security alert--password change needed for 60% of the web.


greybeard

If you make purchases on line, do online banking or do anything else that might have included your personal information, read and heed. It's been around a while, so your info may already have been exposed. Most websites have already patched their security protocols, but because it's been around so long without detection, the exploit is still dangerous.
The problem is in the encryption process/protocol itself--that little lock you see near the address bar on your browser when doing on-line transactions doesn't necessarily mean it is/was a secure transaction.

http://www.thewire.com/technology/2014/ ... et/360366/

http://venturebeat.com/2014/04/08/what- ... -at-least/

There's a security flaw in one of the basic encryption tools used by a huge number of websites, and it probably affects you.

Just to be safe, you should probably change your passwords. All of them.

The flaw goes by the appropriately scary name "Heartbleed," and it affects OpenSSL, a data encryption library used by — potentially — more than two-thirds of the Internet's websites.


In short, the bug means that attackers can "listen in" on communications between those websites and the browsers visiting them.

That "lock" icon that appears in your browser to indicate that you're communicating with a secure website is an indication that your browser is using SSL. If it's doing so with a website that's using a relatively recent version of OpenSSL, your data could be compromised.

The flaw exists in versions of OpenSSL that have been in use for about two years, and no one knew about it — no one legitimate, anyway — until a few days ago. Since then, the security researchers who discovered the bug have notified some of the major affected websites as well as the organization responsible for OpenSSL, which has already issued a fix. They have also published an informational web site, at Heartbleed.com. That means major web sites should be fixed soon, if they aren't already — but given how widespread the bug is, it may be weeks, months, or even years before the affected version is completely out of distribution.

"Considering the long exposure, ease of exploitation and attacks leaving no trace, this exposure should be taken seriously," the researchers wrote on Heartbleed.com.

If any malicious people knew about the bug before it was first widely publicized yesterday, they could have been using it to snoop on supposedly secure browser-server communications for as long as two years — since the first vulnerable version of OpenSSL appeared in December 2011. That means the bad guys may already have your passwords.
 
Thanks for sharing, greybeard. After it was apparently reported on the news this morning, everyone began questioning and this is an email we received from our IT guys at work.



Subject: Internet Security
 
There is no problem in using the internet for normal searches and activity.
 
There is an issue right now with general security on the internet as a whole.  An exploit named "Heartbleed" means that the bad guys could, in theory, decode your online banking password if the bank has not updated their security software.  Most of the banks and major websites have already done so and are secure.
 
If you do need to log in to a site securely and want to verify that it is safe from the exploit, you can check the site domain name here:
http://filippo.io/Heartbleed/
 
 
