Our substance is short yet to the point, and intended to challenge you to live in and nurture with IT technologies. @http://thecorlissreviewgroup.com

Thursday, April 17, 2014

Corliss Group Review Heart Bleed Bug Test: Three Things One Can Do Yahoo, Facebook, Gmail, eBay, TurboTax, Twitter, Chase, Wells Fargo, Citibank Affected?

The Heartbleed security bug can be tested here and there's a list of websites affected. (Screenshot Heartbleed.com)

 
The Heartbleed bug isn’t a “virus,” but a security error. The bug can be tested on Github and a website was set up to test out whether the bug affects a certain website, including well-known ones.

AP Update: 3 things you can do to protect from Heartbleed

The “Heartbleed” bug has caused anxiety for people and businesses. Now, it appears that the computer bug is affecting not just websites, but also networking equipment including routers, switches and firewalls.

The extent of the damage caused by Heartbleed is unknown. The security hole exists on a vast number of the Internet’s Web servers and went undetected for more than two years. Although it’s conceivable that the flaw was never discovered by hackers, it’s difficult to tell.

There isn’t much that people can do to protect themselves completely until the affected websites implement a fix. And in the case of networking equipment, that could be a while.

Here are three things you can do to reduce the threat:

— Change your passwords. This isn’t a foolproof solution. It’ll only help if the website in question has put in place required security patches. You also might want to wait a week and then change them again.

— Worried about the websites you’re surfing? There’s a free add-on for the Firefox browser to check a site’s vulnerability and provide color-coded flags. Green means go and red means stop. You can download it here: https://addons.mozilla.org/en-US/firefox/addon/heartbleed-checker/

— Check the website of the company that made your home router to see if it has announced any problems. Also be diligent about downloading and installing any software updates you may receive.

Earlier AP Update:

NEW YORK (AP) — It now appears that the “Heartbleed” security problem affects not just websites, but also the networking equipment that connects homes and businesses to the Internet.

A defect in the security technology used by many websites and equipment makers has put millions of passwords, credit card numbers and other personal information at risk. The extent of the damage caused by Heartbleed isn’t known. The threat went undetected for more than two years, and it’s difficult to tell if any attacks resulted from it because they don’t leave behind distinct footprints.

But now that the threat is public, there’s a good chance hackers will try to exploit it before fixes are in place, says Mike Weber, vice president of the information-technology audit and compliance firm Coalfire.

Two of the biggest makers of networking equipment, Cisco and Juniper, have acknowledged that some of their products contain the bug, but experts warn that the problem may extend to other companies as well as a range of Internet-connected devices such as Blu-ray players.

“I think this is very concerning for many people,” says Darren Hayes, professor of security and computer forensics at Pace University. “It’s going to keep security professionals very busy over the coming weeks and months. Customers need to make sure they’re getting the answers they need.”

Here’s a look at what consumers and businesses should know about Heartbleed and its effects on networking devices.

— How is networking equipment affected?

Just like websites, the software used to run some networking equipment — such as routers, switches and firewalls — also uses the implementation of SSL/TLS known as OpenSSL. OpenSSL is the set of tools that has the Heartbleed vulnerability.

As with a website, hackers could potentially use the bug as a way to breach a system and gather and steal passwords and other sensitive information.

— What can you do?

Security experts continue to advise people and businesses to change their passwords, but that won’t be enough unless the company that created the software in question has put the needed fixes in place.

When it comes to devices, this could take a while. Although websites can be fixed relatively quickly by installing a software update, device makers will have to check each product to see if it needs to be fixed.

Both Cisco Systems Inc. and Juniper Networks Inc. continue to advise customers through their websites on which products are still vulnerable, fixed or unaffected. Owners may need to install software updates for products that are “fixed.”

Hayes praises Cisco and Juniper for being upfront with customers. He cautions, though, that many other companies make similar products that likely have the bug, too, but haven’t come forward to say so.

As a result, businesses and consumers need to check the websites for devices that they think could have problems. They must be diligent about installing any software updates they receive.

Weber says that while there are some checks companies can do to see if their networking equipment is safe, they’re largely beholden to the device makers to let them know what’s going on.

Companies also need to make sure that business partners with access to their systems aren’t compromised as well.

— Are other devices at risk?

Hayes says the bug could potentially affect any home device that’s connected to the Internet, including something as simple as a Wi-Fi-enabled Blu-ray player.

He also points to recent advances in home automation, such as smart thermostats, security and lighting systems.

“We simply don’t know the extent of this and it could affect those kinds of devices in the home,” he says.


Wednesday, April 16, 2014

Corliss Group Review Android devices await Heartbleed fix

Version 4.1.1 of Android Jelly Bean was released in 2012

Millions of Android devices remain vulnerable to the Heartbleed bug a week after the flaw was made public.

Google announced last week that handsets and tablets running version 4.1.1 of its mobile operating system were at risk.

The search giant has since created a fix, but it has yet to be pushed out to many of the devices that cannot run higher versions of the OS.

It potentially places owners at risk of having sensitive data stolen.

In addition, security firms warn that hundreds of apps available across multiple platforms still need to be fixed.

These include Blackberry's popular BBM instant messaging software for iOS and Android.

