Thursday, 17 April 2014

Biggest hacking scandals of all time

Canadian hacker Michael Calce launched an attack on several major websites such as CNN, Yahoo, Amazon and eBay that paralyzed the sites for hours.
Canadian hacker Michael Calce launched an attack on several major websites such as CNN, Yahoo, Amazon and eBay that paralyzed the sites for hours. File Photo/Canadian Press Images
TORONTO – Police have charged a 19-year-0ld London, Ont., man in relation to the security breach on the Canada Revenue Agency’s website, which resulted in 900 social insurance numbers being stolen.
Stephen Arthuro Solis-Reyes faces one count of “Unauthorized Use of Computer” and one count of mischief.
Solis-Reyes, described by his lawyer as a “straight-A” student, is in his second year of computer engineering at Western University. But he isn’t the first person (or even the first Canadian) to be implicated in large-scale hacking scandals.

Canadian hacker ‘Mafiaboy’ attacks media sites

In February 2000, Canadian hacker Michael Calce launched an attack on several major websites such as CNN, Yahoo, Amazon and eBay that paralyzed the sites for hours. Economic damages from the attack were estimated at several million dollars.
The RCMP and the FBI launched a manhunt that ended two months later with the 15-year-old Calce apprehended at his parents’ home in Montreal.
He was tried and found guilty of 55 counts of mischief and sentenced to eight months in a youth detention centre and a year of probation. As a young offender, he was only known in the media by his online alias “Mafiaboy” to protect his identity.
But in 2008, Calce revealed his identity to the world by releasing a book entitled Mafiaboy: How I Cracked the Internet and Why It’s Still Broken, in which he discussed his fascination with computers and learning how to be a hacker.
READ MORE: Hacker charged in CRA Heartbleed breach ‘straight-A’ engineering student

Target breach

In mid-December hackers infiltrated Target’s systems stealing about 40 million debit and credit card numbers and personal information – including email addresses, phone numbers, name and addresses – of another 70 million people.
The Secret Service and the FBI are still investigating the data heist, however experts believe the hackers responsible for the security breach will be hard to find.

Google theft

Google revealed it has been targeted by a highly sophisticated and targeted attack on [its] corporate infrastructure originating from China, in January 2010. Google said the attack, Operation Aurora, had resulted in the theft of intellectual property from Google.

Palin email attack

In September a hacker gained access to former Alaska governor Sarah Palin’s private email account and posted screenshots of the politician’s contact list, messages and inbox were posted to a whistle-blowing website.
A person claiming to be the hacker posted messages regarding the attack on a web forum. The postings were later traced to 20-year-old Tennessee college student David Kernell, who has since been indicted on charges of identity theft, wire fraud and obstruction of justice.

Monster.com resume theft

The online job board Monster.com spent millions on security upgrades after a group of con artists broke into its system and stole the resumes of 1.3 million people.
The group used a computer program to access the employers’ section of the site and steal log-in credentials. The logins were used to upload user names, email addresses, phone numbers, and home addresses to a remote server.
While the information taken from the resumes did not include social security numbers or financial data, the contact information alone was enough for the hackers to construct “phishing” and spam emails containing personal information of the users.
Phishing emails sent to users encouraged them to download a “job seeker tool,” which was in fact a program that encrypted files on their computer and demanded money for their decryption.

Credit card accounts exposed

A massive computer security breach at a payment processing company exposed more than 20 million Visa and 13.9 million MasterCard accounts to the risk of fraud in June.
Analysts and law enforcement officials traced the breach to payment processing company CardSystems Solutions of Tucson, Ariz. Hackers were able to insert a code in the company’s network which allowed them to steal account information that could be used to commit fraud.
The breach was one of the largest in the world at the time, as hundreds of thousands of cards were cancelled and reissued.

Hacker looks for UFO evidence

Gary McKinnon hacked into 97 Pentagon, U.S. Navy, Army and NASA computers between February 2001 and March 2002. The British hacker, also known by his online name “Solo” admitted that he hacked into the systems, but said he only did it to find evidence of UFOs.
The US government alleged that McKinnon caused $700,000 in damage.

