Heartbleed Bug Has Companies Scrambling for Fixes

A computer bug exposed two weeks ago has prompted fixes in the world’s top 1,000 websites, but security experts say vulnerable sites are still showing up, the latest one being healthcare.gov.

The vast majority of vulnerable servers had been patched as of April 17, according to Sucuri Security, ComputerWorld reported. Users of the website for the federal government’s health insurance program, however, are being asked to change their passwords “out of an abundance of caution,” a post on the website says.

The bug was found in open source software called OpenSSL. OpenSSL is one of the programs used to create secure web connections, which result in the padlock icon seen in browsers while shopping online or conducting banking transactions. Any organization that does not use OpenSSL is safe, experts say, so the first step is to determine if your workplace is using OpenSSL and then upgrade to a version that is not vulnerable.

Many government websites do not use OpenSSL and those sites that do are being upgraded and users are being asked to change passwords. The Canadian government also had issues with Heartbleed, as an arrest has been made after a hacker used Heartbleed to steal personal information from the Canada Revenue Agency.

The Heartbleed bug has apparently been used to breach the computer system of an unrevealed “major corporation,” which is still assessing whether damage was done, the New York Times reported.

As far as personal information is concerned, computer users are being told to check their online banking and ecommerce sites – without first logging in – to determine whether they were impacted by the bug. Many are posting information prominently on their websites. You also can check this by typing Web addresses into www.ssllabs.com/ssltest, which tracks patches as they’re made, writes Russ Wiles of the Arizona Republic. After repairs are made, but only after, change your password.

According to Re/code, an independent tech news site that partners with CNBC, computer security experts would not reveal the company. “But we’re likely going to hear about more cases like this after the fact as companies and organizations clean up their Heartbleed-affected systems and do forensic analysis to determine if they were ever attacked,” Arik Hesseldahl wrote.

Hesseldahl wrote that a browser extension can be downloaded that will allow uysers to determine whether a site is currently vulnerable, and whether it was previously vulnerable, which means passwords should be changed. Read more http://news.netcraft.com/archives/2014/04/17/netcraft-releases-heartbleed-indicator-for-chrome-firefox-and-opera.html

Here is a list of Frequently Asked Questions put together by CNET.