The security community is buzzing with news of a threat called Heartbleed. The bug reportedly affects nearly two-thirds of all websites, including Yahoo Mail, OKCupid, WeTransfer, and others. The bug is a vulnerability in OpenSSL, an open-source cryptographic library used to encrypt vast portions of the web. It allows cybercrooks to steal encryption keys, usernames and passwords, financial data and other sensitive data they have no right to.
In a blog post to their users, Tumblr described it this way:
…that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit.
The latest version of OpenSSL fixes the problem and websites are already upgrading.
However, your popular social site, your company’s site, commerce site, hobby site, sites you download software from or even sites run by your government might be using vulnerable OpenSSL, warns Codenomicon on their site about Heartbleed. GitHub compiled a list of sites that are vulnerable, but some may have already been updated. AVAST’s website is safe from the Heartbleed threat.
You can check a site’s vulnerability status at the Heartbleed test site, where you can enter a domain name. If a site comes back as an “uh-oh” but doesn’t say “heartbleed” then there may be something else wrong, but it’s not Heartbleed. Update: AVAST’s COO, Ondrej Vlcek, recommends this checker: http://www.ssllabs.com/ssltest/analyze.html.
What can you do?
The best advice is to stay away from affected sites for a while. In their report on Heartbleed, Tor advises, “If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle.”
You need to change your passwords for any vulnerable sites as well. Once affected sites start making the updates, they will most likely advise their customers to change their passwords. Earlier today, Tumblr sent their users a note encouraging them to change passwords to all their online accounts immediately.
“This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage, and banking, which may have been compromised by this bug,” Tumblr said on their blog.
We have written tips about creating strong passwords in the avast! blog. Read “My password was stolen. What do I do now?” as a reminder.
I am quite surprised at how inventive people can be when it comes to thinking up weak passwords. Obviously weak combinations like ‘1234’ or ‘qwerty’, along with names and phone numbers, are quite common parts of passwords.
The story begins with me fighting a familiar piece of malware, Bicololo, which is spyware designed to steal the identities of users of Russian social networks. A routine task, you might say. This time the authors were less cautious with the settings on their rogue servers, so I managed to get hundreds of freshly-stolen credentials. What to do with them? The first thing I tried was contacting support of the affected social network to get users warned and passwords reset. Unfortunately, my effort met no success there; they did not even bother to answer my mail! So instead of getting to warn hundreds of innocent users on the Russian social network, I used this unique opportunity to analyze the habits users have regarding their passwords and share it with our AVAST readers.
Once I cleaned up the data, I had about 850 unique username-password pairs. This is not enough for the results to be widely representative. The data was obtained from a rather specific group of (less experienced) users whose lack of knowledge allowed their computers to be infected. I expect the general reality to be a bit better than my results. Though my findings are not scientifically rigorous, they can give us some insight into the problem and show us examples we should avoid while choosing our passwords.
There is a nasty botnet trolling WordPress sites, trying to log in with the default admin user name and using “brute-force” methods to crack the passwords. Our advice to save your WordPress blog from being hacked is to change the login name from admin to something else and use strong passwords.
Matt Mullenweg, the founder of WordPress, advises the same thing on his blog. He also said to turn on two-step authentication, which prompts you to enter a secret number you get from the Google Authenticator app on your smartphone. To make as secure an environment as you can, ensure that the latest version of WordPress is installed as well.
“Do this and you’ll be ahead of 99% of sites out there and probably never have a problem,” Mullenweg writes to assure 64 million WordPress users.
By now, avast! users are aware of the importance of creating strong computer passwords, and guarding their Social Security number like a trained Doberman. But what about the humble four-digit personal identification number (PIN)? PINs are security features just like passwords. They give access to your mobile phone, credit card, bank account, and numerous other things. My garage door opener even has a keypad and PIN. Because it’s the key that unlocks so many doors, literally and figuratively, it pays to keep your PINs safe.
Here are some things to remember when choosing a PIN:
- Be more original than 1234. One in 10 people use this number combination. Together with 1111 and 0000, these three combinations make up nearly 20% of PINs. Think of it this way: if you find an ATM card on the floor, you have a 1 in 10 chance of getting the correct number if you type 1-2-3-4.
- Using your birthdate as a PIN is a bad idea. Everyone carries their driver’s license in their wallet with their ATM card. The birthday information gives a wallet thief both the lock and key in a convenient location. One study said that one out of 15 wallet theft victims also had their ATM account raided!
- Forget about your address too. Your house or apartment number is also printed on your driver’s license, so it’s easily found.
- Keep LOVE in your heart, not on your phone. 5683, which spells out “love” on the keypad is very popular. Use a less popular word, maybe 9278, which spells “wart.”
Here are some tips to secure (and remember) your PIN:
- Use the bank assigned number. Just don’t write it on your ATM card.
- An old phone number, student or work ID is good, as long as they’re not listed anywhere.
- Choose a meaningful number. The score of the big game (your favorite basketball team won 80-58, so the PIN is 8058).
- Base the number on a phrase instead of a word, such as 2432 for “Avast is FREEking awesome” (AIFA).
- Hide the number in a fake contact. If you have too many PINs to remember, make up a fake contact with a fake phone number and keep it in your phone. Just don’t let the battery run out!
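The rules above can be turned into a simple self-check. This is an added example, not code from the post: it scores a four-digit PIN against the three most common PINs the post cites, repeated or sequential digits, dates and house numbers that would be printed on an ID in the same wallet, and words spelled on a phone keypad (5683 = “love”). The tiny keypad-word dictionary is a constructed placeholder; a real check would use a larger list.

```python
from datetime import date

# PINs the post singles out, and a constructed (deliberately tiny) dictionary of
# words people spell on the keypad. Both are illustrative, not a real blocklist.
MOST_COMMON = {"1234", "1111", "0000"}
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}
COMMON_WORDS = {"love", "cool", "baby", "pass"}


def word_to_pin(word):
    """Digits a word spells on a phone keypad: 'love' -> '5683'."""
    return "".join(LETTER_TO_DIGIT[c] for c in word.lower())


KEYPAD_WORD_PINS = {word_to_pin(w): w for w in COMMON_WORDS}


def pin_weaknesses(pin, birthdate=None, house_number=None):
    """Return the list of reasons a PIN is weak; an empty list means none found.
    birthdate (datetime.date) and house_number (int) model what a thief would
    read off a driver's license found in the same wallet as the card."""
    if not (pin.isdigit() and len(pin) == 4):
        return ["PIN must be exactly four digits"]
    reasons = []
    if pin in MOST_COMMON:
        reasons.append("one of the three most common PINs (1234/1111/0000)")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    digits = [int(c) for c in pin]
    if {b - a for a, b in zip(digits, digits[1:])} in ({1}, {-1}):
        reasons.append("sequential digits")
    if birthdate is not None:
        d = birthdate
        derived = {f"{d.month:02d}{d.day:02d}", f"{d.day:02d}{d.month:02d}",
                   f"{d.year:04d}", f"{d.year % 100:02d}{d.month:02d}"}
        if pin in derived:
            reasons.append("derived from the birthdate printed on your ID")
    if house_number is not None and pin.lstrip("0") == str(house_number):
        reasons.append("matches the house number printed on your ID")
    if pin in KEYPAD_WORD_PINS:
        reasons.append(f"spells '{KEYPAD_WORD_PINS[pin]}' on the keypad")
    return reasons
```

The post’s own suggestions (8058 for a game score, 9278 for “wart”) come back clean, while 1234 trips two rules at once.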
When scrubbing toilets and doing other household chores is preferable to thinking of new user names or passwords, then you know it’s a burdensome thing. A new national survey from Janrain, a social software services company, reveals that American adults need to remember five or more unique online passwords. Thirty-eight percent are so frustrated that they think tasks like folding laundry or scrubbing toilets – even solving world peace – might be easier than coming up with another new user name or password combination.
The majority of those surveyed say they try to create strong passwords, using letter and number combinations instead of obvious names or words, like “password,” but the problem is recalling the complicated passwords. Nearly 37 percent have to ask for assistance on their user name or password from at least one website per month.
“With all of the different websites consumers login to on a regular basis – from email and social networks to online banking and e-commerce sites – it’s no wonder people are struggling to remember such a large number of passwords,” Janrain CEO Larry Drebes said. “What’s surprising is that consumers think cleaning their bathroom, or in the extreme cases trying to solve world peace, sounds preferable to adding yet another password to the list.”
If you are experiencing password fatigue, and would like to never worry again about remembering your passwords, then try avast! EasyPass. You get strong, unique passwords for every site you visit – with just one click. The best part is that you access your passwords using one Master Password, so you don’t have to remember lots of passwords or waste time asking websites for help. Download a free trial of avast! EasyPass now.
We have another entry on the growing list of hacks – Blizzard Entertainment, publisher of popular games such as World of Warcraft and the Diablo and Starcraft series, reported last week that a large amount of user account data for Battle.net gamers was compromised.
“This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard. We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened,” wrote Blizzard President Mike Morhaime. “We take the security of your personal information very seriously, and we are truly sorry that this has happened.”
Stolen data includes email addresses, answers to security questions, a database of “cryptographically scrambled” passwords, and data related to dial-in and smartphone app-based two-factor authentication. Battle.net users should change their account passwords immediately. You can do that here.
Jindrich Kubec, Avast Virus Lab senior analyst, gives some tips for securing your passwords:
1. Avoid anything ‘personal’ such as names and birth dates – see this list for examples of passwords to avoid
2. Avoid overly complex passwords as you don’t want to write them down
3. Don’t reuse passwords anywhere – leaks will happen in the future and you don’t want a single leak giving the bad guys keys to all the online services you use
4. Longer passwords are always better
5. Beware the phishers: always ensure you’re doing sensitive operations on the legitimate site, under a secure and verified connection. I’d also recommend never clicking on links in emails to update sensitive information. Instead, manually enter the site and make changes.
6. If you can’t be bothered with steps 1 – 5, try avast! EasyPass to generate strong, unique passwords for every site you visit. The best part is that you access your passwords using one Master Password, so you don’t have to remember lots of passwords.
Yesterday, LinkedIn started investigating a password leak, followed by online dating site eHarmony, and now online music streaming site Last.fm has announced on their blog that they too are investigating the leak of user passwords. As a precautionary measure, they are advising all their users to change their passwords immediately. You can do that here.
Yesterday, a Russian hacker reportedly stole 6.5 million LinkedIn passwords and 1.5 million passwords from eHarmony. It is not yet known if the hacking incidents are related.
It’s worth repeating the password tips my colleague Jindrich Kubec wrote in an earlier blog post.
A simple 5 step procedure for creating new passwords:
1. Avoid anything ‘personal’ such as names and birth dates – see this list for examples of passwords to avoid
2. Avoid overly complex passwords as you don’t want to write them down
3. Don’t reuse passwords anywhere – leaks will happen in the future and you don’t want a single leak giving the bad guys keys to all the online services you use
4. Longer passwords are always better
5. Beware the phishers: always ensure you’re doing sensitive operations on the legitimate site, under a secure and verified connection. I’d also recommend never clicking on links in emails to update sensitive information. Instead, manually enter the site and make changes.
On the heels of the Zappos cyber robbery last Sunday that left 24 million customers fretting over stolen passwords and email addresses, articles are being published about how people can protect themselves online. The number one point is always about passwords. Clean up your passwords. Never share your password. Create different passwords for different accounts.
Sage advice, which we at AVAST support. We even have a dedicated password manager called avast! EasyPass to help you juggle it all. The theft at Zappos and the struggle for greater online privacy made it even more startling when I read about the growing trend among teenagers to share their passwords as an act of trust with their current BFFs.
Black Friday, the day after Thanksgiving and the busiest shopping day of the year, starts at midnight November 25th with mega-sales running throughout the weekend. Cyber Monday, the online retail equivalent to Black Friday, is the time when many consumers, who didn’t want to fight the crowds over Thanksgiving weekend or failed to find what they were looking for, shop online that Monday from home or work.
“For our US friends especially, this weekend is when retailers, offline and online, offer the best deals of the year,” said Jindrich Kubec, senior virus analyst at the AVAST Virus Lab. “It’s also when cybercriminals become hyperactive with scams and fraudulent offers.”