It's a pain, but we are all going to have to bite the bullet and change passwords at sites that may have been affected by the Heartbleed security bug. Some helpful people have been compiling lists of sites where a password change is indicated. For example, Mashable has a list of major sites showing which ones need a changed password.
Here are some big sites that were affected and need a password change:
- Yahoo
- Yahoo Mail
- Gmail
- GoDaddy
Note that these sites, and the others in the list at the Mashable link cited above, are said to have already patched the Heartbleed bug.
Here are some major sites that are said to not require a password change:
- Microsoft
- eBay
- Amazon
- Paypal
- Hotmail/Outlook
- AOL
This tips section is maintained by Vic Laurie. Vic runs several websites with Windows how-to's, guides, and tutorials, including a site for learning about Windows and the Internet and another with Windows 7 tips.
Comments
Intended for Vic L, but any other expertise welcome. Think I had some security attack last week, or something managed to amend some settings. I logged on one day, was told that a file could not be found, and therefore not loaded. File named as zkbuygp.dat, doesn't get any mentions in a Google search, a bit odd as most system files have plenty of info online. Being suspicious, I tried a scan with Anti-Malwarebytes (free version); it would NOT run due to 'blocked by group policy'; neither would M'soft Security Essentials (same reason). I tried the Malwarebytes 'chameleon', also not working. I downloaded a new version of Malwarebytes, stored in a different folder, seemed to run ok, chameleon too. M'soft Sec Essentials DOES run a scan if PC in Safe mode - and when I checked it said it had blocked online threats when PC was NOT in safe mode, so seems (?) to be working behind the scenes still.
BUT today, I was on a website, a little box appeared, saying Malwarebytes had just blocked a threat, sounds good, BUT I thought that product doesn't work in real time, just does scans? (I should add that the version I've newly downloaded seems to say it's a trial, presumably a 14 day one, as opposed to the perm free one I had before). As I only recently ventured into online banking (had done things by phone for years) this is rather worrying - I haven't used any bank website since the odd event with the mystery file and the 'group policy' stuff.
The only info I can find re 'Group Policy' seems to imply that products good or bad might change registry settings, but I'm not informed or capable enough to change them back! ANY CLUES PLEASE? Thx TH (I have a desktop PC, Windows Home 7, IE9)
Although you might have done so elsewhere, it might be helpful for people new to the Heartbleed bug to understand that it affects earlier versions of OpenSSL and they need only be concerned about secure web sites (https) that use OpenSSL, IOW if a site uses some other type of encryption then it is not going to be vulnerable...at least not this time.
I agree that too much info on this subject is likely to be too technical for some, including me. That is why I only mentioned those two points, i.e., that Heartbleed only affects sites that begin with https and use OpenSSL. I have found sites not listed in Mashable or other sites working on this issue that test as possibly vulnerable, including some banking sites overseas. And since this is an issue with constant changes (at least until all OpenSSL sites are fixed), some people might want to change passwords even if the site is vulnerable and change it again when the site is fixed. If I encountered a banking site that is not fixed, I would probably either move my money to a bank whose site is fixed until it gets fixed, or I would change my password before each use until I was sure that the site is fixed, plus checking that site more frequently than other banking sites that are not vulnerable, and if money was missing I would be able to report it quickly.
Vic,
This all just got more complicated, since Akamai just announced that the patch it supplied for OpenSSL turns out not to be a complete patch, and the OpenSSL fix is only a partial fix. See the article at
http://www.cnet.com/news/akamai-heartbleed-patch-not-a-fix-after-all/?ta...
-------------------------
In other words, there is a bug in the patch for the Heartbleed bug, and there will probably be another bugfix coming, but when, we don’t know, and I have no idea how it will affect the scanning tools, like filipo.
Whether changing passwords now will help will probably depend on the approach that is taken to exploit the bug. If the bad guys are working from a database, then maybe changing passwords now is a temporary workaround, because they will not be able to log in with the old password. But if the bad guys are rescanning the server data each time before launching an attack, then any target would be vulnerable at any given time, I believe. I am not into cracking, so I cannot say for sure.
Thank you for letting me
Surely, with the way the bug works, it actually makes sense to hold off changing until the affected sites confirm they've fixed the bug?
If you change now you run the risk of being caught out by the bug... It's a catch-22 situation really.
Yes I saw that - but I think you missed my point entirely. Your article advocates updating passwords at infected sites - I'm saying that's a catch-22 if they are affected by the bug because there's a chance you'd have your password stolen due to the bug. Not only would you then have to change it again when they do fix the bug, you may also have lost your access.
I thought you wanted to end this thread and no doubt will delete this before it gets seen.
However - the issue was that you sidestepped what I said, then added to your original article with the comment rather than either agreeing with me or completely disagreeing (I'm a big boy, I can handle someone not agreeing).
I suspect it was a case of you rushing your answer rather than just (dis)/agreeing that this is the case and then pointing out the link, etc ...
Still - I guess this will get deleted as you have been rather heavy handed with moderation. And I thought gizmo's was all about discussion ... I'm sure Ian wouldn't have shut this conversation down....
Thank you. I'll accept your POV about the response but for my part I saw it as side-stepping or declining to answer the point asked.
As to unfair. I don't think so. I'll simply refer you to the opening sentence of your article. Let's face it, many folks simply scan articles and will rarely get past fully reading the first sentence - which is why they are always considered so important.