Wetin Bleed? *Naija Tone*
In the past few weeks the term Heartbleed has been bandied around, and the subject has even been extensively discussed by members of 'the Republic' (#TechRepublic): Edward Tagoe, Kwabena Akuamoah Boateng, Joseph Dankwah, Jason Derek Bossman, Ethel Cofie, Naa Oyoo Quartey, Macjordan Degajor, Emeka Okoye, Yao Kuwornu and myself.
The Republic having a selfie time with the US Ambassador to Ghana, Gene Cretz
Heartbleed has left people wondering how much of their data is compromised, with some people hastily changing passwords amongst other things. Changing your password before the affected service has resolved the flaw, though, does not make you secure.
Heartbleed is not a virus, but rather a mistake written into OpenSSL, the open-source software used to implement SSL across the Web. It is a security vulnerability in the OpenSSL software that may affect nearly two-thirds of websites online and allows hackers to read data from servers that may contain usernames, passwords and other sensitive information.
With the disclosure of a bug in OpenSSL's implementation of heartbeat, it is no longer necessary for cybercriminals to hack into a server to steal credentials or private keys. Running a small piece of code is enough to hand them a wealth of information, just by exploiting the vulnerability in OpenSSL. While this is happening, the server admin will never know that their server has been exploited, or how much information has been leaked by the exploit.
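To make that "mistake" concrete, here is an added Python example (not code from the post or from OpenSSL) of the one check a heartbeat handler must perform: the length claimed inside the message is attacker-controlled and has to be compared with the number of bytes actually received before anything is echoed back. The message layout follows RFC 6520; build_heartbeat is a constructed helper for making test records.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding after the payload


def build_heartbeat(payload: bytes, claimed_length=None) -> bytes:
    """Constructed test helper: type (1 byte) | payload_length (2 bytes) | payload | padding.
    claimed_length overrides the length field so a malformed record can be built."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def parse_heartbeat(record: bytes):
    """Return (payload, None) for a well-formed record, else (None, reason).
    This is the comparison the buggy code skipped: the length field must be
    checked against the bytes actually received, not trusted as-is."""
    if len(record) < 3:
        return None, "record shorter than the 3-byte heartbeat header"
    hb_type, payload_length = struct.unpack("!BH", record[:3])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None, "unknown heartbeat type"
    if 3 + payload_length + MIN_PADDING > len(record):
        # Echoing payload_length bytes here would copy memory beyond the record.
        return None, "payload_length exceeds the received record; discard silently"
    return record[3:3 + payload_length], None


def respond_heartbeat(record: bytes):
    """Server side: build the response only from a validated payload."""
    payload, err = parse_heartbeat(record)
    if err:
        return None
    return struct.pack("!BH", HEARTBEAT_RESPONSE, len(payload)) + payload + b"\x00" * MIN_PADDING


if __name__ == "__main__":
    good = build_heartbeat(b"hello")
    bad = build_heartbeat(b"hello", claimed_length=65535)  # lies about its size
    print(parse_heartbeat(good))
    print(parse_heartbeat(bad))
```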
Security researchers found that SSL/TLS, the encryption technology that provides communication security and privacy over the network for applications such as web-based applications, email and VPN, had this security flaw. This encryption technology, used to safely transmit e-commerce transactions, email, social networking data and other Internet traffic, was affected by Heartbleed, and the flaw was enough for hackers to access users' sensitive personal information.
This vulnerability allows anyone to steal information which under normal circumstances is protected by SSL/TLS encryption. Therefore, attackers can steal a server's digital key, which is used to encrypt data, and get easy access to an organization's sensitive documents.
Security researchers also add that this newly discovered security vulnerability is extremely dangerous, as it remained undiscovered for more than two years. However, Wolfgang Kandek, chief technology officer of the Redwood City security company Qualys, said that it still remains unclear whether hackers have taken advantage of the flaw to steal sensitive data from vulnerable sites.
Organizations such as Yahoo have come out to declare resolution. However, is it just a publicity stunt to allay fears, or have they truly resolved the issue?
Researchers at Codenomicon say that OpenSSL is used by two of the most widely used Web server software packages, Apache and nginx. This means a lot of internet sites would possibly have this vulnerability.
Wolfgang Kandek of Qualys in Redwood City added that many affected websites will now have to have their encryption keys recertified as safe. That's because even after fixing the flaw in their software, keys that may already have been exposed can easily allow hackers to steal sensitive personal information.
Moreover, every website, server or service admin who uses OpenSSL should be concerned about this vulnerability, as it breaks everything for which SSL encryption was deployed in the first place.
So what are the things a user should consider?
§ Change your passwords only after the affected online service provider has updated their servers to fix the Heartbleed vulnerability.
§ Services which are affected ought to be sending emails to users informing them that they were affected by Heartbleed and have since updated their servers.
§ Only when you receive this update, change your password; otherwise it will not have the expected outcome.
§ But if the website has already been compromised and is still to fix its software, then you should wait to change your password.
§ If you are doubtful about a website's status and whether it is compromised or not, you can go online and check by doing a Heartbleed vulnerability test on these sites:
§ As phishing attacks are continuously increasing, some hackers may send you links to change your password. To ensure complete safety, manually go to the website yourself, log in and then change your password.
Once you can confirm resolution, change your password, but ensure that you have a "strong" password. A few tips for choosing your password:
Never give out your password to anyone (not even your spouse):
Never give it to friends, even if they're really good friends. A friend can – accidentally, we hope – pass your password along to others or even become an ex-friend and abuse it.
Don't just use one password:
It's possible that someone working at a site where you use that password could pass it on or use it to break into your accounts at other sites.
Make the password at least 8 characters long:
The longer the better. Longer passwords are harder for thieves to crack. Include numbers, capital letters and symbols. Consider using a $ instead of an S or a 1 instead of an L, or including an & or % – but note that $1ngle is NOT a good password. Password thieves are onto this. But Mf$1avng (short for "My friend Sam is a very nice guy") is an excellent password.
Create passwords that are easy to remember but hard for others to guess (unique):
When possible, use a phrase such as "I started working in Chorkor 1999" and take the initial of each word, like this: "IswinC99#!"
Don't use dictionary words:
If it's in the dictionary, there is a chance someone will guess it. If I am a hacker, I will just write a script to guess dictionary words and common words. Those who like using great, love, sweetheart, heartbeat, etc. Abeg! That is giving a class 1 assignment to an undergrad student.
Don't post it in plain sight:
This might seem obvious, but studies have found that a lot of people post their password on their monitor with a sticky note. Bad idea. If you must write it down, hide the note somewhere no one can find it. But for God's sake, try to keep your password in your head. Ebei! Is that so difficult? Even after some Bukom Banku beating, you should remember.
Consider using a password manager:
Programs or Web services like RoboForm (Windows only) or LastPass (Windows and Mac) let you create a different, very strong password for each of your sites. Ultimately, it solves the problem by generating random passwords for each account or site, and you only have to remember the one password that unlocks the program or secure site that stores your passwords for you.
Enable two-factor authentication:
Where there is two-factor authentication, use it (Gmail is one email service that offers it). In addition to a password, the service requests another piece of identifying information, such as a code sent to you via SMS. But if MTN, GLO, TIGO, AIRTEL or VODAFONE decides to screw you, then you are on your own.
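As an added example (not from the post), here is a Python checker that applies the password tips above: minimum length, mixed character classes, and a dictionary test that undoes the $-for-S and 1-for-L style substitutions the post warns thieves already know, so that $1ngle is rejected while Mf$1avng and IswinC99#! pass. COMMON_WORDS is a constructed stand-in for a real word list.

```python
import itertools
import re

# Constructed mini word list standing in for the dictionaries password thieves use.
COMMON_WORDS = {"single", "great", "love", "sweetheart", "heartbeat", "password"}

# Substitutions thieves already know: the post's $-for-S and 1-for-L, plus a few
# more. Each symbol maps to every letter it commonly stands in for.
LEET = {"$": "s", "1": "il", "0": "o", "3": "e", "@": "a", "5": "s", "7": "t"}


def deleet_variants(password: str, limit: int = 256):
    """Plausible plain-text readings of a password once substitutions are undone:
    '$1ngle' -> {'single', 'slngle'}. limit bounds the combinatorial blow-up."""
    choices = [LEET.get(ch, ch) for ch in password.lower()]
    return {"".join(combo) for combo in itertools.islice(itertools.product(*choices), limit)}


def looks_like_dictionary_word(password: str) -> str:
    """Return the dictionary word the password reduces to, or '' if none.
    Both the raw password and its de-leeted variants are stripped to letters,
    so 'Love123!' and '$1ngle' are both caught."""
    candidates = {password.lower()} | deleet_variants(password)
    for cand in candidates:
        core = re.sub(r"[^a-z]", "", cand)
        if core in COMMON_WORDS:
            return core
    return ""


def check_password(password: str) -> list:
    """Apply the post's tips; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"\d", password):
        problems.append("no number")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    word = looks_like_dictionary_word(password)
    if word:
        problems.append(f"dictionary word once substitutions are undone: {word}")
    return problems


if __name__ == "__main__":
    for candidate in ("$1ngle", "Mf$1avng", "IswinC99#!", "sweetheart", "Love123!"):
        print(candidate, check_password(candidate) or "OK")
```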
Credits: Qualys, eScan, Efo Koku