Heartbleed Bug: 'Don't Panic' Warn Security Researchers - But Others Say Change ALL Your Passwords

Security experts have urged internet users not to panic and instantly change their passwords in the wake of the Heartbleed security flaw, despite suggestions to do so from prominent sites like Tumblr.

The catastrophic flaw in OpenSSL, the tech used to protect everything from email to online banking, has theoretically made it possible for hackers to unlock years of complex, previously encrypted data.

The fear is that everything from passwords to credit card details could be discovered as a result of the flaw.

But Hugh Boyes, cyber security lead at the UK-based Institution of Engineering and Technology, said: "Change your passwords - but only after the affected website operators and internet service providers have implemented the patch to fix the bug.

"Changing your password before the bug is fixed could compromise your new password."

The popular blogging website Tumblr, which is owned by Yahoo!, had previously urged its users to change all their passwords, especially those protecting sensitive data like email and bank accounts, immediately.

Independent security expert Bruce Schneier has also called for calm, but emphasised the seriousness of the web security breach.

"The bug has been patched. After you patch your systems, you have to get a new public or private key pair, update your SSL certificate and then change every password that could potentially be affected. 'Catastrophic' is the right word. On the scale of 1 to 10, this is an 11. Half a million sites are vulnerable, including my own."

Users can test their own vulnerability to the Heartbleed bug by visiting a site created by developer Filippo Valsorda, where they can enter web addresses and find out if the bug has been fixed. Once it is confirmed the site has been patched, it's safe to change your password.

"Regularly change your passwords. Depending on how sensitive the application/website is, passwords typically ought to be changed monthly or quarterly. Don't reuse the same passwords on different websites. Try to use a separate password for each website," said Boyes.

The Heartbleed bug was discovered on Monday by a team of security experts, including one from Google, having gone undetected for more than two years.

The bug bypasses the encryption that normally protects data as it is sent between computers and servers, leaving personal and sensitive data vulnerable. That encryption is commonly recognised as the closed padlock that appears in the corner of the web browser to show your connection is secure.