Password leaks and targeted attacks are nothing new and the latest security bug related to a massive loss of passwords across the world is ‘Heartbleed’. This bug has received a lot of media coverage over the last few days, so there is a lot of confusion about what it is and what one needs to do to fix the issue.
This blog post aims to help you better understand what Heartbleed really is and what you need to do in order to secure your presence online. Heartbleed has affected about 17% (close to 500,000) of the web servers across the world, so there is a high chance that you are affected by this too. With that in mind, here’s what you need to know now.
Fact # 1: What exactly is Heartbleed?
Heartbleed is a security bug that affects servers that use OpenSSL, an implementation of SSL (Secure Sockets Layer) technology. When you log in to your email account, or make a financial transaction online, the server that hosts this activity is protected by SSL technology, which is denoted by the symbol of the padlock near the address bar and the unmistakable presence of “HTTPS” as a prefix of the URL itself.
Heartbleed is a bug that afflicts this very protective measure and exposes information that SSL attempts to protect. This means that sensitive information like passwords, credit/debit card details and more is susceptible to this bug and can be stolen.
It also means that there is nothing wrong with your PC or your antivirus software. This is an issue that needs to be dealt with by the people who run the websites that make use of SSL. Moreover, if you are surfing the Internet you will not be able to tell if a service you are using is affected by Heartbleed or not.
Fact # 2: Which websites and online services are affected?
While most of the sites that have been affected have taken corrective steps already, there are bound to be many more which are still working on it. If you use some of the following services then there is a high chance that your password and details may have been leaked.
Gmail, Amazon, SoundCloud, Yahoo Mail, Flickr, YouTube, Minecraft, Wikipedia, Tumblr, GoDaddy, Netflix, Dropbox
As you can see, the list is huge. There are several more services that have been affected, so the potential damage here is substantial.
This online tool can also help you ascertain whether a particular URL is afflicted or not. If you carry out online banking transactions, then we highly recommend that you change your account passwords. Also, check this tool to see if your bank’s online portal is affected by Heartbleed or not.
Fact # 3: What do you need to do?
While there is nothing specific that you can do to combat Heartbleed, one major precaution you should take is to change ALL your online passwords right away. This will ensure that if any of the services you use have been afflicted by Heartbleed, then at least your passwords will be safe. Apart from this, stay alert about any unusual activity on your accounts. If you feel something is out of the ordinary, take the necessary corrective steps as soon as possible. Moreover, spread the word about Heartbleed and inform your friends and family members as well.
WARNING: Be on the lookout for fake password reset emails
With so many people all over the world changing their passwords at the same time, there are bound to be several phishing emails about password resets. Be on the lookout for such emails and stay away from fake emails that ask you to change your passwords. Read here for some tips on how to recognize fake phishing emails.
Quick Heal will keep you updated about any further developments and news regarding Heartbleed, so keep checking back for more information.
144 Comments
nice…
Dear sir,
Thanks for giving precious information about changing passwords. Please advise whether banking account passwords are to be changed or all the passwords including passwords for email accounts are to be changed.
Hi SPS Bindra,
It is advisable to change all the passwords – email accounts and banking accounts. It is not yet known if banking accounts are affected, so it is better to change them so as to be safe.
Thanks and regards.
Can the password be hacked during changing them as well??
If yes, what process should be followed while changing them??
Hi,
No, the passwords cannot be hacked while changing them. You can safely change them.
Thanks.
thanks for your information
Dear Mr. Rahul Thadani,
It’s not advisable to change all your p/words in one setting!
Crucial first, others say in 10/15 days.
I change my banking p/word et al; in one setting, what guarantee
that my bank’s server is not infected? In the event my machine is
infected how do I know? Quick Heal will highlight it? Delete/repair!
What next?
How many servers including twenty odd mentioned by you – by name – have informed its users of the re-issuance of site certificate for their upgraded servers? That it has right version of Open SSL/TLS!
The bug has been around for last two years or so. Neel Mehta, Google security researcher & Codenomicon, Finnish security firm, discovered it on Monday April 8. Is a coincidence that since April 8, Windows XP patches will not be available & all are required to upgrade to Windows 8 & I’m expecting in about a year’s time Windows 9.0 will debut thereby Win8 will be redundant.
A wide array of distributions uses the cryptographic library, 66% of the world’s servers. There are online site checkers but not 100% accurate.
The bug – Heartbleed – CVE 2014-0160- [common vulnerabilities & exposures] can potentially leak 64 kbs of memory – single heartbeat. The attackers use from any server OpenSSL version 1.0.1, 1.0.1f, 1.02.beta, 1.o.2beta2, can read through the memory of the machine on the internet protected by the vulnerable software.
