How To: Drop Everything! Here's How to Secure Your Data After Heartbleed: The Worst Web Security Flaw Ever

This time it's serious. Really.

The largest web security vulnerability of all time went public on Monday, April 7th, 2014, resulting in widespread panic throughout the Internet as system administrators scrambled to secure their websites from the OpenSSL bug known as Heartbleed.

This bug is so bad, it not only breaks encryption, but causes affected servers to spit out all kinds of personal information, from user passwords, to credit card numbers and e-mail addresses, and even the private keys that make HTTPS encryption work in the first place.

Even worse, Heartbleed leaks all of this information without leaving any trace whatsoever. If you used the Internet at all, especially during the past week, chances are this bug has affected you in one way or another.

What Exactly Is OpenSSL Anyway?

OpenSSL is an open-source SSL (Secure Sockets Layer) encryption library used by hundreds of thousands of secure websites. Everything from banks and email to Amazon and Google relies on it to keep your connections encrypted.

You probably know it by the small lock symbol in your address bar, or the "https" (compared to just "http") you see at the beginning of a website's URL. It is used by almost two-thirds of the internet to secure the transmission of personal information from web applications, emails, instant messaging, online shopping, and even some VPNs.

The Heartbleed bug gives cyber criminals, hackers, and since Monday, curious bystanders a wide-open door to much of the private information we all thought was secured by SSL.

So, How the Heck Does All of This Work?

When your computer is setting up a secure connection with a website, some applications send a signal (or a "heartbeat") to the site's server through SSL. The heartbeat works by sending information to the server, which the server then sends right back in order to show that the connection is secure and working properly.

Applications can send a heartbeat using whatever arbitrary message they want, of whatever length they want (up to 64 kilobytes), and then check to make sure the response from the server is equal to what they sent.

For example, if the heartbeat consisted of the word BASED, which is five characters long, the application would tell the server "here's a five-character long heartbeat. Its value is BASED." The server would then receive the heartbeat request, and return the word BASED as a five-character long response.

So What's the Problem?

Due to the flaw in OpenSSL's implementation of this heartbeat, a giant leak was opened up. In short, the server wouldn't verify that the message sent was the length the application said it was, resulting in the server responding to malicious applications with an arbitrary amount of data that was left over in server memory. That memory could (and often does) contain sensitive information.

So, let's say the heartbeat being sent from your computer consists of the word BASED again, but this time the application tells the server that the information being sent is 64,000 characters long. Obviously this is not true, as the word BASED only contains five characters.

Once the server receives this information, instead of checking to make sure the message sent matches the stated length, it simply sends back the word BASED along with a total of 64,000 characters of whatever happens to be in memory after that point, in order to satisfy the request for a 64K heartbeat. As for the supplementary information contained in those 64,000 characters? Well, it can include private information, such as usernames and passwords for email, banking, and social media accounts. Worse yet, the private keys that keep SSL safe in the first place.

All the hacker needs to do is create a script, which could then do all the dirty work and grab information. In fact, many such scripts are now floating around the internet and are so simple to use that your computer-savvy little brother could be using one. Worst of all, you wouldn't even know they did it, as this exploit leaves no traces behind.

XKCD's latest posts sum it up quite well. (Images via xkcd.com: "xkcd on Heartbleed" and "xkcd Explains Heartbleed".)
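
The missing length check described above, as an added C example (not OpenSSL's code and not part of the original article): server memory is simulated in a fixed array so the pre-fix echo can be shown beside the kind of bounds check that closes the leak. The 3-byte header and 16-byte minimum padding follow RFC 6520, which the article does not spell out; the function names, the arena and its contents are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER  3u   /* 1-byte type + 2-byte claimed payload length */
#define HB_MIN_PAD 16u  /* RFC 6520: at least 16 bytes of padding */
#define ARENA_SIZE 128u

/* Constructed sample: simulated server memory. A 24-byte heartbeat record
 * carrying "BASED" is followed by unrelated data that sits next to it. */
size_t build_sample(uint8_t *arena, uint16_t claimed_len)
{
    static const char neighbour[] = "user=alice;password=constructed-example";
    size_t rec_len = HB_HEADER + 5 + HB_MIN_PAD;
    memset(arena, 0, ARENA_SIZE);
    arena[0] = 1;                               /* heartbeat request */
    arena[1] = (uint8_t)(claimed_len >> 8);     /* length the sender claims */
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + HB_HEADER, "BASED", 5);      /* payload actually sent */
    memcpy(arena + rec_len, neighbour, sizeof neighbour - 1);
    return rec_len;                             /* bytes actually received */
}

/* Pre-fix behaviour: echo as many bytes as the sender claims. The copy is
 * clamped to the simulated arena only so the demo stays well defined. */
size_t reply_unchecked(const uint8_t *arena, uint8_t *out)
{
    size_t claimed = ((size_t)arena[1] << 8) | arena[2];
    size_t avail = ARENA_SIZE - HB_HEADER;
    size_t n = claimed < avail ? claimed : avail;
    memcpy(out, arena + HB_HEADER, n);
    return n;
}

/* Fixed behaviour: drop the record unless header + claimed payload +
 * minimum padding fits inside the bytes that were actually received. */
size_t reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < HB_HEADER + HB_MIN_PAD) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed + HB_MIN_PAD > rec_len) return 0;
    memcpy(out, rec + HB_HEADER, claimed);
    return claimed;
}

int main(void)
{
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_sample(arena, 60);   /* claims 60, sends 5 */
    size_t n = reply_unchecked(arena, out);
    printf("unchecked reply: %zu bytes: ", n);
    for (size_t i = 0; i < n; i++) putchar(out[i] ? out[i] : '.');
    printf("\nchecked reply: %zu bytes\n", reply_checked(arena, rec_len, out));
}
```

With an honest length of 5 the checked path echoes BASED; with a claimed length of 60 the unchecked path also returns the neighbouring bytes, while the checked path silently drops the request.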

Which Sites Were Affected?

While the majority of websites across the internet that offer encryption and run on Linux were susceptible to this flaw, some were late to the party to fix the issue, which has since been remedied with an update to OpenSSL.

Out of all the victims, Yahoo got hit harder than most other sites because they were so late to patch the Yahoo Mail servers, exposing many of their users' passwords for more than 24 hours.

While some major sites and services like Google, Akamai, CloudFlare, and Facebook were warned ahead of the public disclosure, most have been scrambling to patch their servers as quickly as they can.

Other popular sites that were affected by the Heartbleed bug included Instagram, Pinterest, Tumblr, Intuit, Dropbox, Minecraft, Imgur, Flickr, RedTube, OkCupid, and XDA, but all have been patched now. However, this does not mean that all sites on the web have been fixed, or that your data wasn't compromised before they were.

This bug was introduced into the OpenSSL source code over 2 years ago. Because exploiting it can be done without leaving a trace, it's safest to assume that all our passwords have been compromised.

The programmer who introduced this bug has denied conspiracies that this flaw was intentional, but even so, it's very possible that the NSA's cryptographers (as well as those of other governments) had silently discovered this bug earlier on and have been using it to intercept sensitive communications.

How to Protect Yourself

If you've used your computer since Monday to log in to banking sites or check your email, there's a very high chance that your passwords have been stolen, even though most banks state they weren't susceptible to this bug. If you've logged into any secured site in the past two years, it's safest to assume the same.

Step 1: Don't Visit Websites That Are STILL Vulnerable

Yes, there are still sites out there that are vulnerable, either because they don't know about the bug yet, or haven't been able to patch it just yet. To check if a website is currently susceptible to the Heartbleed security flaw, head over to the Heartbleed checker and type in the full domain name of the site in question.

If you see anything other than the red note stating the site is vulnerable, then it's safe. Either the site has already been patched, or was never susceptible in the first place. And just for the record, WonderHowTo was not affected, so don't worry.

If you do see the red vulnerable message, DO NOT VISIT THAT WEBSITE AND DO NOT TRY TO CHANGE YOUR PASSWORD YET. Doing so would only increase your chances of having your information stolen.

Step 2: Change All of Your Passwords

This is not a drill. Once you've verified that a site is not vulnerable using the link above, visit it and change all of your passwords. This is especially important for Yahoo users as knowledge of their vulnerability became widespread on Monday and Tuesday. Here are a few tips to use when creating your new passwords:

- Use passwords that consist of eight characters or more that contain special characters, like any of the ones that live on the number row of your keyboard.
- Do NOT use the same username/email and password combination for multiple sites. If someone hacks into one of your accounts, they'll be able to hack into ALL OF YOUR ACCOUNTS.

Which brings us to our most important step...

Step 3: Use a Password Manager

Face it. You can't remember all of these passwords. Nobody can. It's time to get yourself set up with a secure password manager application that will lock everything down for you. The good news is there are some very trustworthy options available. We like LastPass and Dashlane the best. Both consist of web browser plugins that replace your browser's very insecure password manager, encrypting your passwords with a master password that is never stored anywhere.

That's right... Your master password never leaves your computer. It's used to generate a strong private key that encrypts and decrypts all your data locally, before ever sending anything online. Even if someone were to hack your computer—and the LastPass or Dashlane servers—they still wouldn't be able to get your passwords without your master password (which is never sent over the internet).

We found Dashlane to be the easiest to set up and use as it grabs all your currently saved passwords automatically, but its pro version (which securely syncs encrypted versions of your passwords across Macs, PCs, Androids, iPhones, and iPads) is a little more expensive than LastPass.

LastPass is powerful, but does occasionally get confused about what your current password is when you go to change your passwords. Again, they offer a free version, but you have to pay for the pro version to sync with your mobile phone. Still, at $12/year, there's really no excuse. Frankly, I'd be far less inclined to trust them if they didn't charge for the service.

How to Use Dashlane

The good news is, it's so easy, you won't need a tutorial. Just head over to their website and install the software. It'll walk you through everything, automatically pulling in and encrypting any saved passwords from all your web browsers.

The biggest reason why I prefer Dashlane is if you forget your master password—tough luck. That is the only key to your data. There is no way to override it.

That said, the premium version that syncs across your various computers, tablets, and phones is a little more expensive at $30/year, so LastPass's free version is going to be your best bet if you're allergic to spending money.

How to Use LastPass

Downloading LastPass on your Windows or Mac is pretty easy. Just head over to the LastPass website and download the version specific to your PC.

Once it's downloaded, you'll be asked to create an account for LastPass. All you need is an email and a good password. Once that's done, make sure to have all of your web browsers closed because installing LastPass will automatically close & re-open them. Install and proceed when ready.

There will be slightly different ways of setting up the program depending on the browser you use. Below, you can see LastPass being installed on Chrome as an extension, which is simple enough to do. The Chrome extension will then create a LastPass icon at the far right of the address bar. Tap on it and log in with the credentials you entered earlier in the installation stage.

Now feel free to log in to any one of your banking, email, or social media accounts. In the login boxes, you'll see two small asterisks indicating that LastPass is at work, ready to securely encrypt your passwords using your master password. Your web browser will ask if you want LastPass to remember this password and username combination for the future. If you select yes, it will redirect you to the LastPass settings. All of the information will be filled out automatically, so just click "Save" at the bottom when you're ready. You can also change the password for this specific account here.

If you tap on the LastPass icon in the address bar, you can check out the following:

- LastPass vault
- Sites that you've secured through LastPass
- Forms (info, credit cards) that you've filled out and saved
- Generate a random password
- Encrypted notes

It took me about five minutes to set everything up, and I suggest you do the same.

What if You Lose Your Master Password?

If you forgot your master password for your LastPass account, not to worry. You can simply get an email sent with a temporary password to log in, where you can then enter a new one. This peace of mind may be helpful to some, but the fact that this data is recoverable without a master password leaves me a little uneasy.

Step 4: Clear Your Browser's Stored Passwords

Once you've safely locked down all your passwords in your new password manager, it's very important that you don't forget to clear the passwords your browser has saved. Many people don't realize this, but today's modern web browsers (with the surprising exception of Internet Explorer on Windows 8) still save unencrypted copies of all your "remembered" passwords in plain text. Here's how to clear them (and see them).

In Firefox

1. Click the "Firefox Menu"
2. Click "Options" or "Preferences"
3. Click the "Security" tab
4. Click "Saved Passwords..."
5. Click "Remove All"

In Chrome

1. Click the "Chrome Menu Button" in the upper-right
2. Click "Settings"
3. Click "Show advanced settings..." at the bottom
4. Click "Manage saved passwords" under "Passwords and forms"
5. Highlight all of the websites in the list
6. Press "Delete" on your keyboard.

In Internet Explorer

If you're on Windows 8 or newer, your Internet Explorer passwords are stored securely, so no need to clear them.

1. Open "Tools" (or the "Gear Menu") and click "Internet Options"
2. Click the "Content" tab
3. Click "Settings" under "AutoComplete"
4. Click "Manage Passwords"
5. Remove each one

In Safari

1. Click on the "Safari" menu
2. Click on "Preferences"
3. Go to the "Passwords" tab
4. Highlight all of the websites in the list
5. Hit the "Remove" button

Step 5: Change Chrome's Default Settings

By default, Chrome doesn't check for revoked SSL certificates. If that makes no sense to you, don't worry. Just know that checking a box will keep you more secure. Here's our guide on how to fix it.

Stay Safe, Stay Secure

That's it! Going forward, if (or rather when) the next security breach happens, you'll have the peace of mind of knowing that just one password was compromised, and resetting it is as easy as visiting that one site and having your password manager generate a new secure password for you so that you won't have to worry about remembering.

You also won't have to worry about which other sites you've been using the same password on.

Original bleeding heart and passwords code images via Shutterstock

