Heartbleed 101

JEK

Senior Insider
Put this in the main forum as everyone needs to understand what Heartbleed is and how to protect your data.

How to protect yourself in Heartbleed's aftershocks

Summary: The companies know what to do about Heartbleed now. Here's what you, as an individual, need to do now.

By Steven J. Vaughan-Nichols for Networking | April 10, 2014 -- 23:23 GMT (16:23 PDT)


Businesses should not only know about Heartbleed, they should have already implemented Heartbleed fixes by now. If your bank, favorite online merchant, or software provider hasn't yet, close your accounts and find new ones. That's my first bit of advice on how users should handle Heartbleed.
Heartbleed really is that bad. Your user-ids, your passwords, your credit-card numbers, everything you place online is potentially in play for hackers. You cannot fool around with this.
So, as I said earlier, get ready to change all your passwords. Yes, every last damn one of them. Were your favorite sites vulnerable? You can check specific sites with the Heartbleed test, LastPass Heartbleed checker, or the Qualys SSL Labs test. The first two just check on Heartbleed while the last checks for other possible Secure-Socket Layer/Transport Layer Security (SSL/TLS) problems and awards sites a grade from A (the best) to F (failure).
ZDNet's sister site, CNet, also has a constantly updating list, Heartbleed bug: Check which sites have been patched, for the 100 most popular Web sites. I'm annoyed to say that some popular sites, as of early Thursday evening, April 10th, may still not be safe. These include sites you might expect to be behind the times — like some porn websites — but also such major household-name sites as CNN, the Huffington Post, and Weather.com.
Once you know your site has the bug fixed, then you should change your password, right? Wrong.

Ask the company if they really have patched their software AND installed new SSL certificates from their Certificate Authority (CA). Only once they've done both those things should you change your password. And let me remind you again, for pity's sake change it to a good password. This xkcd cartoon I cite in an earlier story on passwords actually gives great advice.
Next, if your favorite sites or services, such as Google, GitHub, or Microsoft, support two-factor authentication, use it. Yes, two-factor is usually a lot more trouble to set up than a simple password. So what? In an increasingly insecure world, you'll need it.
Done yet? Nope.
You should also clear out all your Web browsers' cache, cookies, and history. That's never a bad idea anyway. You don't want old memorized passwords walking into trouble at an untrustworthy site. To do this with the most popular browsers, follow these steps:
Chrome:

  • In the browser bar, enter: chrome://settings/clearBrowserData
  • Select the items you want to clear. For example, Clear browsing history, Clear download history, Empty the cache, Delete cookies and other site and plug-in data.
Firefox:

  • From the Tools or History menu, select Clear Recent History.
  • From the Time range to clear: On the drop-down menu, select the desired range; to clear your entire cache, select Everything.
  • Click the down arrow next to "Details" to choose which elements of the history to clear. Click Clear Now.
Internet Explorer 9 and higher:

  • Go to Tools (via the Gear Icon) > Safety > Delete browsing history....
  • Once there, choose to delete Preserve Favorites website data, temporary Internet files, and cookies.
I know this is a lot of trouble. Take the time to do it.
You're going to see all kinds of e-mails soon about magic solutions to all your Heartbleed problems. Yeah, right. They'll all be spam either bearing malware or pointing you to sites that contain malware. There's no quick fix for Heartbleed.
Finally, start checking your bank and credit-card statements very, very carefully. If you've been compromised, chances are all too good that you'll find out by finding bogus charges on your credit cards.
Good luck. We're all going to need it.


 
Site | Qualys | Confirmation from site
Google | Pass | Vulnerability patched. Password change recommended
Facebook | Pass | Vulnerability patched. Password change recommended
YouTube | Pass | Vulnerability patched. Password change recommended
Yahoo! | Pass | Vulnerability patched. Password change recommended
Amazon | Pass | Was not vulnerable
Wikipedia | Pass | Vulnerability patched. Password change recommended
LinkedIn | Pass | Was not vulnerable
eBay | Pass | Was not vulnerable
Twitter | Pass | Was not vulnerable
Craigslist | Pass | Awaiting response
Bing | Pass | Vulnerability patched. Password change recommended
Pinterest | Pass | Vulnerability patched. Password change recommended
Blogspot | Pass | Vulnerability patched. Password change recommended
CNN | Be on alert | Awaiting response
Live | Pass | Was not vulnerable
PayPal | Pass | Was not vulnerable
Instagram | Pass | Vulnerability patched. Password change recommended
Tumblr | Pass | Vulnerability patched. Password change recommended
Espn.go.com | Pass | Vulnerability patched. Password change recommended
Wordpress | Pass | Awaiting response
Imgur | Pass | Awaiting response
Huffington Post | Be on alert | Awaiting response
Reddit | Pass | Vulnerability patched. Password change recommended
MSN | Pass | Was not vulnerable
Netflix | Pass | Vulnerability patched. Password change recommended
Weather.com | Be on alert | Awaiting response
IMDb | Not available | Was not vulnerable
Yelp | Pass | Vulnerability patched. Password change recommended
Apple | Pass | Was not vulnerable
AOL | Pass | Awaiting response
Microsoft | Pass | Was not vulnerable
NYTimes | Pass | Awaiting response
Bank of America | Pass | Was not vulnerable
Ask | Not available | Was not vulnerable
Fox News | Pass | Was not vulnerable
Chase | Pass | Was not vulnerable
GoDaddy | Pass | Vulnerability patched. Password change recommended
About | Not available | Was not vulnerable
BuzzFeed | Pass | Awaiting response
Zillow | Pass | Was not vulnerable
Wells Fargo | Pass | Was not vulnerable
Etsy | Pass | Vulnerability patched. Password change recommended
XVideos | Be on alert | Awaiting response
Walmart | Pass | Was not vulnerable
CNET | Pass | Was not vulnerable
Pandora | Pass | Was not vulnerable
xHamster | Pass | Awaiting response
PornHub | Pass | Awaiting response
Comcast | Pass | Awaiting response
Stack Overflow | Pass | Vulnerability patched. Password change recommended
Salesforce | Pass | Was not vulnerable
Daily Mail | Be on alert | Awaiting response
Vimeo | Pass | Vulnerability patched. Password change recommended
Conduit | Pass | Awaiting response
Flickr | Pass | Vulnerability patched. Password change recommended
Zedo | Not available | Was not vulnerable
Forbes | Be on alert | Awaiting response
LiveJasmin | Be on alert | Awaiting response
USPS | Pass | Vulnerability patched. Password change recommended
Indeed | Pass | Awaiting response
Hulu | Pass | Was not vulnerable
Answers | Pass | Was not vulnerable
HootSuite | Pass | Was not vulnerable
Amazon Web Services | Pass | Awaiting response
Adobe | Pass | Awaiting response
Blogger | Pass | Vulnerability patched. Password change recommended
Dropbox | Pass | Vulnerability patched. Password change recommended
Reference.com | Not available | Was not vulnerable
AWeber | Pass | Was not vulnerable
UPS | Pass | Was not vulnerable
Intuit | Pass | Awaiting response
NBC News | Pass | Awaiting response
USA Today | Pass | Awaiting response
Outbrain | Pass | Vulnerability patched. Password change recommended
The Pirate Bay | Pass | Awaiting response
The Wall Street Journal | Pass | Awaiting response
Bleacher Report | Pass | Awaiting response
Constant Contact | Pass | Was not vulnerable
Wikia | Pass | Vulnerability patched. Password change recommended
CBSSports | Pass | Was not vulnerable
Publishers Clearing House | Pass | Awaiting response
Washington Post | Not available | Vulnerability patched. Password change recommended
Target | Pass | Was not vulnerable
Drudge Report | Be on alert | Awaiting response
TripAdvisor | Pass | Was not vulnerable
FedEx | Pass | Was not vulnerable
Capital One | Pass | Was not vulnerable
wikiHow | Not available | Was not vulnerable
Googleusercontent.com | Pass | Vulnerability patched. Password change recommended
Groupon | Pass | Was not vulnerable
Best Buy | Pass | Awaiting response
AT&T | Pass | Awaiting response
Home Depot | Pass | Awaiting response
Trulia | Not available | Was not vulnerable
TMZ | Pass | Awaiting response
Feedbin | Pass | Vulnerability patched. Password change recommended
Pinboard | Pass | Vulnerability patched. Password change recommended
GetPocket | Pass | Vulnerability patched. Password change recommended
IFTTT | Pass | Vulnerability patched. Password change recommended
ManageWP | Pass | Was not vulnerable
PayScale | Pass | Was not vulnerable

This list is going to be live and constantly updated; please return to view the latest information as we get it.
CNET's Seth Rosenblatt contributed to this report
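
Added example (not part of the post above or of the article it quotes): the "patched AND new certificate" rule from the article, written as a check on a certificate's issue date. The function names, the sample certificates and the default cutoff of April 7, 2014 (the public disclosure date, which the article does not state) are assumptions made for this sketch.

```python
import calendar
import socket
import ssl

# Assumption: Heartbleed's public disclosure date, used as the default cutoff.
DISCLOSURE = calendar.timegm((2014, 4, 7, 0, 0, 0))

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch a site's validated leaf certificate as a getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def issued_after(cert, cutoff=DISCLOSURE):
    """True if the certificate's notBefore is at or after cutoff (epoch seconds)."""
    return ssl.cert_time_to_seconds(cert["notBefore"]) >= cutoff

def password_change_advice(patched, cert, cutoff=DISCLOSURE):
    """Apply the article's rule: change the password only after BOTH steps."""
    if not patched:
        return "wait: site has not confirmed the patch"
    if not issued_after(cert, cutoff):
        return "wait: certificate predates the fix"
    # A fresh notBefore does not prove a new key pair was generated, so the
    # site's own confirmation that it replaced the certificate still matters.
    return "change password now"

# Constructed sample data in the shape getpeercert() returns (not real sites).
OLD_CERT = {"notBefore": "Aug 12 00:00:00 2013 GMT",
            "notAfter": "Aug 12 23:59:59 2015 GMT"}
NEW_CERT = {"notBefore": "Apr  9 00:00:00 2014 GMT",
            "notAfter": "Apr  9 23:59:59 2015 GMT"}

if __name__ == "__main__":
    for label, patched, cert in [("unpatched", False, NEW_CERT),
                                 ("patched, old cert", True, OLD_CERT),
                                 ("patched, new cert", True, NEW_CERT)]:
        print(label, "->", password_change_advice(patched, cert))
```

To check a live site, pass the result of fetch_cert("hostname") in place of the sample dictionaries.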
 
A lot of 'waiting for responses.' When you see more answers, would appreciate your posting those as well. Thanks for putting this on the Forum!