Regards,
Hi Vinay,
Thanks for your valuable insights and points. It is a coincidence that Heartbleed and Windows XP EOL came about at approximately the same time. But then again, nobody can say that for sure. However, with such a bug it is better to go through the trouble of changing passwords every once in a while, rather than risk keeping them the same and having them exposed to malicious parties.
Your points about Windows platforms are true as well. Nonetheless, this is something all users and software manufacturers have to live with. Do write back with further feedback if you have any.
Thanks and regards.
good
Thanks…
Very important and helpful information.
This is really very practical and real time warning which your esteemed institution has given its users. Will surely help. Another issue is that the financial institutions in consultation with ITES providing Anti-Virus solutions have mandatory obligation to protect their customers and clients.
Thanks & Regards,
Lt Col Sandeep Singh Bajwa.
Very rightly guided by you. Thanks. In future always guide like this.
super
Thank you Quick Heal for such an important piece of Information. I hope you guys will always try to keep us safe. I am earnestly looking forward to a newer updated article.
thanks! I’ll change my passwords right away.
The information was really helpful. Keep me updated.
Good one
It’s very useful
Thanks a lot for getting us updated.
Thank You For posting this information.
It’s very useful for us.
thanks sir
Thanks for information
Useful
Thank you for precious information.
Thanks for the info.
Is mobile browsing at the same risk level as Laptop/PC browsing?
Hi NV,
Yes, mobile browsing carries the same risks as laptop/PC browsing. Heartbleed is a bug with regards to the SSL security that websites use. So irrespective of where you access the site from, the risks are the same.
Hope that helps.
I have found some “heartbleed” folder in my windows 7 and deleted that. I have not marked exact location though. I am not confirmed that it was vulnerable or good. I have just deleted that folder. Please check your system folders carefully.
Thank you for this precious information
its really helpful attention…..thanks a lot…
Thanks for the useful information.
Thanks for the timely useful info, will change the passwords asap.
Is it safe with Quickheal ? Does Quickheal support the safety of my PC from this virus?
Hi,
As mentioned, Heartbleed cannot be controlled from your PC’s side. The host server needs to ensure that their data is secure by plugging this security bug.
Thanks.
Thank You For This Precious Information.
thanks
Suppose we change our bank a/c password, is it not possible that the new password also gets stolen? Then what is safety?
Hi Hasmukhrai,
There is no ideal frequency for changing passwords. It all depends on how many different devices you access your accounts from and what their security levels are like. Online banking account passwords usually need a change once in 6 months, but for other accounts it is quite safe to continue using the same password, as long as it is a good one.
Thanks.
sir please tell,how we can be safe by changing our password because it chance again may be leaked…….and to change password always its impossible….so give proper measure to overcome this problem……
Hi Amit,
Unfortunately, when such leaks happen, it becomes necessary to change passwords. So all we can do as users of such services, is to change passwords when these leaks occur.
Regards.
Thanks Quick Heal for this information.
Thanks
Congratulations Quick Heal, really you have given very, very useful information. Thanks for your support.
Thanks a lot for this important information.
thanks a lot
Thank you for Information
Thanks
People use their intelligence wrong way
Wish this intelligent people use their knowledge in a better way
God guide them on right track
thanks, keep informing me about the latest news on this topic
please tell me the frequency for changing the password/s because it is really difficult to memorise every changed password. my netbanker has stipulated changing password every six months (SBI NET, protected with VERISIGN). also keep advising about the latest info. thanks.
Hi Ravindra,
There is no ideal frequency for changing passwords. It all depends on how many different devices you access your accounts from and what their security levels are like. Online banking account passwords usually need a change once in 6 months, but for other accounts it is quite safe to continue using the same password, as long as it is a good one.
Thanks.
If I change the password now while the site is still affected, is it not possible that the bug would steal the new password too?
Hi Anup,
Ever since Heartbleed has been exposed in the public domain, all the major sites have been working to rectify the issue. With the amount of time that has now passed, it is safe to assume that most sites would have fixed this. If not, it would severely hurt their consumer base and their credibility. So, you can safely change your passwords now.
Thanks.
Grateful to the QHT that had given this vital information and thanks to their R&D team who have taken pains to diagnose this virus…….with regards
hi,
please guide about the online tool …you have given link to, in your article….
It shows some other website..
regards
Hi Hema,
It is fine to use this tool to check for Heartbleed.
Thanks.
Thank You For Your Precious Advice. Is There Any Software Which Can Protect Our PCs Against Heartbleed?
Hi Harshit,
There is no need for a software to protect your PC from Heartbleed. This is a security loophole in the host server so it is out of your PC’s domain.
Thanks.
good
very good useful information
Hats off for such a superb information. Keep it up!!!
thanks
sir
I m using Xperia C, it refuses to respond and screen goes black, ring comes and I m able to receive call only with idea what may b the reason.
