How To: Drop Everything! Here's How to Secure Your Data After Heartbleed: The Worst Web Security Flaw Ever

This time it's serious. Really.

The largest web security vulnerability of all time went public on Monday, April 7th, 2014, resulting in widespread panic throughout the Internet as system administrators scrambled to secure their websites from the OpenSSL bug known as Heartbleed.

This bug is so bad that it not only breaks encryption, but causes affected servers to spit out all kinds of personal information, from user passwords to credit card numbers and e-mail addresses, and even the private keys that make HTTPS encryption work in the first place.

Even worse, Heartbleed leaks all of this information without leaving any trace whatsoever. If you used the Internet at all, especially during the past week, chances are this bug has affected you in one way or another.
What Exactly Is OpenSSL Anyway?

OpenSSL is an open-source SSL (Secure Sockets Layer) encryption library used by hundreds of thousands of secure websites. Everything from banks and email to Amazon and Google relies on it to keep your connections encrypted.

You probably know it by the small lock symbol in your address bar, or the "https" (compared to just "http") you see at the beginning of a website's URL. It is used by almost two-thirds of the internet to secure the transmission of personal information from web applications, emails, instant messaging, online shopping, and even some VPNs.

The Heartbleed bug gives cyber criminals, hackers, and, since Monday, curious bystanders a wide-open door to much of the private information we all thought was secured by SSL.
So, How the Heck Does All of This Work?

When your computer is setting up a secure connection with a website, some applications send a signal (or "heartbeat") to the site's server through SSL. The heartbeat works by sending information to the server, which the server then sends right back in order to show that the connection is secure and working properly.

Applications can send a heartbeat using whatever arbitrary message they want, of whatever length they want (up to 64 kilobytes), and then check to make sure the response from the server is equal to what they sent.

For example, if the heartbeat consisted of the word BASED, which is five characters long, the application would tell the server, "Here's a five-character-long heartbeat. Its value is BASED." The server would then receive the heartbeat request and return the word BASED as a five-character-long response.

So What's the Problem?

Due to the flaw in OpenSSL's implementation of this heartbeat, a giant leak was opened up. In short, the server wouldn't verify that the message sent was the length the application said it was, resulting in the server responding to malicious applications with an arbitrary amount of data that was left over in server memory. That memory could (and often does) contain sensitive information.

So, let's say the heartbeat being sent from your computer consists of the word BASED again, but this time the application tells the server that the information being sent is 64,000 characters long. Obviously this is not true, as the word BASED only contains five characters.

Once the server receives this information, instead of checking to make sure the message sent matches the stated length, it simply sends back the word BASED along with a total of 64,000 characters of whatever happens to be in memory after that point, in order to satisfy the request for a 64K heartbeat. As for the supplementary information contained in those 64,000 characters? Well, it can include private information, such as usernames and passwords for email, banking, and social media accounts. Worse yet, it can include the private keys that keep SSL safe in the first place.

All the hacker needs to do is create a script, which could then do all the dirty work and grab information. In fact, many such scripts are now floating around the internet and are so simple to use that your computer-savvy little brother could be using them. Worst of all, you wouldn't even know they did it, as this exploit leaves no traces behind.

XKCD's latest posts sum it up quite well.

[Image: xkcd on Heartbleed, via xkcd.com]
[Image: xkcd Explains Heartbleed, via xkcd.com]
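To make the missing check concrete, here is an added example (not code from the original article or from OpenSSL) that models the heartbeat handling in C: one handler trusts the declared payload length, the other performs the bounds check the fix introduced. The record layout follows RFC 6520; all buffers, including the neighbouring "session" data standing in for server memory, are constructed in the file, and the function names are ours.

```c
#include <stdint.h>
#include <string.h>
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of padding after the payload */
#define MEM_SIZE    96

/* Heartbeat layout: type(1) | payload_length(2, big-endian) | payload | padding */
static uint16_t hb_declared_length(const uint8_t *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Vulnerable handler: trusts payload_length without comparing it to the record it
 * actually received, so memcpy reads past the record into neighbouring memory. */
size_t heartbeat_vulnerable(const uint8_t *rec, uint8_t *out) {
    uint16_t payload = hb_declared_length(rec);
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);   /* the over-read */
    return 3 + payload;                  /* bytes sent back */
}

/* Fixed handler: header + declared payload + minimum padding must fit inside the
 * record that was received; otherwise the request is silently discarded. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    uint16_t payload = hb_declared_length(rec);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    return 3 + payload;
}

/* True if needle occurs anywhere in buf[0..len). */
int contains(const uint8_t *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

typedef struct { size_t vuln_len; int leaked; size_t fixed_len; size_t ok_len; } demo_result;
/* Constructed stand-in for server memory: a 24-byte heartbeat that declares 64 payload
 * bytes but carries only "BASED" (5), followed by another user's session data. */
demo_result run_demo(void) {
    static const uint8_t record[] = { 1, 0x00, 0x40, 'B', 'A', 'S', 'E', 'D',
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };          /* 16 padding bytes */
    static const char neighbour[] = "session=user42;pw=hunter2;";  /* constructed */
    uint8_t mem[MEM_SIZE] = {0}, out[MEM_SIZE]; demo_result r;
    memcpy(mem, record, sizeof record);
    memcpy(mem + sizeof record, neighbour, sizeof neighbour);
    r.vuln_len = heartbeat_vulnerable(mem, out);             /* 3 + 64 = 67 bytes back */
    r.leaked = contains(out, r.vuln_len, "hunter2");         /* neighbour's data included */
    r.fixed_len = heartbeat_fixed(mem, sizeof record, out);  /* 0: oversized, discarded */
    mem[2] = 5;                                              /* honest length for "BASED" */
    r.ok_len = heartbeat_fixed(mem, sizeof record, out);     /* 8: fix still answers it */
    return r;
}
```

The fixed handler rejects the oversized request outright yet still answers the honestly sized one, which is the behaviour the OpenSSL update restored.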
Which Sites Were Affected?

While the majority of websites across the internet that offer encryption and run on Linux were susceptible to this flaw, which has since been remedied with an update to OpenSSL, some were late to the party in fixing the issue.

Out of all the victims, Yahoo got hit harder than most other sites because they were so late to patch the Yahoo Mail servers, exposing many of their users' passwords for more than 24 hours.

While some major sites and services like Google, Akamai, CloudFlare, and Facebook were warned ahead of the public disclosure, most have been scrambling to patch their servers as quickly as they can.

Other popular sites that were affected by the Heartbleed bug included Instagram, Pinterest, Tumblr, Intuit, Dropbox, Minecraft, Imgur, Flickr, RedTube, OkCupid, and XDA, but all have been patched now. However, this does not mean that all sites on the web have been fixed, or that your data wasn't compromised before they were.

This bug was introduced into the OpenSSL source code over 2 years ago. Because exploiting it can be done without leaving a trace, it's safest to assume that all our passwords have been compromised.

The programmer who introduced this bug has denied conspiracies that this flaw was intentional, but even so, it's very possible that the NSA's cryptographers (as well as those of other governments) had silently discovered this bug earlier on and have been using it to intercept sensitive communications.
How to Protect Yourself

If you've used your computer since Monday to log in to banking sites or check your email, there's a very high chance that your passwords have been stolen, even though most banks state they weren't susceptible to this bug. If you've logged into any secured site in the past two years, it's safest to assume the same.

Step 1: Don't Visit Websites That Are STILL Vulnerable

Yes, there are still sites out there that are vulnerable, either because they don't know about the bug yet, or haven't been able to patch it just yet. To check if a website is currently susceptible to the Heartbleed security flaw, head over to the Heartbleed checker and type in the full domain name of the site in question. If you see anything other than the red note stating the site is vulnerable, then it's safe: either the site has already been patched, or it was never susceptible in the first place. And just for the record, WonderHowTo was not affected, so don't worry.

If you do see the red vulnerable message, DO NOT VISIT THAT WEBSITE AND DO NOT TRY TO CHANGE YOUR PASSWORD YET. Doing so would only increase your chances of having your information stolen.
Step 2: Change All of Your Passwords

This is not a drill. Once you've verified that a site is not vulnerable using the link above, visit it and change all of your passwords. This is especially important for Yahoo users, as knowledge of their vulnerability became widespread on Monday and Tuesday. Here are a few tips to use when creating your new passwords:

Use passwords that consist of eight characters or more and contain special characters, like any of the ones that live on the number row of your keyboard.
Do NOT use the same username/email and password combination for multiple sites. If someone hacks into one of your accounts, they'll be able to hack into ALL OF YOUR ACCOUNTS.

Which brings us to our most important step...

Step 3: Use a Password Manager

Face it. You can't remember all of these passwords. Nobody can. It's time to get yourself set up with a secure password manager application that will lock everything down for you. The good news is there are some very trustworthy options available. We like LastPass and Dashlane the best. Both consist of web browser plugins that replace your browser's very insecure password manager, encrypting your passwords with a master password that is never stored anywhere.

That's right... Your master password never leaves your computer. It's used to generate a strong private key that encrypts and decrypts all your data locally, before ever sending anything online. Even if someone were to hack your computer—and the LastPass or Dashlane servers—they still wouldn't be able to get your passwords without your master password (which is never sent over the internet).

We found Dashlane to be the easiest to set up and use, as it grabs all your currently saved passwords automatically, but its pro version (which securely syncs encrypted versions of your passwords across Macs, PCs, Androids, iPhones, and iPads) is a little more expensive than LastPass.

LastPass is powerful, but does occasionally get confused about what your current password is when you go to change your passwords. Again, they offer a free version, but you have to pay for the pro version to sync with your mobile phone. Still, at $12/year, there's really no excuse. Frankly, I'd be far less inclined to trust them if they didn't charge for the service.
How to Use Dashlane

The good news is, it's so easy you won't need a tutorial. Just head over to their website and install the software. It'll walk you through everything, automatically pulling in and encrypting any saved passwords from all your web browsers.

The biggest reason I prefer Dashlane: if you forget your master password—tough luck. That is the only key to your data. There is no way to override it.

That said, the premium version that syncs across your various computers, tablets, and phones is a little more expensive at $30/year, so LastPass's free version is going to be your best bet if you're allergic to spending money.

How to Use LastPass

Downloading LastPass on Windows or Mac is pretty easy. Just head over to the LastPass website and download the version specific to your PC.

Once it's downloaded, you'll be asked to create an account for LastPass. All you need is an email and a good password. Once that's done, make sure to have all of your web browsers closed, because installing LastPass will automatically close and re-open them. Install and proceed when ready.

There will be slightly different ways of setting up the program depending on the browser you use. Below, you can see LastPass being installed on Chrome as an extension, which is simple enough to do. The Chrome extension will then create a LastPass icon at the far right of the address bar. Tap on it and log in with the credentials you entered earlier in the installation stage.

Now feel free to log in to any one of your banking, email, or social media accounts. In the login boxes, you'll see two small asterisks indicating that LastPass is at work, ready to securely encrypt your passwords using your master password. Your web browser will ask if you want LastPass to remember this password and username combination for the future. If you select yes, it will redirect you to the LastPass settings. All of the information will be filled out automatically, so just click "Save" at the bottom when you're ready. You can also change the password for this specific account here.

If you tap on the LastPass icon in the address bar, you can check out the following:

LastPass vault
Sites that you've secured through LastPass
Forms (info, credit cards) that you've filled out and saved
Generate a random password
Encrypted notes

It took me about five minutes to set everything up, and I suggest you do the same.
What if You Lose Your Master Password?

If you forgot your master password for your LastPass account, not to worry. You can simply have an email sent with a temporary password to log in, after which you can enter a new one. This peace of mind may be helpful to some, but the fact that this data is recoverable without a master password leaves me a little uneasy.
Step 4: Clear Your Browser's Stored Passwords

Once you've safely locked down all your passwords in your new password manager, it's very important that you don't forget to clear the passwords your browser has saved. Many people don't realize this, but today's modern web browsers (with the surprising exception of Internet Explorer on Windows 8) still save unencrypted copies of all your "remembered" passwords in plain text. Here's how to clear them (and see them).
In Firefox

Click the "Firefox Menu"
Click "Options" or "Preferences"
Click the "Security" tab
Click "Saved Passwords..."
Click "Remove All"

In Chrome

Click the "Chrome Menu Button" in the upper-right
Click "Settings"
Click "Show advanced settings..." at the bottom
Click "Manage saved passwords" under "Passwords and forms"
Highlight all of the websites in the list
Press "Delete" on your keyboard

In Internet Explorer

If you're on Windows 8 or newer, your Internet Explorer passwords are stored securely, so there is no need to clear them.

Open "Tools" (or the "Gear Menu") and click "Internet Options"
Click the "Content" tab
Click "Settings" under "AutoComplete"
Click "Manage Passwords"
Remove each one

In Safari

Click on the "Safari" menu
Click on "Preferences"
Go to the "Passwords" tab
Highlight all of the websites in the list
Hit the "Remove" button
Step 5: Change Chrome's Default Settings

By default, Chrome doesn't check for revoked SSL certificates. If that makes no sense to you, don't worry. Just know that checking a box will keep you more secure. Here's our guide on how to fix it.
Stay Safe, Stay Secure

That's it! Going forward, if (or rather when) the next security breach happens, you'll have the peace of mind of knowing that just one password was compromised, and resetting it is as easy as visiting that one site and having your password manager generate a new secure password for you, so you won't have to worry about remembering it. You also won't have to worry about which other sites you've been using the same password on.
Original bleeding heart and passwords code images via Shutterstock


