Forum Index > Full Moon Saloon > Heartbleed internet security bug
Joey
verrry senior member



Joined: 05 Jun 2005
Posts: 2797 | TRs | Pics
Location: Redmond
Posted: Wed Apr 09, 2014 8:29 am
You will likely be reading about the heartbleed internet security bug over the next few days. Here is a page put up by the security firm that co-discovered this problem: http://heartbleed.com/ This is different - and more dangerous - than prior worms, viruses, etc. This security hole is in the software that encrypts things like your credit card number and your login name and password. The big players (Google, Facebook, etc) will quickly fix this. The smaller players - maybe not so quick - or maybe not at all. Sorry for the bummer, wish I had better news. [edit] Good article from Krebs: http://krebsonsecurity.com/2014/04/heartbleed-bug-exposes-passwords-web-site-encryption-keys/

marta
wildflower maven



Joined: 07 May 2003
Posts: 1761 | TRs | Pics
Posted: Wed Apr 09, 2014 8:54 am
This article goes into even more detail. There is a link in the article and another link in the comments to test a site to see if it is vulnerable. I checked several of my financial institutions and they all passed. Yahoo is passing but it was initially reported that it was vulnerable. There is nothing you can do at this point until all the sites have been fixed other than not log in to the sites. After they have been fixed, you probably should change your password. I hope they at least provide a list of the sites that did have the vulnerability.

Joey
verrry senior member



Joined: 05 Jun 2005
Posts: 2797 | TRs | Pics
Location: Redmond
Posted: Wed Apr 09, 2014 8:57 am
In addition to the one Marta found, here is another tool you can use to test for this problem: http://filippo.io/Heartbleed/

Joey
verrry senior member



Joined: 05 Jun 2005
Posts: 2797 | TRs | Pics
Location: Redmond
Posted: Sat Apr 12, 2014 9:10 pm
Three ‘big picture’ things everyone needs to know

1. The heartbleed bug exists in the software that is on many home routers.
2. Using a mobile app on *any* device might expose your data to this bug.
3. Firewalls, anti-virus software and all their kin provide no protection now or in the future against this bug. If your data is exposed to this bug, it can be scooped up by the bad guys.

One security expert has opined that on a scale of 1 to 10 the heartbleed bug is an “11”.

Good and bad versions of OpenSSL

The bug results from a bit of sloppy programming in open source software called OpenSSL. This software encrypts data and since it is free it is very widely used.

OpenSSL versions 1.0.1 through 1.0.1f (inclusive) have the heartbleed bug.

The following OpenSSL versions do *not* have the heartbleed bug: 0.9.8 branch, 1.0.0 branch, 1.0.1g

The bug allows the bad guys to obtain a copy of data stored in memory. That data could easily be ‘in the clear’ (i.e. not encrypted) and be things like your credit card number and bank password. Get the picture?

Tiny sliver of good news

This bug only lets the bad guys read data from memory. They cannot upload anything to you via just this bug. Also, this bug does not replicate.

And now back to the bad news...

Routers

If your router has the heartbleed bug then the bad guys can get copies of stuff in the router’s memory. Yes, this can easily include your credit card number, bank password, etc.

Here is a table that lists a bunch of routers that all use OpenSSL: http://wiki.openwrt.org/inbox/benchmark.openssl

Click the "device" column heading to sort this table by router name. The "OpenSSL" column gives the version number of OpenSSL. Note how many different routers contain a version of OpenSSL that includes this bug!!!

If you want to try to test your router and your router allows access via telnet (not all routers allow telnet access), then you should be able to test your router. This involves using telnet to access your router and then asking your router to tell you (a) whether or not OpenSSL is on your router and, if so, (b) the version number. Instructions for doing this are provided below and are the only way I know about to find out for certain if your router software has the heartbleed bug.

You might start by trying to find out if your router includes the telnet feature. Google: telnet (your router model)

Since the telnet feature on a router is usually ‘off’ by default, you will need to turn it ‘on’. Try entering the router IP address into your browser’s address bar. (Google: find my router IP address) Hopefully you will then be prompted to enter the router username and password. The default username on many routers is admin or root. If you are able to access your router’s software, then the telnet feature might be under a tab called ‘advanced’ or ‘administrative’. When you find it, turn it on. And when you are done with all this, remember to turn telnet back off since it can present a security hole.

Next, you need to enable the telnet client that is part of Windows (I know nothing about Macs). Windows XP includes a telnet client and it is already enabled. If you have Windows 7 or 8 then google: windows 7 (or 8) enable telnet.

At this point telnet is ‘on’ in your router and you have enabled the telnet client on your PC. Next you want to use your telnet client to connect to your router. Google: how to telnet to router

Hopefully you have now been able to (1) open a command window and (2) get it to give you a telnet prompt. That means the telnet client is running. Now enter this command to open port 23 on your router:

    o x.x.x.x 23

That is the letter o and not a zero. x.x.x.x is the router IP address. 23 is the typical router port for telnet.

You should now be prompted to enter the username and password for your router. After you enter that info, you will see a new type of prompt in the command window. Enter this command:

    openssl version -v

If your router has OpenSSL, it will display the version number. When I do this, I see:

    OpenSSL 1.0.0j 10 May 2012

This is one of the ‘good’ versions of SSL.

Now enter ctrl-] to get back to a telnet prompt, then enter q to quit telnet. Close the command window. Use your browser to access your router’s software and turn telnet off in your router.

If your router software has the heartbleed bug, then you have exactly two choices. You could wait for the router manufacturer or your internet provider to issue new firmware for your router that does not include this bug. Or you can buy a new router.

If you decide to buy a router then Linksys is the only manufacturer that has announced that none of their routers use OpenSSL. I suggest you consider the Linksys E2500 or higher number in the 'E' series. That model has plenty of features to let you connect your various devices. Linksys also has a "wrt" line that appears to be older models. And they have a fancy "EA" line but if you need one of those then you likely already know that and do not need any advice from me.

Possible danger using mobile apps

See:
http://www.forbes.com/sites/bobegan/2014/04/11/a-billion-smartphones-users-may-be-affected-by-the-heartbleed-security-flaw/
http://www.computerworld.com/s/article/9247632/Heartbleed_flaw_affects_mobile_apps_too

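Added example, not part of any post in this thread: a POSIX shell helper that classifies `openssl version` banners against the version ranges listed in the post above (1.0.1 through 1.0.1f affected; 0.9.8 branch, 1.0.0 branch and 1.0.1g not). The function names, device names and sample inventory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. classify_openssl and audit_inventory
# are hypothetical helper names; the inventory below is constructed.

# Map an `openssl version` banner to a status using only the ranges
# quoted in the post: 1.0.1 through 1.0.1f affected; 0.9.8 branch,
# 1.0.0 branch and 1.0.1g not affected. Anything else is "not-covered".
classify_openssl() {
    # Keep "<digits.dots><letter>"; drop suffixes like "-fips" and the date.
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo "unparsed"        # no banner, e.g. openssl is not installed
        return 0
    fi
    case "$ver" in
        0.9.8*|1.0.0*)   echo "not-affected" ;;
        1.0.1)           echo "affected" ;;
        1.0.1[abcdef])   echo "affected" ;;
        1.0.1g)          echo "not-affected" ;;
        *)               echo "not-covered" ;;
    esac
}

# Read "device|banner" lines on stdin and print "device: status".
audit_inventory() {
    while IFS='|' read -r dev banner; do
        [ -n "$dev" ] || continue
        printf '%s: %s\n' "$dev" "$(classify_openssl "$banner")"
    done
}

# Constructed sample: banners as they might be copied from telnet sessions.
audit_inventory <<'EOF'
router-a|OpenSSL 1.0.0j 10 May 2012
router-b|OpenSSL 1.0.1e 11 Feb 2013
router-c|OpenSSL 1.0.1g 7 Apr 2014
router-d|sh: openssl: not found
EOF
```

A version banner is only a first check: some vendors patched the bug without changing the version letter, so a banner in the affected range can describe a fixed build.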
the Zachster
Member
Member


Joined: 17 Jan 2007
Posts: 4776 | TRs | Pics
Location: dog training
Posted: Sun Apr 13, 2014 8:44 am
So why is there SO little interest in this? I find it quite disturbing. Thanks for the info Joey. I hope we are all safer than we think we are...

"May I always be the kind of person my dog thinks I am"
sten
Member
Member


Joined: 16 Aug 2005
Posts: 479 | TRs | Pics
Posted: Sun Apr 13, 2014 9:15 am
Probably because it sends us off to do some research on our routers, commonly used websites etc.

Joey
verrry senior member



Joined: 05 Jun 2005
Posts: 2797 | TRs | Pics
Location: Redmond
Posted: Sun Apr 13, 2014 9:20 am
I found a website where you can test your router for the heartbleed bug. All the other testers I have seen only let you test by entering a domain name like yahoo.com.

1. You first need to know the IP address that your router uses to communicate with the internet. This is different than the IP address you use to communicate between your PC and your router. Do a google search on: what is my ip
Google displays your internet IP address in black above the list of hits. Write it down.

2. Go to this website: http://www.nagios.com/heartbleed-tester
Type your IP address in the ‘host’ field. You do not need to change the other settings. Run the test. This server is very busy so the test may take a few minutes to complete.

A buddy that has a very basic router from century link was unable to run this test. A neighbor with a different router was able to run the test and was "not vulnerable" to the bug.

Please post your results. I think we all need a sense for the scope of this problem in the context of routers.

Brian Curtis
Trail Blazer/HiLaker



Joined: 16 Dec 2001
Posts: 1696 | TRs | Pics
Location: Silverdale, WA
Posted: Sun Apr 13, 2014 9:29 am
Home router vulnerability issues are a bit complicated. To be vulnerable to Heartbleed the router has to be acting as an SSL server. If it is merely passing SSL traffic it is not vulnerable. So that generally means VPN or, more importantly for typical home routers, remote management. If you log in to your router you can check to see if remote management is turned on. I think most routers are typically shipped with remote management turned off, but I'm not sure about that. For accessing telnet on OS X go to Applications->Utilities and open Terminal. Then go to Shell->New Remote Connection... and choose Remote Login (telnet). There you can enter your router's address and follow Joey's instructions.

that elitist from silverdale wanted to tell me that all carnes are bad--Studebaker Hoch
Brian Curtis
Trail Blazer/HiLaker



Joined: 16 Dec 2001
Posts: 1696 | TRs | Pics
Location: Silverdale, WA
Posted: Sun Apr 13, 2014 9:34 am
I tested my Cisco E3000 and it came back not vulnerable.

that elitist from silverdale wanted to tell me that all carnes are bad--Studebaker Hoch
More Cowbell
Warrior Princess



Joined: 01 Jul 2006
Posts: 5657 | TRs | Pics
Location: Alive on Earth
Posted: Sun Apr 13, 2014 11:06 am
Thanks for the new link. NOT VULNERABLE! Netgear WNR2000. I'll do the workplace computers tomorrow.

“If you want to forget all your other troubles, wear too tight shoes.” - Unknown
Joey
verrry senior member



Joined: 05 Jun 2005
Posts: 2797 | TRs | Pics
Location: Redmond
Posted: Sun Apr 13, 2014 12:34 pm
Brian Curtis wrote:
Home router vulnerability issues are a bit complicated. To be vulnerable to Heartbleed the router has to be acting as an SSL server. If it is merely passing SSL traffic it is not vulnerable. So that generally means VPN or, more importantly for typical home routers, remote management.
Thanks Brian. I also posted a comment at http://krebsonsecurity.com/2014/04/heartbleed-bug-exposes-passwords-web-site-encryption-keys/comment-page-3/#comment-241119 and was surprised when I got a prompt reply from Krebs. Here is my Q and his A:

Q: Assuming a router has a ‘bad’ version of OpenSSL, can the heartbleed bug be exploited on the router if (1) the router is not operating as a VPN server and (2) remote management is ‘off’ on the router? If the answer is ‘no’ the bug cannot be exploited on a router configured as I have described, then 99.9999% of home users do not need to worry about their router (assuming the router was shipped with remote management ‘off’).

A: The only way this would be an issue is for people who have remote access turned on; on top of that, I’m not sure how many home routers are going to be using the vulnerable openssl component, which is relatively recent. My guess is most consumer-grade router hardware is going to be fairly old.

ejain
Member
Member


Joined: 27 Apr 2009
Posts: 1498 | TRs | Pics
Location: Seattle, WA
Posted: Mon Apr 14, 2014 12:19 am
marta wrote:
After they have been fixed, you probably should change your password.
Changing passwords is pointless if your browser won't fail if it is unable to verify that the certificate of a site it is connecting to hasn't been revoked; none of the popular browsers do this by default (for practical reasons)...

markh752
Snoozing on a rock!



Joined: 03 Dec 2011
Posts: 866 | TRs | Pics
Posted: Mon Apr 14, 2014 6:35 am
The website says that my Zyxel PK5000Z is not vulnerable. This is an older router/modem. Thank you for the info Joey. Edit: BEC's 7200TN R2 shows up as not vulnerable.

marta
wildflower maven



Joined: 07 May 2003
Posts: 1761 | TRs | Pics
Posted: Mon Apr 14, 2014 9:35 am
ejain wrote:
marta wrote:
After they have been fixed, you probably should change your password.
Changing passwords is pointless if your browser won't fail if it is unable to verify that the certificate of a site it is connecting to hasn't been revoked; none of the popular browsers do this by default (for practical reasons)...
True. Plus the site has to revoke it - not just reissue it. This will be interesting to see what is mentioned in the upcoming week.

Joey
verrry senior member



Joined: 05 Jun 2005
Posts: 2797 | TRs | Pics
Location: Redmond
Posted: Mon Apr 14, 2014 4:41 pm
   All times are GMT - 8 Hours