Thanks
Hi Sachin,
To solve your issue, you are requested to call our support center on 0-927-22-33-000. Or visit this link to submit a ticket – https://www.quickheal.com/submitticket.asp. Our support team will help you rectify this issue immediately.
Thanks.
Is it necessary to change the 3D security number of credit card ?
Hi Sukomal,
Can you please elaborate on the question? Are you talking about the 3-digit security PIN at the back of the credit card? This number cannot be changed as it is unique for your credit card number. Moreover, it does not need to be changed as well.
Thanks.
Dear Rahul,
How do we know which website has been inflicted by Heartbleed?
Best
Anupam
Dear Anupam,
The link that is provided in the blog post allows you to check if a website has been affected or not.
Thanks.
good awareness/knowledge
but can you tell me all these host’s Database are 100% Infected or not and how can this bug work :-
Facebook,Gmail,Amazon,SoundCloud,Instagram,Yahoo Mail,Flickr,YouTube,Pinterest,Google,Minecraft,Wikipedia,Tumblr,GoDaddy,Netflix,Dropbox
Dear Hari Prasad,
Most of these hosts would have resolved the issue of Heartbleed by now, as their market value and credibility depends on that. This bug opens up the servers of these hosts and potentially exposes passwords that are stored on them.
Regards.
If the services are affected we are not able to detect the bug. In such situation, how much is it safe to reset the passwords of affected services ?
Hi Dr. Bipin,
Ever since Heartbleed has been exposed in the public domain, all the major sites have been working to rectify the issue. With the amount of time that has now passed, it is safe to assume that most sites would have fixed this. If not, it would severely hurt their consumer base and their credibility. So, you can safely change your passwords now.
Thanks.
is there any app to protect from Heartbleed for my phone
Hi Prashant,
What OS and version do you have on your phone? As of now, only Android 4.1.1 seems to be vulnerable.
Thanks and regards.
4.2.2 android
how safe is the online tool..if it is not from quickheal.
wont we be leading them to sites which are missing from the hackers files and yet to be infected.
al
Hi,
The online tool is safe. It merely allows you to paste a link of a site and tells you if it has been affected by Heartbleed or not.
Thanks.
Thanku for information
thnku
thnks
thanks
A very timely and effective information. Thanks.
Sir, which passwords should I change?
Dear Ganga Ram,
It is advisable to change passwords of all online services and accounts that you use.
Best regards.
There is a problem with my friend’s laptop. When ever she tries to use g-mail, google,youtube or any other google related websites, it shows this error
“CANNOT CONNECT TO THE ACTUAL G-MAIL WEBSITE. SOMETHING SEEMS TO INTERRUPT YOUR CONNECTION WITH G-MAIL. SO THIS RESTRAIN HAS BEEN PUT DOWN FOR SECURITY REASONS. PLEASE TRY REFREASHING PAGE AND TRY AFTER FEW MINUTES.” And “SSL Error” is written on her tab. she is facing the problem since 15 days or so .
Even her facebook page is not the usual one that we use, it is the crude one (seems her facebook is also affected).Please guide some solution to this.
Hi Shritama,
It seems this PC needs to be scanned with a proper software to look for any malware or dangerous applications. We would recommend that your friend installs a trial version of Quick Heal via this link – https://www.quickheal.co.in/download-free-antivirus. Once that is done, running a full scan would help. Moreover, she can then call our support center and speak to our technical experts who could solve this issue.
Hope that helps.
Thanks and regards.
Thanks
Very nice n useful to every one
Very important to every one
Nice one
Useful to every one
Amazing one
Important one
Very useful
Do you have any idea about Origin of The Bug?
Hi Prasoon,
A team of researchers working on OpenSSL actually created this bug due to a mistake in their coding structure. We believe this team operated out of Germany at the time.
this program not update…..
Hi Ashish,
Can you elaborate what program you are referring to?
Very useful.
Thanks for the security update, however I have a query, kindly correct if wrong. As updated to change all the passwords, however how often to change those? because aren’t the changed passwords vulnerable to Heartbleed attacks.
Hi Amit,
Ever since Heartbleed has been exposed in the public domain, all the major sites have been working to rectify the issue. With the amount of time that has now passed, it is safe to assume that most sites would have fixed this. If not, it would severely hurt their consumer base and their credibility. So, you can safely change your passwords now.
Thanks.
fine…thax
It is sad to see that most Indian banks do not allow their clients to include ‘special characters’ in the password field. Such a password is tougher to crack. Apart from that, they only permit a maximum of eight characters for passwords.
Kudos to Mr Rahul Thadani and the Quickheal group for the timely update and competent guidance. Surprisingly Quickheal has not been the antivirus software of choice of majority of corporates for their servers. How I wish they would be updated in time. Thanks again.
