
The Heartbleed Vulnerability: What It Is and How It Affects You

By Gary Davis on Apr 10, 2014

NOTE: McAfee has released a Heartbleed Checker tool to help consumers easily gauge their susceptibility to the potentially dangerous effects of the Heartbleed bug. You can access the tool at: http://tif.mcafee.com/heartbleedtest

===========

Many of you may have heard the term “Heartbleed” over the past few days and wondered what it is and why people are so concerned about it. Heartbleed is the name of a serious security vulnerability in OpenSSL, the software that protects connections for roughly two-thirds of active websites (not every one of those sites was running a vulnerable version, but a great many were). It can expose your login information, meaning your username and password, and other sensitive information about you to anyone who knows how to ask for it.

What is Heartbleed?

It is important to understand that Heartbleed is not a virus. It is a bug, a programming mistake, in OpenSSL, an open-source software library that implements SSL/TLS, the encryption that protects traffic between you, the user, and the servers of most online services. The bug lets an attacker read chunks of a server’s working memory, which can contain whatever the server happened to be handling at that moment: usernames, passwords, session cookies, and even the server’s own private encryption key. It does not let an attacker read a service’s databases directly, but the memory of a busy server holds a constant stream of exactly this kind of data. The flaw is tracked as CVE-2014-0160 and affects OpenSSL 1.0.1 through 1.0.1f; the fix shipped in OpenSSL 1.0.1g on April 7, 2014. The older 0.9.8 and 1.0.0 branches never contained the heartbeat code and were not affected.

What Should I Do?

The first thing to do is check that your online services, like Yahoo and PayPal, have updated their servers to fix the Heartbleed vulnerability. Do not change your passwords until you have confirmed this. Many outlets are reporting that you should change passwords immediately, but Heartbleed is a flaw in the server’s software: if the server has not been patched (and, ideally, had its certificate reissued, since the private key may have leaked too), a new password can be stolen the same way the old one could.

How Do I Check For Heartbleed?

Mashable has a list of popular websites affected by the Heartbleed vulnerability. You can view that list here, but keep in mind that it is not comprehensive. If you are concerned about a website you use, you can check it with McAfee’s Heartbleed Test Tool. If a website shows up as vulnerable, that means it has not yet been patched and you should wait to change your password. Keep in mind what a negative result can and cannot tell you: it means the site does not respond to a malformed heartbeat now, either because it was patched or because it never ran the affected code, but it cannot tell you whether the site was vulnerable before it was patched.

Services, too, ought to be sending emails to you over the next few days telling you they were affected by Heartbleed and have since updated their servers. When you get these emails you should go and update your password. But beware: this is a prime time for phishing attacks—attacks which impersonate services in order to steal your credentials—so be extra careful when viewing these messages.

You can detect a phishing attack by poor grammar, suspicious graphics that don’t quite fit the company, and emails asking you to enter your password and username. Some services affected by Heartbleed will have automatically logged you out. Some may have provided you links to change your password. In order to protect yourself from phishing attacks, do not click on those links. Instead, manually head to the website yourself, log in and then change your password.

A Deeper Look at Heartbleed

To understand what Heartbleed does, we need to explain what SSL is, and by extension, what OpenSSL is and what it does.

SSL is shorthand for Secure Sockets Layer, the protocol (long since succeeded by TLS, Transport Layer Security, though the old name stuck) that lets information travel between you and a service without a third party being able to read it. OpenSSL is an open-source implementation of SSL/TLS, maintained largely by volunteers with the help of a community of programmers, and it is the implementation most web servers use.

TLS includes an optional “heartbeat” extension (RFC 6520), which is where this vulnerability gets its name. A heartbeat is a small keep-alive message: one side sends a heartbeat request containing a short piece of data plus a number stating how long that data is, and the other side sends the same data straight back in a heartbeat response. Either side can send one at any point during a connection to confirm that the other is still there. The heartbeat is not required for SSL/TLS to work; it is a convenience that OpenSSL compiled in and enabled by default.

Heartbleed abuses this exchange. The attacker sends a heartbeat request that claims its data is far longer than it actually is, up to 65,535 bytes. A vulnerable server never checks the claim: it copies as many bytes as the request asked for, starting at the tiny real payload and continuing into whatever happens to sit next in its memory, and sends all of it back. Nothing about the request is logged by default, and the attacker can repeat it as often as they like to collect more memory. What comes back is a random sampling of the server’s recent activity: email addresses, usernames and passwords from other users’ logins, session cookies, and possibly the credentials or private keys belonging to the company running the server. That gives attackers a way to impersonate users, and potentially the service itself, across the Internet.
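The heartbeat exchange just described, and the check that a Heartbleed test tool (like the one linked at the top of this post) performs, can be modelled in a few dozen lines. The following Python is an added example, not OpenSSL’s code and not McAfee’s tool. It assumes the server’s memory is a bytearray holding the heartbeat record followed by constructed “secret” data, shows the records unencrypted, and gives `fixed_handler` the bounds check from the OpenSSL 1.0.1g patch (a request whose claimed length does not fit in the record that carried it is dropped). `SECRETS` and the `hello` payload are made-up sample input.

```python
"""Model of the TLS heartbeat exchange (RFC 6520) and the Heartbleed over-read.

Added example, not OpenSSL's code. Memory is a bytearray, records are shown
unencrypted, and fixed_handler uses the 1.0.1g check
(1 + 2 + payload_length + 16 > record length means the request is dropped).
"""
import struct

HEARTBEAT_CONTENT_TYPE = 0x18   # TLS record content type for heartbeat
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16                # RFC 6520 minimum padding after the payload


def tls_record(content_type: int, body: bytes, version=(3, 2)) -> bytes:
    """Wrap a body in a TLS record header: type | version | length."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(body)) + body


def build_heartbeat(claimed_len: int, payload: bytes) -> bytes:
    """HeartbeatMessage: type(1) | payload_length(2) | payload | padding.

    claimed_len is what the sender *says* the payload length is. An honest
    sender uses len(payload); Heartbleed is what happens when it lies.
    """
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * PADDING_LEN


def classic_probe() -> bytes:
    """The minimal probe the 2014 test scripts sent after a ClientHello:
    a heartbeat request with no payload that claims 16384 bytes."""
    return tls_record(HEARTBEAT_CONTENT_TYPE, struct.pack("!BH", HEARTBEAT_REQUEST, 0x4000))


def vulnerable_handler(memory: bytearray, offset: int, record_len: int):
    """Pre-1.0.1g behaviour: trust payload_length and echo that many bytes."""
    _, claimed = struct.unpack_from("!BH", memory, offset)
    start = offset + 3
    # Copies past the end of the record into whatever follows it. In a real
    # process this runs on into the heap; here it stops at the arena's end.
    echoed = bytes(memory[start:start + claimed])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + echoed + b"\x00" * PADDING_LEN


def fixed_handler(memory: bytearray, offset: int, record_len: int):
    """1.0.1g behaviour: drop a request whose claimed length does not fit
    inside the record that carried it; otherwise echo exactly the payload."""
    _, claimed = struct.unpack_from("!BH", memory, offset)
    if 1 + 2 + claimed + PADDING_LEN > record_len:
        return None                      # silently discarded, no response
    start = offset + 3
    echoed = bytes(memory[start:start + claimed])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + echoed + b"\x00" * PADDING_LEN


def analyse(sent_payload: bytes, response):
    """What a checker concludes: any echoed bytes beyond what we sent
    came from the server's memory, so the server is vulnerable."""
    if response is None:
        return "not vulnerable (request dropped)", b""
    hbtype, length = struct.unpack_from("!BH", response, 0)
    echoed = response[3:3 + length]
    extra = echoed[len(sent_payload):]
    if hbtype == HEARTBEAT_RESPONSE and extra:
        return "vulnerable", extra
    return "not vulnerable", b""


# Constructed sample of what a busy server holds in memory next to our request.
SECRETS = b"POST /login user=alice&pass=hunter2 Cookie: session=3f9c0a17 "


def run_exchange(claimed_len: int, handler) -> dict:
    """Send one heartbeat with the given claimed length to the given handler
    and return the checker's verdict plus any bytes leaked."""
    payload = b"hello"
    record = build_heartbeat(claimed_len, payload)
    memory = bytearray(record + SECRETS)      # request sits right before the secrets
    response = handler(memory, 0, len(record))
    verdict, leaked = analyse(payload, response)
    return {"verdict": verdict, "leaked": leaked}


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_handler), ("fixed", fixed_handler)):
        honest = run_exchange(len(b"hello"), handler)
        attack = run_exchange(0x4000, handler)
        print(f"{name:10s} honest request: {honest['verdict']}")
        print(f"{name:10s} attack request: {attack['verdict']}, {len(attack['leaked'])} bytes leaked")
        if attack["leaked"]:
            print("   ", attack["leaked"].strip(b"\x00")[:60])
    print("classic probe record:", classic_probe().hex())
```

The honest request echoes five bytes from either handler; the lying request pulls the login and cookie out of the vulnerable handler and gets no reply at all from the fixed one. That asymmetry is exactly what a checker looks for: it sends the probe and reports “vulnerable” only if the server answers with more than it was given.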

The severity of this vulnerability is hard to overstate. Major enterprises rely on OpenSSL, and it had long been regarded as a trustworthy way to protect data in transit. Again, the best thing you can do to protect yourself is to determine which of the sites you use were affected (through one of the tools listed above), wait until they have been patched, and then change those account passwords.

Here are some tips for changing your password:

  • Create a unique password for every site you use. Each should be at least eight characters (longer is better) and mix letters, numbers and symbols, and no password should be reused on a second site; if one site leaks it, every site that shares it is exposed. This is the bare minimum.
  • Use a password manager. Using a password manager is becoming less a matter of convenience and more a matter of security. It’s difficult enough to remember whether you locked your door this morning; remembering a unique password for every site is nearly impossible. A password manager does this for you. Because it fills passwords in rather than having you type them, it also limits what keystroke-logging malware can capture, though it is no substitute for keeping your computer clean.
  • Enable two-factor authentication. Two-factor authentication requires something you know, like your password, and something you have, like your phone. Not every website offers it, but where one does, turn it on: a password stolen through Heartbleed is far less useful on its own.

For the protection of your data, assume that your credentials may have been exposed through Heartbleed and, once each site has been patched, change your passwords accordingly.

To keep up to date with the latest in online security, and for more information on the Heartbleed vulnerability, follow us on Twitter at @McAfeeConsumer and Like us on Facebook.

Gary Davis

52 Comments

  • G

    What SSL had the defect and what SSL version should we be using?

  • I just downloaded McAfee Internet Security and was given a serial number to input upon the downloading process. This is not a step that I’ve normally had to do in the past. Is this a new procedure? Just want to ensure that your site hasn’t been compromised. Thanks for your attentiveness.

  • Diane Blanarik

    I believe I am infected on my main computer. I purchased a new version of McAfee and now I cannot get into IE and all web pages are blocked giving the reason Family Protection will not allow entrance. HELP!!!

  • Paul

    Bob
    April 13, 2014 at 5:02 pm

    Can’t Mcafee’s tool separate ‘not using ssl’ and ‘other issue prevented scan from completing’ in the ‘Vulnerability not detected outcome?’ Doesn’t seem like one can be confident if this outcome results from the scan.
    I agree with Bob’s statement above; I’ve tried running all the financial websites I access through the heartbleed test tool and every one comes up as Vulnerability Not Detected.
    Any suggestions?

  • I am confused. What is my URL and/or IP , I have no idea where to look for these. Thanks for your input, jrvt

    • McAfee

      Hi JRVT, your URL is the link that displays when you visit a website (i.e. www.mcafee.com). Your IP address is a numerical value assigned to your computer based on your location. You can find your IP address here: http://whatismyipaddress.com/. Hope this helps.

  • Hello,
    I followed all the rules McAfee provided on this page regarding the Heartbleed vulnerability.
    I have been a subscriber to McAfee AntiVirus Plus software for years.
    In the article provided by Yahoo News there is a suggestion to install a so-called "Chrome browser plugin" offered by BGR.
    Is this really necessary if I have McAfee full protection and active monitoring programs and also run a McAfee full scan of my computer more frequently than scheduled?
    I would appreciate your answer,
    Thank you,

    GIERDAS

    • McAfee

      Hi Gierdas, thank you for your loyalty to McAfee! You do not need to install this Chrome browser plugin if you have the McAfee AntiVirus software installed. The purpose of the plugin is to alert you when sites you visit have been infected by Heartbleed. We also have a tool available to help notify you of which sites are vulnerable, you can find it here: http://tif.mcafee.com/heartbleedtest.

  • Terry

    Can the code for the test be downloaded? We need to check addresses that are internal

  • Have enjoyed your services since ’09. I have gotten excellent service and feel secure with you "watching out" for me as I roam the internet for Genealogy research! The articles I have been reading are very clear for a novice like me. Keep it coming!!!

  • Chadwyck Chung

    It took me forever, but all my passwords are up-to-date! So many people’s social insurance numbers have been compromised since Friday because I think the media put this information on television too quick before the patch could get applied. Over 900 Canadians were affected when they filed for income tax. From that point, I made sure that everything was changed.

  • When I click on the tool to check websites:

    http://tif.mcafee.com/heartbleedtest

    It brings up a "This page can’t be displayed" message. What gives?

    B.

    • McAfee

      Hi Bryan, The tool should be working properly. Please try clearing your cache if you’re still having an issue. The link is: http://tif.mcafee.com/heartbleedtest. Thanks!

  • Rob Lilly

    Thank you for the informative message concerning Heartbleed and OpenSSL. However, I recently read an article titled Heartbleed from Wikipedia which noted: "In addition, the Common Vulnerabilities and Exposures database, associated with the US Department of Homeland Security, advises that the following companies have had their software/products affected by Heartbleed: – McAfee and in particular some versions of software providing anti-viral coverage for Microsoft Exchange, software firewalls, and McAfee Email and Web Gateways" Is this statement true? If so what measures have you taken to mitigate the risk to customers?

    • Gisela

      I had the same problem and found out my browser was hijacked. The virus software did not help, I had to install a separate spyware removal system.

    • McAfee

      Hi Rob, ensuring customer privacy is one of our top concerns. Upon learning of potential issues with vulnerable OpenSSL, McAfee began working to identify which products use the vulnerable OpenSSL versions in order to replace them with the fixed version. Product updates will be released as updates become available on a per-product basis. Please see our security bulletin for more info: https://kc.mcafee.com/corporate/index?page=content&id=SB10071

  • My computer has been acting strange for a couple of weeks. I was doing something online and I got this notice to download a program that allowed me to watch online videos. In the process of downloading it I decided not to do it, but my computer is acting strange. When I go to an online site I get redirected to a different site. I have to keep cancelling the redirection. I had McAfee scan my computer and they found no virus, but something is wrong. Would you have any idea what is going on with my computer? I do believe I have a virus even though none are detected. Thanks.

    • McAfee

      Hi Virgil, Can you please email social@mcafee.com with your email address, time zone, and issue? We will help make sure you get this issue sorted out. Thanks!

  • Bob

    Can’t Mcafee’s tool separate ‘not using ssl’ and ‘other issue prevented scan from completing’ in the ‘Vulnerability not detected outcome?’ Doesn’t seem like one can be confident if this outcome results from the scan.

  • Max Kaufmann

    This is exactly why I will remain with mcafee forever. Thank you so much for this information, and actually caring about your customers.

    Max
    Clifton, ME.

  • An excellent article, I was able to learn a lot about Open SSL and the Heartbleed problem.

    Thank you.

  • How do we know we are in danger.
    How can we protect ourselves from being affected

    • McAfee

      Ann – check out our free Heartbleed Checker tool at www.mcafee.com/heartbleed to see if the sites you go to are vulnerable.

  • Rae Coe

    Thank you very much for such an extensive and understandable explanation of the heartbleed vulnerability, the risks, and the neat practices. I especially appreciate the proactiveness!

    • McAfee

      We’re glad this was able to provide an easy to understand explanation for you. If you like this, you can follow us on Twitter @McAfeeConsumer or like us on Facebook (www.facebook.com/mcafee)

  • P GABBERT

    just TY, McAfee !!!! appreciate the info about the HB virus

  • John Parr

    You advise using a password manager – such as?

    • McAfee

      John, McAfee has a password manager included as part of our McAfee LiveSafe product. You can find more information at www.mcafee.com/livesafe.

  • Ben Leigh

    Thank you for providing this valuable tool to protect me on the internet!

  • Steve Williams

    Great job guys! Thanks for the e-mail and info. I will be renewing my subscription soon.

  • Judy Kellogg

    Thank you for this information.

  • Mel

    What is a password manager and where do I find one?

    • McAfee

      A password manager is a tool that will help you create strong passwords as well as remember them for all your sites, so you just have to remember one password. That way you can have long and strong passwords for all your sites, but don’t need to have them written down or memorized.

      McAfee has a password manager that is included with our McAfee LiveSafe product. You can find out more about this at www.mcafee.com/LiveSafe.

  • Have already been attacked with phone calls from India under Microsoft updates?
    But you seem to handle the threats OK, thank you! Ken Taylor.

  • Virginia Anderson

    THANK YOU! Most of my services have said nothing, zero, nada, zip, and so it’s really great to have McAfee communicate and share lists and tools.

    • McAfee

      You are welcome! We recommend you use our tool if you have any sites that you are unsure about the safety. Our tool is at www.mcafee.com/heartbleed

  • How do I look after myself and find out if my iPad is safe? Will McAfee look after me and check if my iPad is safe? Thanks for your
    email, all the best, Mel.

    • McAfee

      Your best bet is to use our tool to see if the sites you visit are affected. You can find our tool at www.mcafee.com/heartbleed

      If you have questions about the device itself, we recommend you contact Apple.

  • Margaret R. crotts

    I thank you for the warning of heartbleeed

  • Frances OMalley

    I received a message that said it was sent by McAfee and I changed passwords for a couple of websites. Was this a false alert? I am a senior and am very worried that my computer has been compromised. McAfee keeps sending a pop up that false alert has been detected. Is there anything I should do?

    • McAfee

      Frances – can you send us an email to social@mcafee.com with your email address so we can have our support team help you? Thanks!

  • I have never heard of such a program or whatever. How would one go about getting a manager? I have used my same password for almost everything I have and am not sure how to change a password on many of my sites. I really don’t know how to change my password for my log in. I have tried to find a way but I am not able to do it. Can someone assist me, or would a password manager do this? Thank you in advance. CMB

    • McAfee

      McAfee has a password manager that comes with our McAfee LiveSafe product, which you can find out more about at www.livesafe.com. Our password manager will not only help you remember all your passwords but help you create strong ones.

  • PRAMILA SAGGI

    Thank you for the information. My computer is very slow and outdated; I have an iPad which I use more, but it is connected with my computer.

  • Joyce Williams

    Thanks for the warning. I will beware.

  • Thank you for warning me of this pest I will keep a watch.
