Security vendors eScan and McAfee have created free tools that help consumers easily gauge their susceptibility to the potentially dangerous effects of the Heartbleed Bug, a vulnerability in OpenSSL that has placed millions of Internet users’ personal information at risk.
By entering website domain names into McAfee’s Heartbleed Checker tool, consumers can immediately determine whether the websites they frequent have been affected by Heartbleed. The tool checks whether the sites have been upgraded to the version of OpenSSL that is not susceptible to the bug.
eScan’s tool can also be used by IT users to check whether the website they are browsing is affected by the Heartbleed bug, and can be accessed at www.escanav.com.
“It’s important that users first check to make sure the websites they frequent are updated before changing their passwords,” said Gary Davis, vice president of consumer marketing at McAfee, part of Intel Security. “In the wake of confusing information floating around, our tool makes it easy for consumers to quickly access the information they need. Armed with this information, consumers can decide when it is time to change their passwords and regain confidence in a safe web surfing experience.”
Estimated to affect up to two-thirds of all websites, the Heartbleed Bug is a vulnerability in the OpenSSL encryption software that protects usernames, passwords, credit and debit card numbers, and other sensitive user information. A flaw in the SSL code could allow an attacker to gain access to system memory, which could potentially contain sensitive information or communications. To protect themselves, consumers should determine which of the sites they use are affected and then change those account passwords when the affected sites are patched.
Since a majority of websites are vulnerable to the Heartbleed bug, changing a password will not help much, because a website has to update its OpenSSL software first in order to mitigate the threat. Simply type the address of the website you wish to browse into the box displayed in the tool, and it will let you know whether it is safe. Although websites such as Facebook, Gmail, Amazon, Yahoo!, Twitter and others are not vulnerable, numerous other websites and servers are still vulnerable.
The Heartbleed bug takes advantage of the OpenSSL encryption software, which is in standard use by many websites. When browsing, a site secured with SSL is designated by the small padlock symbol; however, not all web servers have deployed OpenSSL. A new protocol was introduced to TLS/DTLS, allowing the use of keep-alive functionality without performing a renegotiation. When messaging back and forth on a secure connection, one computer sometimes wants to check the other computer’s availability. This check is done by sending a small packet of data, called a ‘heartbeat’. The Heartbleed flaw allows hackers to use a fake packet of data, which tricks the computer into responding with arbitrary data stored in memory by OpenSSL. Attacks using this flaw are undetectable by current standards, and the bug existed under the radar for about two years.
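The length check that a receiver of the heartbeat packet described above has to apply, as an added example (not code from eScan, McAfee or OpenSSL): a heartbeat message carries its own payload-length field (RFC 6520), and any message whose claimed length does not fit inside the record that carried it must be discarded rather than answered. The function names, verdict strings and sample bytes are constructed for illustration, and the check assumes a plaintext (already decrypted) TLS record.

```python
import struct

HEARTBEAT_RECORD = 24   # TLS ContentType "heartbeat" (RFC 6520)
MIN_PADDING = 16        # RFC 6520: at least 16 bytes of padding follow the payload


def check_heartbeat(record: bytes) -> str:
    """Classify one plaintext TLS record.

    Returns 'not-heartbeat', 'truncated', 'ok' or 'length-mismatch'.
    """
    if len(record) < 5:
        return "truncated"
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HEARTBEAT_RECORD:
        return "not-heartbeat"
    body = record[5:5 + rec_len]
    if len(body) < rec_len or rec_len < 3:
        return "truncated"
    # Heartbeat message: type (1 byte), payload_length (2 bytes), payload, padding.
    _hb_type, claimed = struct.unpack("!BH", body[:3])
    # The claimed payload plus minimum padding must fit in the bytes actually
    # received; otherwise echoing 'claimed' bytes would read past the message.
    if 1 + 2 + claimed + MIN_PADDING > rec_len:
        return "length-mismatch"
    return "ok"


def flagged(records) -> list:
    """Indexes of records that a receiver must discard instead of answering."""
    return [i for i, r in enumerate(records)
            if check_heartbeat(r) == "length-mismatch"]


# Constructed samples (not captured traffic).
# Well-formed: record length 23 = 3-byte header + 4-byte payload + 16 padding.
WELL_FORMED = bytes.fromhex("1803020017" "010004") + b"ping" + bytes(16)
# Malformed: the record holds 3 bytes but claims a 16384-byte payload.
OVERSIZED = bytes.fromhex("1803020003" "014000")
# A handshake record, which the check ignores.
HANDSHAKE = bytes.fromhex("1603020000")

if __name__ == "__main__":
    for name, rec in [("well-formed", WELL_FORMED), ("oversized", OVERSIZED),
                      ("handshake", HANDSHAKE)]:
        print(name, "->", check_heartbeat(rec))
```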
“Users are likely to be affected either directly or indirectly,” said Govind Rammurthy, MD and CEO, eScan. “OpenSSL is the most popular open source cryptographic library and TLS (Transport Layer Security) implementation used to encrypt traffic on the Internet. Hackers are using smart social engineering tricks more and more often on popular social sites, company sites and commercial sites. Hence, our newly launched online tool makes it easy for IT users to enjoy safe internet browsing and have a secured computing experience.”