Heartbleed Effect: Passwords You Need to Change Now

It's a pain but we are all going to have to bite the bullet and change passwords at sites that may have been affected by the Heartbleed security exploit. Some helpful people have been compiling lists of sites where a password change is indicated. For example, a list of some major sites showing which of them need a changed password is at Mashable.

Here are some big sites that were affected and need a password change. Note that these sites, and the others in the list at the Mashable link cited above, are said to have already patched the Heartbleed bug.

  • Yahoo
  • Yahoo Mail
  • Facebook
  • Google
  • Gmail
  • Instagram
  • GoDaddy
  • Pinterest

Here are some major sites that are said to not require a password change:

  • Microsoft
  • eBay
  • Amazon
  • Paypal
  • Hotmail/Outlook
  • AOL

This tips section is maintained by Vic Laurie. Vic runs several websites with Windows how-to's, guides, and tutorials, including a site for learning about Windows and the Internet and another with Windows 7 tips.


Comments

by MidnightCowboy on 15. April 2014 - 5:12  (115705)

First news of successful exploits now surfacing together with details about how the exploit itself is being exploited by phishing scams.

http://www.bbc.com/news/technology-27028101

Remains to be seen but IMO although the bug has existed for a long time, I think the majority of those exploiting it only began their operations after the announcement. MC - Site Manager.

by TonyH on 14. April 2014 - 12:36  (115684)

Intended for Vic L, but any other expertise welcome. Think I had some security attack last week, or something managed to amend some settings, I logged on one day, was told that a file could not be found, and therefore not loaded. File named as zkbuygp.dat, doesn't get any mentions in a Google search, a bit odd as most system files have plenty info online. Being suspicious, I tried a scan with Anti-Malwarebytes (free version) it would NOT run due to 'blocked by group policy'; neither would M'soft Security Essential (same reason). I tried the Malwarebytes 'chameleon', also not working. I downloaded a new version of Malwarebytes, stored in a different folder, seemed to run ok, chameleon too. M'soft Sec Essentials DOES run a scan if PC in Safe mode - and when I checked it said it had blocked online threats when PC was NOT in safe mode, so seems (?) to be working behind the scenes still.

BUT today, I was on a website, a little box appeared, saying Malwarebytes had just blocked a threat, sounds good, BUT I thought that product doesn't work in real time, just does scans? (I should add that the version I've newly downloaded seems to say it's a trial, presumably a 14 day one, as opposed to the perm free one I had before). As I only recently ventured into online banking (had done things by phone for years) this is rather worrying - I haven't used any bank website since the odd event with the mystery file and the 'group policy' stuff.

The only info I can find re 'Group Policy' seems to imply that products good or bad might change registry settings, but I'm not informed or capable enough to change them back! ANY CLUES PLEASE? Thx TH (I have a desktop PC, Windows Home 7, IE9)

by v.laurie on 14. April 2014 - 13:02  (115686)

Tony, there are people here who will be glad to help you. We have a forum for just that purpose. Go to http://www.techsupportalert.com/freeware-forum/general-computer-support/, log in and describe your problem there. Also, check your bank account right away by phone to make sure nothing is going on there. These articles can help you: http://www.techsupportalert.com/content/how-know-if-your-computer-infect... and http://www.techsupportalert.com/content/how-clean-infected-computer.htm
Don't use your computer for banking or other sensitive business until you have made sure it is secure. You are right to be concerned about getting messages about the Group Policy Editor.

by howiem on 13. April 2014 - 20:47  (115667)

Although you might have done so elsewhere, it might be helpful for people new to the Heartbleed bug to understand that it affects earlier versions of OpenSSL and they need only be concerned about secure web sites (https) that use OpenSSL, IOW if a site uses some other type of encryption then it is not going to be vulnerable...at least not this time.

by v.laurie on 13. April 2014 - 22:48  (115672)

Yes, it would be good if everybody had some idea what OpenSSL was and what the bug entails but I wonder if it might not be rather too technical for many people. In any event, I hoped that the FAQ http://heartbleed.com/ given in the previous tip http://www.techsupportalert.com/content/how-check-if-website-has-been-af... might be helpful to those wishing to know more about the problem.

If you would like to write an article about what you think people should know, we always welcome new material.

by howiem on 14. April 2014 - 4:22  (115676)

I agree that too much info on this subject is likely to be too technical for some, including me. That is why I only mentioned those two points, i.e., that heartbleed only affects sites that begin with https, and use OpenSSL. I have found sites not listed in Mashable or other sites working on this issue that test as possibly vulnerable, including some banking sites overseas. And since this is an issue with constant changes (at least until all OpenSSL sites are fixed), some people might want to change passwords even if the site is vulnerable and change it again when the site is fixed. If I encountered a banking site that is not fixed, I would probably either move my money to a bank whose site is fixed until it gets fixed, or I would change my password before each use until I was sure that the site is fixed, plus checking that site more frequently than other banking sites that are not vulnerable, and if money was missing I would be able to report it quickly.
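The comment above raises the timing problem that runs through this thread: a password set at a site before that site's fix went in may have been exposed and will need changing again, while a password set at a site that has not announced a fix is still in the same position. The following script is an added example, not code from the original tip or from any of the commenters; it keeps a small inventory of accounts and classifies each one by comparing when the password was last set against when the site says it was patched. The site names, dates and the record layout are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample inventory (not real sites or real dates). One record per
# account. patched_at is None when the site has not announced a fix; timestamps
# are ISO 8601 in UTC.
ACCOUNTS = [
    {"site": "example-mail", "uses_openssl": True,
     "patched_at": "2014-04-08T12:00:00Z", "password_changed_at": "2014-04-09T09:00:00Z"},
    {"site": "example-bank", "uses_openssl": True,
     "patched_at": None, "password_changed_at": "2014-04-10T08:00:00Z"},
    {"site": "example-shop", "uses_openssl": True,
     "patched_at": "2014-04-11T00:00:00Z", "password_changed_at": "2014-04-09T09:00:00Z"},
    {"site": "example-auction", "uses_openssl": False,
     "patched_at": None, "password_changed_at": "2013-01-01T00:00:00Z"},
]


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp; None stays None (unknown / not announced)."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def rotation_status(account):
    """Classify one account with respect to Heartbleed exposure.

    not-affected  site does not use OpenSSL, so this bug does not apply
    unpatched     site has announced no fix; any password set there may
                  still be exposed and will need changing again after a fix
    change-again  password was last set before the site's fix, so it may
                  have been read from server memory while the bug was live
    ok            password was set after the fix went in
    """
    if not account["uses_openssl"]:
        return "not-affected"
    patched = parse_ts(account["patched_at"])
    changed = parse_ts(account["password_changed_at"])
    if patched is None:
        return "unpatched"
    if changed is None or changed < patched:
        return "change-again"
    return "ok"


def rotation_plan(accounts):
    """Map each site name to its rotation status."""
    return {a["site"]: rotation_status(a) for a in accounts}


if __name__ == "__main__":
    for site, status in rotation_plan(ACCOUNTS).items():
        print(f"{site}: {status}")
```

The only input that matters for the decision is the site's own announced patch time; if that is unknown the account stays in the `unpatched` bucket, which is the case the thread has no clean answer for. Re-running the script after updating `patched_at` for a site moves its account straight to `change-again`, which is the reminder the comment above describes.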

by v.laurie on 14. April 2014 - 13:16  (115687)

What to do about sites that have not yet been patched is a dilemma. I do not personally see a clear-cut solution or easy answers. I think your suggestions are as good as any but it's a personal choice.

by howiem on 16. April 2014 - 0:36  (115708)

Vic,
This all just got more complicated, since Akamai just announced that the patch it supplied for OpenSSL turns out not to be a complete patch, and the OpenSSL fix is only a partial fix. See the article at
http://www.cnet.com/news/akamai-heartbleed-patch-not-a-fix-after-all/?ta...

-------------------------
In other words, there is a bug in the patch for the Heartbleed bug, and there will probably be another bugfix coming, but when, we don’t know, and I have no idea how it will affect the scanning tools, like filipo.
Whether changing passwords now will help, will probably depend on the approach that is taken to exploit the bug. If the bad guys are working from a database, then maybe changing passwords now is a temporary workaround, because they will not be able to log in with the old password, But, if the bad guys are rescanning the server data each time before launching an attack, then any target would be vulnerable at any given time, I believe. I am not into cracking, so I cannot say for sure.

by Spitfire on 12. April 2014 - 0:21  (115638)

Thank you for letting me

by bernardz on 11. April 2014 - 12:26  (115615)

From bitter experience and actual financial loss, at the first sign of trouble change the password.

by stubbyd on 11. April 2014 - 1:00  (115599)

Surely with the way the bug works that it actually makes sense to hold off changing until the affected sites confirm they've fixed the bug?

If you change now you run the risk of being caught out by the bug... It's a catch22 situation really.

by v.laurie on 11. April 2014 - 2:03  (115601)

You can check if sites are updated as described in links given in the preceding tip: http://www.techsupportalert.com/content/how-check-if-website-has-been-affected-heartbleed.htm.

by stubbyd on 11. April 2014 - 2:11  (115602)

Yes I saw that - but I think you missed my point entirely. Your article advocates updating passwords at infected sites - I'm saying that's a catch22 if they are affected by the bug because there's a chance you'd have your password stolen due to the bug. Not only would you then have to change it again when they do fix the bug you may also have lost your access.

by v.laurie on 11. April 2014 - 11:35  (115614)

I did not miss your point. The problem with unpatched sites is discussed in references given in my first reply above. Also, if you read the referenced Mashable article that is the basis for the present article, you would see that the sites that are listed as needing a password change are sites that have patches for the bug already in place.

by stubbyd on 11. April 2014 - 15:19  (115617)

I thought you wanted to end this thread and no doubt will delete this before it gets seen.

However - the issue was that you sidestepped what I said, then added to your original article with the comment rather than either agreeing with me or completely disagreeing (I'm a big boy, I can handle someone not agreeing).

I suspect it was a case of you rushing your answer rather than just (dis)/agreeing that this is the case and then pointing out the link, etc ...

Still - I guess this will get deleted as you have been rather heavy handed with moderation. And I thought gizmo's was all about discussion ... I'm sure Ian wouldn't have shut this conversation down....

by v.laurie on 11. April 2014 - 17:38  (115623)

True discussion is always welcome. Incorrect statements, however, are a different issue. My way of responding to your original point about unpatched sites was to provide information by means of some references. To my way of thinking, that answered your comment. However, if you feel an explicit acknowledgement of your point is necessary, I am happy to say that you had a valid point about those sites that are still unfixed. However, the article's focus was specifically about changing passwords for sites that had patched the problem, as a reading of the Mashable article that was cited would have made clear. You responded with the unfair statement, "Your article advocates updating passwords at infected sites". This is simply not true.

by stubbyd on 11. April 2014 - 22:58  (115637)

Thank you. I'll accept your POV about the response but for my part I saw it as side-stepping or declining to answer the point asked.

As to unfair. I don't think so. I'll simply refer you to the opening sentence of your article. Let's face it, many folks simply scan articles and will rarely get past fully reading the first sentence - which is why they are always considered so important.

by v.laurie on 11. April 2014 - 2:59  (115605)

I am sorry but there has been a misunderstanding. I have not "advocated" changing passwords at infected sites. Let that be plain. With that made clear, let us call an end to this thread.