• All Community
    • All Community
    • Forums
    • Ideas
    • Blogs
Kudos2

Heartbleed Bug: What You Need to Know and Security Tips

What is Heartbleed? Symantec is continuing to track this OpenSSL bug discovered recently and its implications for consumers. Symantec has created a site devoted to Heartbleed for further information.

Watch to learn more:

"Heartbleed" a name that security researchers have given to a serious bug found in a very common piece of software used by many websites. The software in question is called OpenSSL and is used to encrypt the information that you send to and from websites, such as your login name and password or other sensitive information. You can usually recognize when websites encrypt information when you see a little closed padlock near the address of the website in your browser.

Unfortunately there are many different software implementations used to implement this encryption and there is no easy way to know whether or not a given website is running the particular version of OpenSSL that this bug is present in.  We believe most large websites reacted quickly to the news of the ‘heartbleed’ bug and fixed it, however it will likely take a very long time for every website to do so.

Here are some tips to keep in mind over the coming weeks and months to help ensure the safety of your sensitive information as you surf and interact online:

  • Do not use the same user name and password across multiple sites. Why so? Well think of your password as being a like a door key. In life in general it would be really convenient if we could all use one single key to open every door in our lives… our house, our car, our office etc. Our key-chains would be nice and compact. However, losing that one key to a criminal would also mean that they could potentially freely access every door in your life. Using the same user name and password for every website you use is the online equivalent of having the same key for every door. So although the large websites you use likely reacted to the ‘heartbleed’ bug very quickly, smaller ones may not have, and if you used the same username and password, then if a smaller website you use is compromised that same username and password might be used on one of the larger websites, even if they have already fixed the bug. If you need to access many websites, as most of us do these days, we recommend using a software password manager. Here is a link to ours: Norton Identity Safe, but there are many others on the market today too.
  • Make sure you avoid simple passwords. Use a combination of upper and lower case letter with a few numbers sprinkled in is a good start. Also the longer the better a password is. Here is a link to a password generator that you might find useful.
  • Be especially on the watchout for scams. News like that of ‘heartbleed’ is music to a scammer’s ears. They take advantage of events like this by sending out fake email messages asking unsuspecting users to ‘change your password because of the heartbleed bug’. Such messages are known as phishing messages. They can be very hard to spot. Although Norton products are good a detecting and blocking them if you do get a message asking you to reset a password, we recommend that you don’t click on any of the links in the email but rather navigate yourself to the website by typing the address into your browser by hand.
  • Keep an eye on your sensitive online accounts. It’s always a good practice to to this anyway, but particularly now, pay special attention to online accounts (banks, email etc), as well as bank and credit card statements to check for any unusual transactions

Finally, if you are looking for something a little more technical on the background to this bug, we’ve got a lot more detail in a blog entry written up by one of our security researchers here: Heartbleed Bug Poses Serious Threat to Unpatched Servers

                                                                                                                     .

Comments

Kudos1

I also got the announcement and link in an email from Norton today. Added this link to my Favorites Tool Bar and will be checking websites. Thank you Norton.

Norton Security. Version 22.0.2.17 ~ "The world is full of nice people…… If you can’t find one, be one."
Kudos3

Hi,

I hate to sound like a dummy but did Norton just sent out an email Security Alert today on thi. With. Link to a site called SafeWeb Heartbleed check. After a check around here I can't find this heart bleed check. Is it legit?

 

 

thanks, 

Polly

Kudos1

I also received an e-mail from Norton titled Security Alert: Information on Heartbleed today. I could certainly use clear confirmation from Norton one way or the other. It looks suspicious. It's saved for now, but if Norton wants to empower us I'd appreciate an announcment on the website and direction to check there. Thanks.

Kudos3

I found it ironic that in an email that instructed users not to click on links in emails, you provided a link for the evaluative tool. Wouldn't it have been better to suggest that users go to the website, where a prominent link to the tool should have been displayed?

I have also received emails containing links for messages-same question.

If we think like a phisher or virusdeveloper for a moment, then shaping malicious emails to proportedly come from a trusted source such as Norton would be an obvious ploy. 

Shouldn't Norton be following their own advice for best practices?

Kudos2

Apologies for the confusion. We have indeed provided a tool to allow our users to check the whether or not a website is vulnerable to the 'heartbleed' attack.

This site can be found at:

http://safeweb.norton.com/heartbleed

The site looks like the following:

-Gerry.

Kudos0

I must just not understand, since I am not sure that the "heartbleed tool" is all that useful.  For example, type in "ebay.com"

You get a note that the site is not https.  Well, true.  But who wants to go to the site, find out that the actual sign-in site is

https://signin.ebay.com/

copy and paste, then find out that the site is now clean. 

and

the tool does not tell me whether or not my ebay account COULD have been compromised and that ebay has updated its keys.  Changing one's account credentials BEFORE a site updates its OpenSSL accounts means that the user account credentials will have to be changed again.

Even more fascinating, one might think that EVERY website would say

"we were not affected by heartbleed"

or

"we were affected by heartbleed, we have repaired our site, and we recommend that you change your account credentials now"

but many do not.  So kudos to Norton for telling me that my account at Norton might have been compromised.  But the information from the tool is not very helpful, or I just do not understand this correctly.

Kudos0

I got an email CLAIMING to be from Norton, about Heartbleed, yet all of the links were for https://response.nortonfromsymantec.com/servlet/...

In other words, all 12 links were to the same spot, which is somewhat suspicious. You would normally expect different links to land on different pages, ESPECIALLY when the visible text indicates the link takes you to http://safeweb.norton.com/heartbleed, which is 100 percent false.  The same appears for the "Legal Information" and "Privacy Policy" links. Really? You couldn't simply put in the ordinary link to your own symantec.com static pages? You had to link through a potentially bogus nortonfromsymantec.com?

The email was doing an extremely good job of appearing to be a phishing scam, notwithstanding its own admonisments about NOT clicking on links in emails exactly like this one...    It's not ironic, it's moronic.

Kudos0

I got the announcement and link. Started checking sites. So far all OK but then I went to  TRowePrice.com and your tool says the site can't be checked.

Now what?

Kudos0
I got the same email and was hesitant to run "the tool" before I checked it out on this site. But I don't see it mentioned anywhere. John
Kudos0

how do i check if a email that has been sent "via" someone else is safe??

Kudos0

Can anyone explain why a site like www.sas.no   cannot be found and checked by the safe web Heartblled check.  i am using the correct website address and it is the website for SAS airlines so i would have thought it could be found....