Some websites now recommend that users should change passwords in response to the Heartbleed breach
ADVICE still varies on how web users should respond to the Heartbleed security breach, but some sites are now advising customers to change their passwords. Security experts have advised caution, warning people not to update their passwords before sites have patched the flaw, or they risk giving hackers their new passwords too.

The Heartbleed bug has been described as a "catastrophic" breach of internet security and independent security expert Bruce Schneier claims on his blog that "on the scale of 1 to 10, this is an 11". See below for a full briefing on the topic.

Websites have been scrambling to apply a fix, and many of the bigger sites now say that they are secure. Google told the MailOnline that its users do not need to update their passwords for services including YouTube and Gmail. A spokesman for Google said: “The security of our users' information is a top priority. We fixed this bug early and Google users do not need to change their passwords.”

Facebook, which has more than 1.2 billion account holders worldwide, has said that it too is safe from the threat, but still encouraged "people to take this opportunity to follow good practices and set up a unique password for your Facebook account that you don't use on other sites."

Yahoo is the only major site that has explicitly advised its users to change their passwords.

Current advice from major sites:

Google: Search, Gmail, YouTube, Wallet and Play store were all affected, but Chrome was not. Google said users don’t need to change their passwords, but some security analysts still advise that it is a good idea.
Facebook: In a statement, the firm said: “We added protections for Facebook’s implementation of OpenSSL before this issue was publicly disclosed. We haven’t detected any signs of suspicious account activity.” Nevertheless, the social network suggested people may want to change their passwords anyway, as it is good practice.
Yahoo: The site urged all customers to change their passwords now.
Netflix: Said in a statement “we took immediate action to assess the vulnerability and address it. We are not aware of any customer impact.”
Instagram: Still believed to be vulnerable. Users should not change their passwords until the site announces it is patched.
Hotmail, Outlook and Bing: Microsoft services are believed to be entirely unaffected.
Twitter: Site unaffected.
PayPal: The company said in a statement that the site is secure.

Filippo Valsorda, an Italian cryptography consultant, has built a tool to help users determine whether a particular website is still at risk.

Heartbleed internet security flaw: are you at risk?

9 April

A MASSIVE lapse in online security has put the privacy of millions of internet users at risk. Data on many of the world's major websites has been made vulnerable by a bug nicknamed "Heartbleed". Researchers at Google Inc and a security firm named Codenomicon exposed the problem, leading the Department of Homeland Security to advise many online services to check their vulnerability.

So who is at risk? What should we all do about it?

What is Heartbleed?

According to Codenomicon, the Heartbleed bug is a weakness that allows information on the internet, which would normally be protected by a type of encryption called OpenSSL, to be stolen. OpenSSL was devised to provide communication security for applications including web, email, and instant messaging. It works by scrambling data, making it appear as gibberish to anyone but its intended recipient.

Occasionally computers send a small package of data, known as a "heartbeat" to check that another computer is still connected. Due to an error in OpenSSL, it is possible to create fraudulent heartbeats that appear legitimate, tricking computers into sending data stored in their memory. Using this technique it is possible that many internet users have had their online profiles, passwords, emails and other online content intercepted and stolen.

Am I at risk?

Probably.
Writing on Vox.com, Timothy Lee says: "There aren't precise statistics available, but the researchers who discovered the vulnerability note that the two most popular web servers, Apache and nginx, use OpenSSL. Together, these vulnerable servers account for about two-thirds of the sites on the web."

A spokesperson for Yahoo Inc confirmed that Yahoo Mail had been affected, but it was now fixed. Patches have also been applied across Yahoo's suite of sites and services including Flickr, Tumblr and Yahoo Search. Google issued a statement saying "we have assessed the SSL vulnerability and applied patches to key Google services". Facebook said that it too had already addressed the problem by the time it went public yesterday. Microsoft announced that it would take steps to ensure its customers' security.

How do I know if I have been hacked?

Computer security experts warn that many victims won't be able to tell if their data has been put at risk. "We have tested some of our own services from the attacker's perspective. We attacked ourselves from outside, without leaving a trace," Codenomicon says.

What should I do about it?

Business Insider says that users should assume that all of their online accounts may have been compromised and should change all their passwords immediately.

The New York Times urges greater caution. "Wait a day or so. Then change the passwords on the web services you use," it says. Immediately changing passwords risks exposing them on sites that have not yet corrected the bug, explains the paper. "There's nothing users can do until the web services have made their sites secure," adds Mark Seiden, an independent computer security consultant.

Website Cult of Mac advises the same approach. "Wait until you know a site has been patched before changing passwords," it says. It adds that all passwords should be changed, "especially for sensitive sites like banks, credit cards and webmail".
Also, make sure your new passwords are all different; don't use the same one across all sites.

Seiden suggests varying a password around a core theme. "Pick out a core password of a mixture of six letters and numbers that are not a word," he advises. "You pick the second and third letter of a service, to avoid being obvious. If the service is Yahoo, the letters are 'a' and 'h.' Those are added at the front or back of your core password, or one letter at the front and the other at the back."

Source: The Week UK
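
Added example, not part of the original article and not OpenSSL's own code: the flaw described under "What is Heartbleed?" comes down to a server trusting the payload length that a heartbeat message claims for itself (the message layout used here is from RFC 6520, not from the article). The C code below shows the bounds check that keeps the reply inside the bytes actually received. The names heartbeat_reply, demo_honest and demo_overclaim are hypothetical, and both sample records are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HB_REQUEST  1   /* message types defined in RFC 6520 */
#define HB_RESPONSE 2
#define HB_HEADER   3   /* 1-byte type + 2-byte claimed payload length */
#define HB_PADDING  16  /* minimum padding RFC 6520 requires */

/* Build the reply to one heartbeat record of rec_len bytes actually received.
 * Returns the reply length, or 0 when the record is silently discarded. */
size_t heartbeat_reply(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The bounds check: the payload length the sender claims must fit in
     * the bytes that really arrived. Without it the memcpy below would
     * read past the record and echo neighbouring process memory. */
    if (HB_HEADER + claimed + HB_PADDING > rec_len)
        return 0;
    size_t reply_len = HB_HEADER + claimed + HB_PADDING;
    if (reply_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);  /* echo payload */
    memset(out + HB_HEADER + claimed, 0, HB_PADDING);   /* production code uses random padding */
    return reply_len;
}

/* Constructed sample: 4-byte payload "ping", length field says 4. */
size_t demo_honest(uint8_t *out, size_t cap)
{
    uint8_t rec[HB_HEADER + 4 + HB_PADDING] = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    return heartbeat_reply(rec, sizeof rec, out, cap);
}

/* Constructed sample: same bytes on the wire, length field says 16384. */
size_t demo_overclaim(uint8_t *out, size_t cap)
{
    uint8_t rec[HB_HEADER + 4 + HB_PADDING] = {HB_REQUEST, 0x40, 0x00, 'p', 'i', 'n', 'g'};
    return heartbeat_reply(rec, sizeof rec, out, cap);
}
```

The honest record is echoed back in full; the record that claims more payload than it carries is dropped without a reply.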