Heartbleed Bug Causes Confusion Online

By Mark Ward, Technology correspondent, BBC News

Security experts say that computers vulnerable to the Heartbleed bug are being actively targeted online.

They say it's not clear whether the scanning efforts are malicious or not.

The news comes as security professionals and developers advised people to change their passwords for all accounts.

But Google stated that logins for its services do not have to be reset unless they were used on other websites.

This contradicts advice from Yahoo's blogging platform Tumblr and the creators of If This Then That, who advised users to change their passwords "everywhere".

The conflicting guidance is further complicated by the fact that experts say updating passwords is useless until a site has patched its servers - but it's not always obvious to the general public when this is the case.

Attack pattern

The Heartbleed bug was first reported on April 8th, and has sparked a frenzy of activity in web-based businesses as they look to make sure their systems are safe.

The flaw was discovered in software that was supposed to keep information that passed between websites and users safe from scrutiny. The bug instead meant that attackers could use specially-crafted queries to take data from servers.

Ars Technica reported that some sites had seen evidence that bot networks were looking for the Heartbleed weakness even before the bug was made public.

Security researchers are also receiving information on scans of vulnerable servers. One scan turned out to be harmless: the person responsible for it told the gaming company that ran the computers that they were leaking data.

"It's difficult to detect an attack unless you're actively looking for it," said Ken Munro, an analyst at security company Pen Test Partners. He also said that many intrusion detection systems have added signatures that can detect the subtle signs that a Heartbleed-inspired attack is underway.

Game music hall

Additionally, organizations operating "honeypots", which attempt to trick hackers into attacking fake web servers, have written software that generates nonsensical server data in response to Heartbleed requests.

According to Netcraft statistics, 500 thousand servers are at risk from the Heartbleed bug.

Many websites that had vulnerable servers have since patched their systems, and many others are also doing the same. However, many sites remain vulnerable. There are sites that allow users to determine whether a website they are using is insecure.

Conflicting advice has been given to web users by different companies about whether they should be updating their passwords. Google said that users did not need to change credentials; Facebook advised users to make the change; and others, such as web service If This Then That, said users should change their passwords on a regular basis.

Users should first find out whether the site they are using is vulnerable to the bug and whether it has taken action to correct it, according to James Lyne, global head of research at Sophos. Changing passwords on a website that is not secured could still leave people open to data theft, he said.

He also said that the rush to change passwords would encourage phishing groups to send bogus messages to people who want to reset their passwords.

"This isn't the first defect of its kind and definitely won't be the last, but it is one of the more grave faults we've seen in recent internet history," said Mr Lyne.
