Heartbleed bug an internet 'catastrophe'

Security flaw puts the sensitive information of millions of users at risk and forces system changes on major global websites.

Your antivirus software can't fix it

If you use the internet (and we ALL do) you will need to change most if not all your passwords and restrict your internet usage for at least several days.

That's the message from security experts following the discovery of a massive internet security flaw codenamed Heartbleed that could affect up to two-thirds of the world's websites.

The bug is contained in OpenSSL, a technology commonly used to protect usernames, passwords, and sensitive information on secure websites. It potentially poses several threats that put private information at risk. The bug isn’t a problem with PCs or software, but with the internet itself, so antivirus software on your PC won’t fix it.

The companies behind major websites, software and mobile apps are scrambling to fix the flaw, then resetting the passwords for everybody, forcing users to change them before being able to log on or use the software.

GE Money products affected

GE Money has recommended that its customers change their passwords, revealing that those using the 28 Degrees Mastercard, Coles Mastercard and Myer Visa Card, among other GE Money products, are vulnerable to Heartbleed. The sites are either already patched or in the process of being patched, but the damage may already have been done.

Extent of the problem

Not all websites are affected by the bug, however. Sites using some older versions of OpenSSL and those using the latest version of OpenSSL, called Fixed OpenSSL, are not vulnerable. However, many if not most are thought to be using an older version that contains the vulnerability. While the bug has only just been discovered, it has been a potential risk for more than two years.

Heartbleed is causing headaches for system administrators everywhere as they scramble to patch the fault and advise users on when it is safe to change their passwords.

The bug is potentially the most widespread vulnerability in the history of the internet because it affects the security technology that runs most web services worldwide, OpenSSL. The very fact that OpenSSL is an open-source software tool, and therefore free to implement, is largely responsible for its web-wide popularity.

Security expert Bruce Schneier has described the Heartbleed bug as "catastrophic", saying that "On a scale of one to 10, it is an 11."

Gmail, Yahoo, and Facebook were among major websites affected by the Heartbleed bug before they issued a fix. It is believed that most major sites have now patched the bug, but users will still need to change their password once the patch is in place.

While first thought to be just a software problem affecting certain web servers, it has since been revealed that the problem could exist in network hardware such as firewalls, switches, routers and modems.

Networking vendors Cisco, Juniper Networks, Fortiguard and F5 Networks have reportedly revealed that some of their products are affected by the bug and have issued security alerts, as has network storage maker Synology.

The full ramifications of the Heartbleed bug are not yet known, nor is there a clear date by which the problem will be completely eradicated.

The IT Manager at CHOICE, Stephen Macdonald, said CHOICE’s servers are not exposed to this vulnerability.

What you can do

Importantly, users need to ensure that any site which requires a password addresses the problem before using it. Don’t use the site or change your password until they notify you the problem has been fixed.

However, it is likely that most websites you use that require a secure login are affected. Here's what you can do to help safeguard yourself:

  • Check websites before using them. You can check the web address of a site to see if it is vulnerable to the Heartbleed bug here.
  • Change your passwords on all websites that you log on to, but first check that they’ve been upgraded to fix the issue. If unsure, contact the managers of any website you use to see if they have addressed the problem.
  • Watch your financial statements and report any suspicious charges.
  • Restrict your use of websites that use any of your sensitive data for a few days to allow IT managers time to patch vulnerabilities.
  • Get a password manager. While IT managers are racing to repair the damage, users have to wait for notification before they can change their affected passwords, because changing a site password is only useful after the site has been patched. Using a password manager can make the process more manageable, as a password manager keeps track of all your passwords for you, securing them behind one single master password. Password managers also let you more easily keep track of all your passwords in one place, changing them as necessary and even creating more secure password combinations for you. For more on password managers, see the CHOICE Password Manager software review.

More detailed information on Heartbleed can be found at the Heartbleed site.