Thnks for the information
Using QH since 2 years
Fantastic Experience
Thanks
Dear sir, Changing of Password related towards financial transaction or all to be changed from heartbleed ? plz advise me
regards
bhaskar
Is my PC affected? How to identify?
Hi Bhalchandra,
This issue does not affect individual PCs. It affects the online servers of major services and websites. So you need not worry about your PC.
Thanks.
Thanks. You have provided very useful information.
After installing Quick heal..screwed up my laptop…getting restarted frequently while working…sm driver error with a blue screen.
Wish I had trusted on win 8.1 defender..
Hi Vikas,
We deeply apologize if Quick Heal has caused some issue on your laptop. However, since it works smoothly on almost all laptops, we request you to give us another chance. If you can call our support center on 0-927-22-33-000 or submit a ticket on this link – https://www.quickheal.com/submitticket.asp, we will resolve your issue immediately.
Thanks and regards.
Thanks for guidance and hope we will be promptly informed with your priceless effort. Thanks.
nice tip
Very useful information. No more confusion about Heartbleed.
Thank you very much.
it’s very nice. I liked it. Useful for everyone. Thank you for information.
Thanks for giving this type of info……….
Nice……….
Will the Bug affect while passwords are being changed?
Hi,
Ever since Heartbleed has been exposed in the public domain, all the major sites have been working to rectify the issue. With the amount of time that has now passed, it is safe to assume that most sites would have fixed this. If not, it would severely hurt their consumer base and their credibility. So, you can safely change your passwords now.
Thanks.
Sir,
On my PC the date and time changes automatically again and again, i doubt if it this related to Heartbleed,or if not please tell me why?
With regards
Sri
Hi Sri,
How old is your PC? When a machine has been used for a long time, the CMOS battery needs replacement as it keeps resetting the date and time. This could be one possible cause here. Can you let us know further details?
Thanks.
Well Sir, it was bought in 2010 and yes sir I use it quite frequently, so what should I do about “CMOS battery”, I mean how can I replace it? And sir I can’t quite understand what do you mean by further details, please can you list them, I mean is it like the company name or anything?
Thank you for answering!
Sri
Hi Sri,
Well you would need to visit a computer repair store and ask them to check the CMOS battery. They would be able to do so and provide a replacement. Alternately Sri, recommend you to call our support center on 0-927-22-33-000. They will be able to assist you with this issue.
Wish you the best.
Thanks and regards.
Thanks!
we also need to change ATM card pin ?
Hi Nitin,
No, you need not change your ATM PIN as that is not related to Heartbleed.
Thanks.
Hi Rahul.
Appreciate the Quickheal advisory on this important issue. I feel happy that our company has trusted Quickheal year after year to provide the best possible anti virus protection.
Hi Raj,
You are most welcome, and we are glad to be of service.
Best regards.
Isn’t there a risk while changing the password?
The changed password can also be hacked by heartbleed right?
Hi Mayur,
Ever since Heartbleed has been exposed in the public domain, all the major sites have been working to rectify the issue. With the amount of time that has now passed, it is safe to assume that most sites would have fixed this. If not, it would severely hurt their consumer base and their credibility. So, you can safely change your passwords now.
Thanks and regards.
Excellent. And thanks for the alert. Definitely me to will pass your information to as much possible.
my quick heal security every day shown as unsecured after starting PC but after restart , PC shown as secure for few hours then same problem shown as previous ..so how to solve this problem ..plz explain ..
Hello M S Pandit,
Kindly contact our customer support center on 0-927-22-33-000. Or submit a ticket at this link -> https://www.quickheal.com/submitticket.asp. They will help you resolve this issue immediately.
Best regards.
Nice advice
thanks sir,for the alert….I will take the right steps.
Hi
It is very good suggestion as well as effective.
Thanks
best antivirus N.1
Useful information. Thanks.
most helpful message ,to all users ,thanks
The information was really helpful. Keep me updated.
Sir, My PC virus infected by one kind of virus that no antivirus can scan it because it was .exe and .ink file and it directly affected on installer common shell. So I worried about this much. But I had trick solve that completely remove or uninstall my quick heal antivirus pro and reinstall it and got update by Internet and what happened that bloody virus had scan this time and after scanning was completed I had been prompt sent this virus to quick heal lab and I did that.
Hi Santosh,
So you are saying that the virus has now been detected by Quick Heal? If so, then thank you for the feedback and the trick.
Best regards.
Hi
I am using my Quick Heal Antivirus but I am getting problem to update it always. Why, please tell me and also give the solution.
Hi Amarendra,
In order to resolve this, we recommend that you contact our technical support team. They will be able to help you out the best. You can contact them on 0-927-22-33-000. Or you can also submit a ticket by visiting this link – https://www.quickheal.co.in/submitticket.
Regards.