Heartbleed Vulnerability
TORONTO – An encryption flaw now known as the Heartbleed bug has made a major impact on online security. The flaw has affected many online services and websites that Canadians access every day. CBC has reported that over 900 Social Insurance numbers have been accessed via this vulnerability in their system.
Security experts have gone as far as to call it one of the biggest security threats the Internet has ever faced.
Heartbleed creates an opening in SSL/TLS, an encryption technology marked by the small, closed padlock and “https:” on Web browsers to show that traffic is secure. The flaw makes it possible to snoop on Internet traffic even if the padlock is closed, leaving users’ information vulnerable.
For now, the best you can do to protect yourself is change the password to any accounts associated with websites affected by the bug once the website confirms it’s deployed a fix. You will find a list below.
Although Muskoka Graphics was vulnerable to this bug, it has been closed and there is no reason to believe that any accounts were compromised. You were only open for attack on the Muskoka Graphics server if you process credit card transactions on your site. Logs do not show that has been the case and this bug has been removed from our servers.
Global News has created a list of some of the most popular services to let you know what’s affected and what passwords you need to change:
ONLINE BANKING
Were Canadian banks affected? No.
Do you need to change your password? No – but this is a good reminder that your Internet banking password should be very secure.
“The online banking applications of Canadian banks have not been affected by the Heartbleed bug,” the Canadian Bankers Association said in a statement issued Wednesday afternoon. “Canadians can continue to bank [online] with confidence.”
CANADA REVENUE AGENCY
Was it affected? Yes
Do you need to change your password? Yes
As of Friday the CRA’s online services were still offline due to the security concern. But according to a statement issued Friday, the websites will be back online by the weekend. Those with accounts should update their passwords once the site comes back online to be safe.
SOCIAL MEDIA
Facebook
Was it affected? Unclear
Do you need to change your password? Yes
“We added protections for Facebook’s implementation of OpenSSL before this issue was publicly disclosed. We haven’t detected any signs of suspicious account activity, but we encourage people to […] set up a unique password,” Facebook said in a statement.
Was it affected? No
Do you need to change your password? No
Was it affected? Yes
Do you need to change your password? Yes
“Our security teams worked quickly on a fix and we have no evidence of any accounts being harmed,” the company said.
Twitter
Was it affected? No
Do you need to change your password? No
“We were able to determine that twitter.com and api.twitter.com servers were not affected by this vulnerability. We are continuing to monitor the situation,” Twitter said on its website Wednesday.
Tumblr
Was it affected? Yes
Do you need to change your password? Yes
“We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue. This might be a good day to call in sick and take some time to change your passwords everywhere,” Tumblr said in a statement on Tuesday.
Was it affected? Yes
Do you need to change your password? Yes
TECH COMPANIES
Google
Was it affected? Yes
Do you need to change your password? Probably.
According to a statement from Google, the company proactively looks for vulnerabilities in order to fix them before they are exploited and therefore fixed this bug “early.” Google said users do not need to change their passwords because of this – but better safe than sorry in this case.
“We’ve assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine. Google Chrome and Chrome OS are not affected,” a post on Google’s security blog published Wednesday said.
Microsoft
Was it affected? No
Do you need to change your password? No
Apple
Was it affected? No
Do you need to change your password? No
Yahoo
Was it affected? Yes
Do you need to change your password? Yes
“Our team has fixed the Heartbleed vulnerability across our main properties & is implementing the fix across our entire platform now,” the company tweeted Tuesday.
Yahoo is also the email provider for Rogers customers.
According to a statement issued to Global News, “Rogers.com doesn’t use the impacted versions of the SSL software, so was not impacted by the bug.” But a spokesperson added that the company recommends customers update their passwords frequently as best practice.
ONLINE SHOPPING
Amazon
Was it affected? No*
Do you need to change your password? No
*Amazon said with the exception of some services – Elastic Load Balancing, Amazon EC2, Amazon CloudFront, AWS OpsWorks and AWS Elastic Beanstalk – its services were unaffected. If you use these, you should probably change your password.
eBay
Was it affected? No
Do you need to change your password? No
Etsy
Was it affected? Yes
Do you need to change your password? Yes
“As of right now, we have no indication that an attack has been conducted against Etsy beyond testing the vulnerability, but this type of issue makes it very difficult to detect, so we’re proceeding with a high degree of caution,” read a security update on Etsy’s website Tuesday.
PayPal
Was it affected? No
Do you need to change your password? No
OTHER ONLINE SERVICES
Dropbox
Was it affected? Yes
Do you need to change your password? Yes
“We’ve patched all of our user-facing services & will continue to work to make sure your stuff is always safe,” the company tweeted Tuesday.
OkCupid
Was it affected? Yes
Do you need to change your password? Yes
Evernote
Was it affected? No
Do you need to change your password? No
“Evernote does not use, and has not used, OpenSSL, so we were not vulnerable to this bug. As an Evernote user, you don’t need to take any action,” read the company’s blog.