The Canadian firm has said that it will not issue a fix until Friday, but said there was only an "extremely small" risk of hackers exploiting the bug to steal its customers' data.

In the meantime the program remains available for download from Apple's App Store and Google Play.

Data theft 

News of the vulnerability with recent versions of the OpenSSL cryptographic software library was made public last Monday after researchers from Google and Codenomicon, a Finnish security firm, independently discovered the problem.

OpenSSL is used to digitally scramble data as it passes between a user's device and an online service in order to prevent others eavesdropping on the information.

It is used by many, but not all, sites that show a little padlock and use a web address beginning "https".

The researchers discovered that because of a coding mishap hackers could theoretically access 64 kilobytes of unencrypted data from the working memory of systems using vulnerable versions of OpenSSL.

Although that is a relatively small amount, the attackers can repeat the process to increase their haul.

Furthermore, 64K is enough to steal passwords and server certificate private keys - information that can be used to let malicious services masquerade as genuine ones.

Press reports initially focused on the risk of users visiting vulnerable websites, but attention is now switching to mobile.

At-risk handsets

UK versions of the HTC One S handset cannot currently be upgraded beyond Android 4.1.1

Google's own statistics suggest that fewer than 10% of Android devices currently run version 4.1.1.

However, since close to one billion people currently use the OS that is still a significant number.

Some of those device owners can protect themselves by upgrading Android to a more recent version.

But several machines are unable to be upgraded higher than 4.1.1.

Customer websites indicate these include Sony's Xperia E handsets, HTC's One S, Huawei's Ascend Y300 and Asus's PadFone 2.

"Privacy and security are important to HTC and we are committed to helping safeguard our customers' devices and data," said the Taiwanese firm.

"We're currently working to implement the security patch issued by Google this week to the small number of older devices that are on Android 4.1.1."

Asus said its device was "expecting an update imminently". Sony and Huawei were unable to comment.

Tab grab
Sony and Huawei were not able to say when they planned to patch vulnerable devices

Google has now created a fix to address the problem. However, manufacturers still need to adapt it for their devices and this software will need to be tested by the various operators before they release it.

Users can check which edition of Android they are running by going to the "about phone" or "about tablet" option in their Settings app.

Alternatively several free apps have been released that can scan phones and tablets to say if they are vulnerable.

Lookout - a security firm behind one of the products - explained how hackers might take advantage of a vulnerable handset.

"Someone could build a malicious website or advert designed to steal data from your memory," Thomas Labarthe, the firm's European managing director, told the BBC.

"If you happen to be browsing it and have other tabs opened in your browser, it could take data from a banking site - for example.

"No-one could steal a whole document - they can only take 64K of data - but that's still enough to steal your credentials."

'Forgotten about'

Blackberry aims to offer safe versions of its BBM app on Friday

Another security firm, Trend Micro, has focused on the issue of vulnerable apps.

These can affect any mobile operating system because the problem is caused by the servers that send data to the apps not having been updated to the latest version of OpenSSL.

Trend Micro said it was currently aware of 6,000 such risky apps, including shopping and bank-related services. That is 1,000 fewer than its figure for Friday - suggesting some server operators are addressing the problem.

But it acknowledged that it was hard for members of the public to know which of the hundreds of thousands on offer were safe to use.

"Some of these are services that were set up and then forgotten about," said senior malware researcher David Sancho.

"There's no way from using an app you can know if it's good or bad.

"So, for the moment, the best thing to do is use the ones from the major vendors that we know have been patched... but for the minor ones that have said nothing, be wary."

Monday, April 14, 2014

Corliss Group Review Millions of Android Phones Could Be Affected by the Heartbleed Bug

Check to See if Yours Is One of Them

Disturbing news: The now-infamous Heartbleed security flaw might reach further than your favorite websites. It could affect your mobile device, too.

According to an announcement by Google, smartphones and tablets running a specific version of Android were affected by the widespread web security bug, which could potentially spill your sensitive login information (like passwords).

The company assured Android owners in a blog post April 9 that most versions are not affected by the flaw. However, as Bloomberg notes, Google added that a version called 4.1.1 Jelly Bean is a “limited exception.”

That version of Android was released in 2012 and is likely to be running on older Android smartphones. According to the most recent statistics released by Google, about 34 percent of Android devices use a version of the 4.1 Jelly Bean software. Though the company said that fewer than 10 percent of devices in use are vulnerable, a Google spokesperson confirmed to Bloomberg that millions of devices still run 4.1.1 Jelly Bean.

So how can you check to see if your device is affected? You’ll need to go to the Settings menu of your phone and find your way to the About Phone section. There you’ll be able to learn what version of Android you’re running and see if any updates are available.

There’s also a free Android app available that will tell you if your device is vulnerable to the bug.

Whether there is an immediate update to patch this bug is still unclear. Google’s blog post says that “patching information for Android 4.1.1 is being distributed to Android partners.” A Verizon spokesperson told Bloomberg that the company was aware of the “security vulnerability referred to as ‘Heartbleed,’ ” and that the company was “working with our device manufacturers to test and deploy patches to any affected device on our network running Android 4.1.1.”

We’ve reached out to Google for comment. In the meantime, fingers crossed that you’re not affected.