solis-Reyes was arrested at his residence without incident on April 15 and is scheduled to appear in court in Ottawa on July 17, 2014, the RCMP reported. Police also seized computer equipment from his residence, and the investigation is ongoing.

‘Heartbleed’ Bug Exposes Passwords, Web Site Encryption Keys

Researchers have uncovered an extremely critical vulnerability in recent versions of OpenSSL, a technology that allows millions of Web sites to encrypt communications with visitors. Complicating matters further is the release of a simple exploit that can be used to steal usernames and passwords from vulnerable sites, as well as private keys that sites use to encrypt and decrypt sensitive data.

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.”

An advisory from Carnegie Mellon University’s CERT notes that the vulnerability is present in sites powered by OpenSSL versions 1.0.1 through 1.0.1f. According to Netcraft, a company that monitors the technology used by various Web sites, more than a half million sites are currently vulnerable. As of this morning, that included Yahoo.com, and — ironically — the Web site of openssl.org. This list at Github appears to be a relatively recent test for the presence of this vulnerability in the top 1,000 sites as indexed by Web-ranking firm Alexa.

An easy-to-use exploit that is being widely traded online allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL “libssl” library in chunks of up to 64 KB at a time. As CERT notes, an attacker can repeatedly leverage the vulnerability to retrieve as many 64 KB chunks of memory as are necessary to obtain the intended secrets.
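The over-read described here, and earlier in the “silver lining” article, comes down to one missing length check in the heartbeat handler. The following is an added example, not OpenSSL’s own code: a simplified C model of that handler with the vulnerable and the fixed version side by side. The message layout (1-byte type, 2-byte big-endian payload length, payload, 16 bytes of padding) follows the heartbeat extension; the arena, the handler names, the probe helper and the “secret” string are constructed for the demonstration. Real OpenSSL’s memcpy read past the record into whatever heap memory happened to follow; here the record sits at the front of one large buffer with the secret placed right behind it, so the over-read stays inside allocated memory and is safe to run.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not OpenSSL code: a toy model of the TLS heartbeat handler.
 * A heartbeat message is: 1 byte type, 2 byte payload length (big endian),
 * the payload, then at least 16 bytes of padding.  The vulnerable handler
 * trusted the declared length; the fix compares it with the record length.
 */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define ARENA_SIZE   (65536 + 64)   /* big enough to hold a 0xFFFF over-read */

/* Constructed "process memory" (demo only): the received record at the
 * front, secret data right behind it, as on a real heap. */
static unsigned char arena[ARENA_SIZE];
static const char *secret = "session=abc123;PRIVATE_KEY_BYTES";

typedef size_t (*hb_handler)(const unsigned char *rec, size_t record_len,
                             unsigned char *out, size_t out_cap);

/* Place a heartbeat request with a claimed length and an actual payload in
 * the arena, followed by the secret.  Returns the true record length. */
static size_t build_record(uint16_t claimed_len, const char *payload)
{
    size_t actual = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, actual);
    size_t record_len = 3 + actual + HB_PADDING;      /* padding stays zero */
    memcpy(arena + record_len, secret, strlen(secret));
    return record_len;
}

/* Vulnerable: mirrors the pre-1.0.1g logic; record_len is never consulted. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t record_len,
                            unsigned char *out, size_t out_cap)
{
    (void)record_len;                     /* the bug: declared length is trusted */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = 3 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return 0;     /* demo arena bound, not in OpenSSL */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);    /* reads far past the real record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Fixed: the two length checks added in OpenSSL 1.0.1g, then the same copy. */
size_t heartbeat_fixed(const unsigned char *rec, size_t record_len,
                       unsigned char *out, size_t out_cap)
{
    if (record_len < 1 + 2 + HB_PADDING) return 0;          /* too short */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > record_len)  /* the fix */
        return 0;
    size_t resp_len = 3 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Naive substring search over a byte buffer (memmem is not standard C). */
static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Send one probe through a handler.  Returns -1 if the request was
 * rejected, 0 if answered without leaking, 1 if the secret came back. */
int probe(hb_handler handler, uint16_t claimed_len, const char *payload)
{
    static unsigned char out[ARENA_SIZE];
    size_t record_len = build_record(claimed_len, payload);
    size_t n = handler(arena, record_len, out, sizeof out);
    if (n == 0) return -1;
    return contains(out, n, secret);
}

int main(void)
{
    printf("benign request, vulnerable handler: %d\n", probe(heartbeat_vulnerable, 2, "hi"));
    printf("0xFFFF request, vulnerable handler: %d\n", probe(heartbeat_vulnerable, 0xFFFF, "hi"));
    printf("0xFFFF request, fixed handler:      %d\n", probe(heartbeat_fixed, 0xFFFF, "hi"));
    return 0;
}
```

The probe with a claimed length of 0xFFFF and a two-byte payload is the whole attack: the vulnerable handler answers with 65,535 bytes of whatever followed the record, while the fixed handler drops the request as soon as the declared length exceeds the record. The same comparison, applied to heartbeat records on the wire, is what network-level detection of Heartbleed probes checks for.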

Jamie Blasco, director of AlienVault Labs, said this bug has “epic repercussions” because it does not merely expose passwords and cryptographic keys: to ensure that attackers cannot use any data that was compromised through this flaw, affected providers must, after patching the vulnerable OpenSSL service, replace the private keys and certificates of every service that uses the OpenSSL library [full disclosure: AlienVault is an advertiser on this blog].

It is likely that a great many Internet users will be asked to change their passwords this week (I hope). Meantime, companies and organizations running vulnerable versions should upgrade to the latest iteration of OpenSSL - OpenSSL 1.0.1g — as quickly as possible.

Update, 2:26 p.m.: It appears that this Github page allows visitors to test whether a site is vulnerable to this bug (hat tip to Sandro Süffert).

Read more: http://krebsonsecurity.com/2014/04/heartbleed-bug-exposes-passwords-web-site-encryption-keys/