Report: NSA Exploited Heartbleed to Siphon Passwords for Two Years

Image: Codenomicon
Image: Codenomicon
The NSA knew about and exploited the Heartbleed vulnerability for two years before it was publicly exposed this week, and used it to steal account passwords and other data, according to a news report.
Speculation had been rampant this week that the spy agency might have known about the critical flaw in OpenSSL that would allow hackers to siphon passwords, email content and other data from the memory of vulnerable web servers and other systems using the important encryption protocol.
That speculation appears to be confirmed by two unnamed sources who told Bloomberg that the NSA discovered the flaw shortly after it was accidentally introduced into OpenSSl in 2012 by a programmer.
The flaw “became a basic part of the agency’s toolkit for stealing account passwords and other common tasks,” the publication reports. [See NSA response below]
OpenSSL is used by many websites and systems to encrypt traffic. The vulnerability doesn’t lie in the encryption itself, but in how the encrypted connection between a website and your computer is handled. On a scale of one to 10, cryptographer Bruce Schneier ranks the flaw an 11.
The flaw is critical because it’s at the core of SSL, the encryption protocol so many have trusted to protect their data, and can be used by hackers to steal usernames and passwords — for sensitive services like banking, ecommerce, and web-based email.
There are also concerns that the flaw can be used to steal the private keys that vulnerable web sites use to encrypt traffic to them, which would make it possible for the NSA or other spy agencies to decipher encrypted data in some cases and to impersonate legitimate web sites in order to conduct a man-in-the-middle attack and trick users into revealing passwords and other sensitive data to fake web sites they control.
Heartbleed allows an attacker to craft a query to vulnerable web sites that tricks the web server into leaking up to 64kb of data from the system’s memory. The data that’s returned is random — whatever is in the memory at the time — and requires an attacker to query multiple times to collect a lot of data. But this means that any passwords, spreadsheets, email, credit card numbers or other data that’s in the memory at the time of the query could be siphoned. Although the amount of data that can be siphoned in one query is small, there’s no limit to the number of queries an attacker can make, allowing them to collect a lot of data over time.
Although some researchers have reported on Twitter and in online forums that they were able to siphon the private keys in some cases from servers that were vulnerable to the flaw, the security firm CloudFlare announced today in a blog post that it was unable to siphon a private key after multiple days of testing the flaw.
Cracking SSL to decrypt internet traffic has long been on the NSA’s wish list. Last September, the Guardian reported that the NSA and Britain’s GCHQ had been working to develop ways into the encrypted traffic of Google, Yahoo, Facebook, and Hotmail to decrypt the data in near-real time, and there were suggestions that they might have succeeded.
According to documents that Edward Snowden provided the paper, the spy agencies have used a number of methods under a program codenamed “Project BULLRUN” to undermine encryption or do end-runs around it — including efforts to compromise encryption standards and work with companies to install backdoors in their products. But at least one part of the program focused on undermining SSL. Under BULLRUN, the Guardian noted, the NSA “has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking.”
Bloomberg does not say if the NSA or its counterparts succeeded in siphoning private keys using the Heartbleed vulnerability. The paper only mentions using it to steal passwords and “critical intelligence.”
Update: The NSA has issued a statement denying any knowledge of Heartbleed prior to its public disclosure this week. “NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report,” an NSA spokesperson wrote in a statement. “Reports that say otherwise are wrong.”
The White House National Security Council spokesperson Caitlin Hayden also denied that federal agencies knew about the bug. “If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL,” Caitlin Hayden said in a statement.

DeSmet, police investigate hacker, Twitter posts

About two weeks ago, something strange started happening to the computer network inside De Smet Jesuit High School in Creve Coeur. The internet was really slow and unresponsive. On some days websites were blocked.
Fast forward to last weekend when a hacker got into the school's email distribution list and started sending emails to teachers and students.
On Wednesday, a Twitter user called DeSmet Internet started posting messages bragging about contacting teachers and saying "We are Legion, We do not forgive."
"We can't confirm the emails are connected with this so called De Smet hacker or tweets. This person sent out a youtube video and embedded with it was a virus and our system shut that down immediately," said Principal Ron Rebore, Jr.
While this might be an end-of-year prank to get out of final exams, the consequences for hacking into a network are severe. According Federal and State cybercrime laws penalties could range anywhere from a misdemeanor to a felony.
"Some of their actions could have some major consequences to other people and to themselves. If this, in fact, is a student, this is very serious….the safety of our students is very important. This is not a joke," said Dr. Repore.
He added, "The police are involved because we want to make sure our school is safe…. If I feel there are threatening tweets I would be remiss if I didn't contact anyone who could help us."

