Archive for August 2013

Heartbleed Bug

According to Gary Davis, vice president of global marketing for McAfee's consumer division, it is important to understand that Heartbleed is not a virus, but a programming error in the OpenSSL encryption code - a security standard that encrypts communications between you and the servers of most online services.
Although the bug was announced only recently, it has been present in OpenSSL versions released since March 14, 2012, giving attackers several opportunities to steal certificates or other confidential information.
The problem is serious
The OpenSSL cryptographic library protects usernames, passwords, credit card, debit card and other confidential user information. A failure in the SSL code could allow an attacker to gain access to the system memory, which can potentially contain confidential information or communications.
SSL/TLS is widely used to secure communication through websites, email, instant messaging, etc. It can be recognized by the prefix "https" or a lock in the address bar of a browser.
Therefore, the flaw allows attackers to extract information from large databases which contain usernames, passwords and other confidential information.
According to security company Vasco, besides allowing a hacker to read part of the memory of an affected server, the bug also makes it possible, under certain circumstances, to obtain sensitive data that was exchanged in the past through a vulnerable SSL/TLS server. Using a compromised SSL/TLS private key, a criminal can also set up fake servers that look just like the original.
As the threat takes advantage of servers, not consumer devices, online service companies need to upgrade to the latest version of OpenSSL, 1.0.1g, in order to mitigate and fix this security hole.
Trustwave, meanwhile, warns that web servers are not the only possible targets for an attack; any program that uses an affected version of OpenSSL and is exposed to the internet is vulnerable. This includes the SSL virtual private networks that let a company's employees connect securely to the corporate network, and many other SSL tools that businesses use daily.
Also according to Trustwave, OpenSSL is considered one of the pillars of the modernization of e-commerce, having allowed for the safe transmission of information such as credit card and personal identity data. It is estimated that OpenSSL is used in 60% of web sites with SSL-enabled services. Although not all of these services are vulnerable, the effects of this failure are widespread.
Mobile apps have also been affected
Cell phones and smartphones are just as vulnerable to the Heartbleed bug as websites. This is because applications connect to servers and Web services to complete various tasks, such as banking and online store apps that allow you to make payments via mobile phone.
Trend Micro surveyed some popular web services used on popular mobile devices and the results show that the vulnerability still exists. 390 thousand applications from Google Play were scanned, and about 1,300 applications connected to vulnerable servers were found. Among them are 15 applications related to banks, 39 to online payments and 10 to online purchases. Problems in everyday apps such as instant messaging and health were also identified.
What can the surfer do?
The severity of this threat is unimaginable. Large companies regularly employ OpenSSL, which is traditionally known as one of the safest means of transmitting data. Security firms reiterate that the best way to protect yourself is to determine which of the sites you use were affected (through the tools listed above) and change the passwords for these accounts.
That is, users should check with the sites that hold their sensitive information (such as your bank, your ISP's e-mail, etc.) whether they were affected and, if so, ask how this vulnerability will be corrected.
If the provider confirms that the service was affected, users should also change their passwords. Companies that host their own affected SSL services should strongly consider revoking their current certificates, since a compromised certificate can lead to abuse and to damage to their reputation. SSL certificate owners will need to work with their certificate authorities (CAs) to reissue their certificates.
This week, McAfee released a free tool to help consumers easily evaluate their susceptibility to the effects of Heartbleed. When consumers enter the domain names of websites into McAfee's testing tool, they can immediately determine whether the sites they frequent are affected by this menace, by verifying whether the sites have been updated to a version of OpenSSL that is not susceptible to the vulnerability.
It is also advisable to monitor your email, social networking, internet banking and other online accounts for unusual or suspicious activity. If you notice something out of the ordinary, contact the respective service and request information on how to proceed.
Moreover, as the Heartbleed flaw is not a virus or a malicious program that can be "corrected" instantly by the user alone, on their own computer, the National Consumer Secretariat of the Ministry of Justice (Senacon/MJ) warns Internet users to watch out for misleading offers of services that claim to address the issue.
And service providers?
Senacon/MJ recommends that providers of Internet services and applications inform customers and consumers whether or not the service was affected by the Heartbleed security flaw. If so, they should also inform consumers of the security measures they must take.
What should financial institutions do?
According to Vasco, they must follow three steps to ensure that their web applications are not vulnerable to the bug and that their consumers are protected.
First, they should check whether their e-banking applications use a flawed version of OpenSSL. OpenSSL versions 1.0.1 to 1.0.1f are affected. In this case, they should immediately update their servers to the latest version.
Second, they should assume that their SSL/TLS private keys may have been compromised if they used the affected OpenSSL versions. Because of the nature of the bug, it is very difficult to determine when keys have been compromised. Financial institutions should therefore be cautious and replace their existing keys and certificates with new ones.
Finally, they should verify whether sensitive data, such as passwords exchanged with e-banking users, has been compromised. If so, the renewal of that information should be promoted where possible.
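The first two steps can be turned into a simple triage over a server inventory. The following is an added example, not part of the original article or any vendor's tool; the host names, dates and function names are constructed for illustration. It flags any banner in the 1.0.1 to 1.0.1f range, which is deliberately conservative because some vendors ship the fix without changing the version letter.

```python
import re
from datetime import date

# Range taken from the article: 1.0.1 through 1.0.1f affected, fixed in 1.0.1g.
_BANNER = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def is_affected(banner):
    """True/False for a parseable `openssl version` banner, None otherwise."""
    m = _BANNER.search(banner)
    if m is None:
        return None
    major, minor, patch, letter = m.groups()
    if (int(major), int(minor), int(patch)) != (1, 0, 1):
        return False
    # "" is plain 1.0.1; letters a..f are the later affected releases.
    # A vendor-patched build may keep its letter: confirm with the package changelog.
    return letter <= "f"

def triage(banner, cert_not_before, patched_on):
    """Map one server to the action from the three steps above.

    patched_on is the date the server left the affected range,
    or None if it never ran an affected version.
    """
    affected = is_affected(banner)
    if affected is None:
        return "unknown version: inspect manually"
    if affected:
        return "upgrade, then replace key and certificate"
    # A key that was in use before the upgrade must be assumed exposed.
    if patched_on is not None and cert_not_before < patched_on:
        return "replace key and certificate"
    return "no action"

# Constructed inventory: (host, banner, certificate notBefore, patched_on)
INVENTORY = [
    ("ebank-web-01", "OpenSSL 1.0.1e-fips 11 Feb 2013", date(2013, 6, 1), None),
    ("ebank-web-02", "OpenSSL 1.0.1g 7 Apr 2014", date(2013, 6, 1), date(2014, 4, 8)),
    ("ebank-web-03", "OpenSSL 1.0.1g 7 Apr 2014", date(2014, 4, 9), date(2014, 4, 8)),
    ("legacy-gw", "OpenSSL 0.9.8y 5 Feb 2013", date(2012, 1, 1), None),
]

def run():
    return {host: triage(b, nb, p) for host, b, nb, p in INVENTORY}

if __name__ == "__main__":
    for host, action in run().items():
        print(f"{host}: {action}")
```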
What should e-banking users do?
Also according to Vasco, they may have been affected by the Heartbleed bug, meaning that sensitive data exchanged with their banks via the Internet may have been compromised.
Users who log in with a password must change it, since it may have been compromised. However, this should only be done after the bank has upgraded its OpenSSL software and issued new certificates and new private keys, because otherwise the new passwords can also be accessed improperly in the future.
On the other hand, users who log in with single-use passwords (one-time passwords, OTP) need not worry about their information being compromised. The ephemeral nature of this system ensures that a password can be used only for a short period of time. Thus, single-use passwords cannot be leveraged as a result of this bug.
"We also recommend that everyone monitor their bank online and take care of the security of their information," said Claudio Conceição, finance consultant and credit expert at Riddle TransUnion, the company responsible for developing software and solutions for the automation of credit analysis, risk and fraud.
Beware of phishing
Many online services are sending e-mails informing users that they were affected by Heartbleed and have already upgraded their servers. After receiving these e-mails, you must update your password. But beware: McAfee warns that this is also a great time for phishing attacks (attacks disguised as services to steal your data and passwords). So you need to take even more care than usual when you encounter such messages.
According to McAfee, Internet users can detect a phishing attack by looking for grammar errors, suspicious images that do not appear to be reputable, and e-mails that ask you to enter your username and password right away. Some services affected by Heartbleed have logged users out of their accounts automatically. Some may have provided links to change passwords.
To protect yourself against phishing attacks, do not click on these links. Instead, go to the site manually, log in and then change your password.
Take care when changing passwords
When changing passwords you need to take some care. According to McAfee, the precautions include:
1 - Create unique passwords for each site you use. Each password used must be at least eight characters long and contain letters, numbers and symbols. Each site must have its own unique password. Avoid using the same password on multiple sites. This is essential.
2 - Use a password manager. Increasingly, the use of password managers is less a matter of practicality and more a matter of safety. Remembering different passwords for each site is very difficult. Password managers can do this for you. Moreover, they can protect you from malicious software that records the keys you press and consequently your password.
3 - Turn on two-factor authentication. Two-factor authentication is a security technique that requires something you know, such as your password, and something that you own, like your phone. Not all sites apply this security technique, but, when available, you should enable it. It can be an effective way to protect against hacker attacks.

Tuesday, August 27, 2013
Posted by Unknown

ASUS Looks to Enter the Cloud Storage Market

The word is out: individuals and businesses are turning to the cloud for data storage. For many, the primary reason is that the cloud is the easiest, surest way to back up photos, e-mails, documents and especially data. Others choose the cloud because of freed up space - the cloud makes a great storage option if the sheer volume of data on your computer depletes storage capacity.
But for many computer users, there is a fear of the unknown: Are my files really safe in the cloud, or do I need to back up the backup? The debate has gotten more intense as cloud data storage has become widespread - despite some recent well publicized failures.
The world's fifth largest PC vendor, Asustek Computer Inc., is looking to expand into the cloud service space in a big way with its unveiling of the ASUS Cloud Platform, an updated rendition of their WebStorage file hosting service.
ASUS announced on May 27th that their rebranded cloud platform will now cost $22.99 US a year for 100 gigabytes of cloud storage. The 70 percent price drop puts them in a prime competitive position with the biggest cloud service providers in the US, which offer the same storage capacity for $99 (DropBox) and $23.88 (Google). They also have a 500 gigabyte option, available for $99.99 a year.
The new Cloud Platform is designed to attract more individual and enterprise users with its simple interface and useful features, and the PC giant expects 50 million users by the end of the year, a rise of over 60% of its current base.
Despite the already large install base, ASUS stated that only about 0.5 - 1% of their users pay subscription fees, as they offer up to 5 gigabytes of storage for free for individual users. The company plans on raising that percentage to over 1% this year, hoping that the improvements in their service and the much smaller entry fee will persuade customers into paying for extra storage.
With the increased reliance on cloud storage to share files across mobile devices, ASUS sees the online data storage industry as an ever-expanding market and an opportunity to branch into the role of a service provider. The hardware giant is looking to follow in the footsteps of companies like Google, Microsoft, and Amazon to provide cloud services to customers at little or no cost, and entice businesses with large storage options at very affordable price points.
In addition to the enterprise and individual customers, ASUS intends to appeal to app developers by offering plenty of useful tools for software coding across different platforms. The tools are meant to "help developers and businesses manage large amounts of data backed by cloud computing technologies" and come included with the service.
ASUS plans to set up a new data center in Taipei to install more servers for its storage platform. The new center is set to open later this year, joining their six current data centers: three in Taiwan and one each in China, the US, and Luxembourg.
Tanya Freedman is co-founder and Vice-President of Connetics, a specialty recruiting firm, dedicated to placing storage and networking professionals. She has completed over 300 executive assignments in the past 10 years with almost 100% retention for companies ranging from Fortune 500 firms to entrepreneurial start-ups. She holds a Bachelor's and Master's degree in Psychology from the University of Witwatersrand (South Africa). http://www.conneticsusa.com/communications


Wednesday, August 21, 2013
Posted by Unknown

- Copyright © Technology for World -Metrominimalist- Powered by Blogger - Designed by Johanes Djogan -