Heartbleed bug: What you need to know


What is the Heartbleed bug?

Heartbleed is a security bug in the open-source OpenSSL cryptography library, widely used to implement the Internet’s Transport Layer Security (TLS) protocol. A fixed version of OpenSSL was released on April 7, 2014, at the same time as Heartbleed was publicly disclosed. At that time, some 17 percent (around half a million) of the Internet’s secure web servers certified by trusted authorities were believed to be vulnerable to the attack, allowing theft of the servers’ private keys and users’ session cookies and passwords.


The issue is registered in the Common Vulnerabilities and Exposures system as CVE-2014-0160.

The damage caused by the “Heartbleed” bug is currently unknown. The security hole exists on a vast number of the internet’s web servers and went undetected for more than two years. While it’s conceivable that the flaw was never discovered by hackers, it’s nearly impossible to tell.

There isn’t much that people can do to protect themselves until the affected websites implement a fix.

Why is it a big deal?

Heartbleed affects the encryption technology designed to protect online accounts for email, instant messaging and e-commerce. It was discovered by a team of researchers from the Finnish security firm Codenomicon, along with a Google researcher who was working separately.

It’s unclear whether any information has been stolen as a result of Heartbleed, but security experts are particularly worried about the bug because it went undetected for more than two years.

How does it work?

Heartbleed creates an opening in SSL/TLS, an encryption technology marked by the small, closed padlock and “https:” on Web browsers to show that traffic is secure. The flaw makes it possible to snoop on Internet traffic even if the padlock is closed. Interlopers can also grab the keys for deciphering encrypted data without the website owners knowing the theft occurred.

The problem affects only the variant of SSL/TLS known as OpenSSL, but that happens to be one of the most common on the Internet.
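The article does not spell out the mechanism, but the defect behind CVE-2014-0160 is a missing bounds check in OpenSSL's handling of the TLS heartbeat extension (RFC 6520): a peer could declare a payload length larger than the heartbeat message it actually sent, and the unpatched code copied that many bytes out of process memory into its reply. The Python below is an added example, not OpenSSL's code and not part of the article, showing the check that the fixed release introduced, applied to constructed records. The `build_heartbeat_record` helper, the constant zero padding and the fixed TLS version bytes are assumptions made so the example runs offline; a real implementation uses random padding.

```python
import struct

HEARTBEAT_RECORD_TYPE = 0x18   # TLS record content type for heartbeat messages (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16               # RFC 6520 requires at least 16 bytes of padding after the payload
TLS_1_2 = b"\x03\x03"          # record-layer version bytes for TLS 1.2 (assumed for the samples)


def build_heartbeat_record(payload: bytes, claimed_len=None, version: bytes = TLS_1_2) -> bytes:
    """Build a heartbeat request record as constructed test input.

    claimed_len lets a test declare a payload length in the message header that does
    not match the bytes actually carried, which is exactly the case the check must catch.
    Padding is zero here only to keep the example deterministic.
    """
    if claimed_len is None:
        claimed_len = len(payload)
    body = bytes([HB_REQUEST]) + struct.pack("!H", claimed_len) + payload + b"\x00" * MIN_PADDING
    return bytes([HEARTBEAT_RECORD_TYPE]) + version + struct.pack("!H", len(body)) + body


def check_heartbeat_record(record: bytes) -> dict:
    """Validate one TLS record the way a patched server does before answering a heartbeat.

    Returns {"accept": bool, "reason": str, "payload": bytes or None}. A rejected
    record is reported rather than raised, matching the silent-discard behaviour
    of the fix.
    """
    if len(record) < 5:
        return {"accept": False, "reason": "truncated record header", "payload": None}
    ctype, _vmaj, _vmin, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != HEARTBEAT_RECORD_TYPE:
        return {"accept": False, "reason": "not a heartbeat record", "payload": None}
    body = record[5:]
    if len(body) != rec_len:
        return {"accept": False, "reason": "record body length does not match header", "payload": None}
    if rec_len < 1 + 2 + MIN_PADDING:
        return {"accept": False, "reason": "record too short for a heartbeat message", "payload": None}
    hb_type = body[0]
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return {"accept": False, "reason": "unknown heartbeat message type", "payload": None}
    claimed = struct.unpack("!H", body[1:3])[0]
    # The bounds check the fix added: type byte + length field + claimed payload + minimum
    # padding must fit inside the record that actually arrived. Without it, the claimed
    # length alone decided how many bytes were copied into the response.
    if 1 + 2 + claimed + MIN_PADDING > rec_len:
        return {"accept": False, "reason": "claimed payload length exceeds record length", "payload": None}
    return {"accept": True, "reason": "ok", "payload": body[3:3 + claimed]}


def triage_records(records) -> list:
    """Defender-side helper: index and reason for every record the check would discard.

    The same comparison, run over captured traffic, is what a detection rule for this
    bug keys on: a heartbeat whose declared payload does not fit in its record.
    """
    findings = []
    for i, rec in enumerate(records):
        result = check_heartbeat_record(rec)
        if not result["accept"]:
            findings.append((i, result["reason"]))
    return findings


if __name__ == "__main__":
    samples = [
        build_heartbeat_record(b"hello"),                       # well-formed: accepted, echoed
        build_heartbeat_record(b"hello", claimed_len=0x4000),   # constructed oversize claim: discarded
        b"\x17\x03\x03\x00\x00",                                # an application-data record, ignored here
    ]
    for idx, reason in triage_records(samples):
        print(f"record {idx}: rejected ({reason})")
```

Only the accepted path ever touches the payload bytes, and it slices them out of the record that was actually received, so the reply can never be longer than what the peer sent plus padding.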

Which sites are affected?

Around half a million sites are believed to be vulnerable, far too many to list, but a glut of new sites now offers users the chance to check whether the online haunts they use regularly are affected.

The LastPass website has compiled a list, as has the news website Mashable. Meanwhile, security firm Kaspersky directs people to the Heartbleed test.

While Facebook and Google say that they have patched their services, according to the Kaspersky blog there is a long list of sites that are still vulnerable, including Flickr, OkCupid and GitHub.

One of the biggest tech firms remaining on the vulnerable list was Yahoo but, as of last night, it too seemed to have remedied the problem, saying it “had made the appropriate corrections across our entire platform”.

Many more sites will spend the coming days scrambling to do the same.

Bruce Schneier called on internet companies to issue new certificates and keys for encrypting internet traffic. Doing so would render stolen keys useless, he said.

Worst case scenario

The bad news, according to a blog post from security firm Kaspersky, is that “exploiting Heartbleed leaves no traces so there is no definitive way to tell if the server was hacked and what kind of data was stolen”.

Security experts say that they are starting to see evidence that hacker groups are conducting automated scans of the internet in search of web servers using OpenSSL.

And Kaspersky said that it had uncovered evidence that groups believed to be involved in state-sponsored cyber-espionage were running such scans shortly after news of the bug broke.

Every Facebook Account Has 3 Passwords


Most of us know only the password we use to log in to our Facebook account, but every Facebook account in fact has three passwords, including the original one, because Facebook passwords are not completely case sensitive. Besides the password we log in with, there are two other passwords that hardly anyone knows about, so in practice we have three passwords for our Facebook account. Apart from the main password, the other two passwords that exist but are hardly known are:

  1. Your actual Facebook password with opposite cases.
  2. Your actual Facebook password with first letter capitalized, this is only available for mobile devices, though.

For instance, if your Facebook password is ‘aBccD’, then even if you reverse the case and type your password as ‘AbCCd’, you will be able to log in to your account. This reverse-case form therefore serves as an alternative password. It also means that if all the letters of your password are lower case, you can still log in to your Facebook account with Caps Lock on, typing the entire password in capital letters.

Similarly, if you use your Facebook account from a mobile device, then whatever your password may be, if you capitalize its first letter by mistake you will still be able to log in (even though the entire password is in lower case).

This is not a bug in Facebook; it was intentionally designed this way. It does not affect the security of your account, since the password remains the same; what has changed is just the capitalization, so it will take the same number of brute-force guesses to crack it.
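The case-tolerant login described above can be modelled as a server that stores one password hash and, on login, tests the typed string plus the inverse of each tolerated transformation against it. The Python below is an added example, not Facebook's code and not part of the article; the salted PBKDF2 store, the iteration count and the `mobile` flag are assumptions made so the example runs offline. Note that the first-letter variant is undone on the server by lower-casing the first character of what was typed, and that `str.capitalize()` is deliberately avoided because it would also lower-case the rest of the string, which is not the behaviour the article describes.

```python
import hashlib
import hmac

# Constructed parameters for the toy credential store; not Facebook's scheme.
PBKDF2_ITERATIONS = 10_000


def first_letter_capitalized(pw: str) -> str:
    """Capitalize only the first character, leaving the rest untouched."""
    return pw[:1].upper() + pw[1:]


def first_letter_lowered(pw: str) -> str:
    """Inverse of first_letter_capitalized, used when checking a typed password."""
    return pw[:1].lower() + pw[1:]


def equivalent_passwords(pw: str, mobile: bool) -> set:
    """The strings that would log in for a given real password, as the article describes:
    the password itself, its case-swapped form, and (mobile only) its first-letter-capitalized
    form. A set, because for some passwords these coincide (e.g. one already starting with a capital)."""
    variants = {pw, pw.swapcase()}
    if mobile:
        variants.add(first_letter_capitalized(pw))
    return variants


def candidate_originals(attempt: str, mobile: bool) -> set:
    """Server side: the real passwords a typed string could correspond to. Swapping case is
    its own inverse; capitalizing the first letter is undone by lower-casing it."""
    candidates = {attempt, attempt.swapcase()}
    if mobile:
        candidates.add(first_letter_lowered(attempt))
    return candidates


def hash_password(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 for the toy store (constructed for this example)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def verify_login(stored_hash: bytes, salt: bytes, attempt: str, mobile: bool) -> bool:
    """Accept the login if any candidate original hashes to the stored value.
    Only one hash is stored; tolerance is applied to the attempt, not to the store."""
    return any(
        hmac.compare_digest(stored_hash, hash_password(candidate, salt))
        for candidate in candidate_originals(attempt, mobile)
    )


def all_variants_log_in(real_pw: str, mobile: bool) -> bool:
    """Consistency check: every string equivalent_passwords() lists must actually pass verify_login()."""
    salt = b"constructed-salt"
    stored = hash_password(real_pw, salt)
    return all(verify_login(stored, salt, v, mobile) for v in equivalent_passwords(real_pw, mobile))


if __name__ == "__main__":
    for pw in ("aBccD", "abc", "Abc"):
        print(pw, "->", sorted(equivalent_passwords(pw, mobile=True)), all_variants_log_in(pw, True))
```

Running it with the article's example ‘aBccD’ yields the three strings ‘aBccD’, ‘AbCCd’ and ‘ABccD’ on mobile, and only the first two elsewhere; a password that already starts with a capital letter has just two distinct forms.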

So we now know that there is not just a single password with which you can log in to your Facebook account; there are two other alternative passwords as well. Like and share this article so that everyone knows about it.