Heartbleed bug threats are serious; change passwords? Here's why
When the Heartbleed Bug made headlines days ago, the public came out divided. Many became worried about the impact of the security flaw on their data, while some - mostly non-geeks - took the issue lightly, as they might hardly understand its core.
However, many security experts continue to remind the public that Heartbleed is a serious problem that extends beyond Internet web servers and should be addressed with urgency even by individual users. How? By changing passwords - they said it is the least individual users can do for now.
As tested by security consultancy company Codenomicon, the bug can compromise user data such as passwords, usernames, credit card numbers and other confidential, personal information. Further research says it can crack firewalls and security systems as well as penetrate mobile devices.
"That's why this is so nasty; OpenSSL goes far beyond just websites. It's implemented in email protocols and all kinds of embedded devices," said chief executive George Kurtz of security firm CrowdStrike. He also suggested that users check with the manufacturers of their home routers about upgrading their devices to ensure security.
Though the real extent of the damage remains unknown, just think about the possible damage if the data mentioned were compromised and used in malicious activities, the security experts explained. That is why they advise users to change the passwords of important accounts that contain confidential and personal information. They reiterated it is the least users can do while experts continue to look for answers and further fixes.
Nevertheless, there are opposing views on applying password changes ASAP. Changing passwords amid all this confusion can put users at more risk, said Joseph Steinberg, who covers cyber security and entrepreneurship.
He advised that instead of changing passwords at once, users should check the list of websites that do not use OpenSSL, because those sites have not been exposed to the bug. He said the only time people should change their passwords is when they use the same passwords for sites that are vulnerable and sites that aren't vulnerable.
"If someone changes her password on a site that is still vulnerable and uses similar passwords on secure sites, she may actually put herself at risk of having her account at the secure sites breached!" he said, enumerating many other reasons why a password change might be a bad idea.
Gathered reports show a number of companies and websites admitted being open or exposed to the bug. Among the big companies affected are Facebook, Yahoo and Google. These companies claimed to have applied fixes after admitting they were vulnerable to the reported bug.
Meanwhile, there are those who came out lucky. For instance, social networking site Twitter and the IRS weren't vulnerable to the bug. TurboTax, however, admitted its vulnerability. Cisco Systems' servers and routers weren't exposed, either. Cisco is a leading provider of gear to move traffic around the Internet. Even its rival Juniper Networks wasn't affected, noting only a minimal issue with the kind of device used to create private exchanges on the Internet.
Other companies, such as Qualcomm and Microsoft Corporation, said they continue to check their products for any sort of exposure. Intel also said it continues to look for vulnerabilities in its products but has found nothing so far, according to spokesman Chuck Mulloy. He said the search continues.
However, McAfee admitted on its website that some product versions are vulnerable.
"The McAfee products that use affected versions of OpenSSL are vulnerable and need to be updated," it said.
Some companies refused to comment on the issue. Research says it could take years for those systems affected by the Heartbleed Bug to be cleaned up and upgraded completely.