Mission-critical satellite communications wide open to malicious hacking

Mission-critical satellite communications relied on by Western militaries and international aeronautics and maritime systems are susceptible to interception, tampering, or blocking by attackers who exploit easy-to-find backdoors, software bugs, and similar high-risk vulnerabilities, a researcher warned Thursday.
Ground-, sea-, and air-based satellite terminals from a broad spectrum of manufacturers—including Iridium, Cobham, Hughes, Harris, and Thuraya—can be hijacked by adversaries who send them booby-trapped SMS text messages and use other techniques, according to a 25-page white paper published by penetration testing firm IOActive. Once a malicious hacker has remotely gained control of the devices, which are used to communicate with satellites orbiting in space, the adversary can completely disrupt mission-critical satellite communications (SATCOM). Other malicious actions include reporting false emergencies or misleading geographic locations of ships, planes, or ground crews; suppressing reports of actual emergencies; or obtaining the coordinates of devices and other potentially confidential information.
"If one of these affected devices can be compromised, the entire SATCOM infrastructure could be at risk," Ruben Santamarta, IOActive's principal security consultant, wrote. "Ships, aircraft, military personnel, emergency services, media services, and industrial facilities (oil rigs, gas pipelines, water treatment plants, wind turbines, substations, etc.) could all be impacted by these vulnerabilities."
Santamarta said that every single one of the terminals he audited contained one or more weaknesses that hackers could exploit to gain remote access. When he completed his review in December, he worked with the CERT Coordination Center to alert each manufacturer to the security holes he discovered and suggested improvements to close them. To date, Santamarta said, the only company to respond was Iridium. To his knowledge, the remainder have not yet addressed the weaknesses. He called on the manufacturers to immediately remove all publicly accessible copies of device firmware from their websites to prevent malicious hackers from reverse engineering the code and uncovering the same vulnerabilities he did.
The paper gave examples of the types of weaknesses affecting specific SATCOM systems and the types of attacks that they made possible. The Harris RF-7800B BGAN, for instance, is a terminal the manufacturer markets as providing tactical radio communications to militaries. Santamarta said the devices contain vulnerabilities that allow hackers to replace the normal firmware with malicious code. Adversaries could then monitor the geographic location of the people using the gear or completely disable communications once a device enters a precise area chosen by the attacker. The Harris BGAN M2M terminal can be commandeered by sending malicious SMS messages to it, the researcher reported.
BGAN terminals from Cobham, meanwhile, can be hijacked by exploiting a weakness in its authentication mechanism. "If a member of a unit was targeted with a client-side exploit while browsing the Internet during personal communications time, an attacker would be able to install malicious firmware in the terminal," Santamarta wrote. He went on to catalog weaknesses in terminals that underpin mission-critical SATCOM used in international aviation and shipping systems as well.
As concerning as it is that the devices Santamarta reviewed made their way into mission-critical systems before the weaknesses were discovered, it's even more problematic that most manufacturers have yet to respond to the private overtures initiated by CERT. Given the potential threat to public safety and national security, Santamarta called for action.
"The findings of IOActive's research should serve as an initial wake-up call for both the vendors and users of the current generation of SATCOM technology," he said.

Heartbleed Bug Sends Bandwidth Costs Skyrocketing


Chart showing the global spike in revoked certificates after CloudFlare revoked its certificates this week due to Heartbleed. Chart courtesy of the Internet Storm Center.
Chart showing the global spike in revoked certificates after CloudFlare revoked its certificates this week due to Heartbleed.

The exposure of the Heartbleed vulnerability last week had a number of repercussions, one of which was to set off a mad scramble by companies to revoke the SSL certificates for their domains and services and obtain new ones.
The total costs of Heartbleed are yet to be calculated, but CloudFlare has come up with some stunning numbers that give us an idea of the price of a serious bug like this one.
On Wednesday CloudFlare, which provides security for web sites, completed the process of revoking and replacing all of the SSL certificates for its customers, activity that forced issuer GlobalSign to update its Certificate Revocation List.
That CRL is what your browser requests from Certificate Authorities to determine which certificates have been revoked, and can no longer be trusted. If a cert is on the revocation list, your browser is supposed to display a message letting you know that the site you’re trying to access does not have a valid certificate, which is generally a security concern.
In the wake of Heartbleed, the size of those CRLs from Certificate Authorities more than quadrupled in size, due to all of the certs that companies had to revoke and replace.
According to CloudFlare, GlobalSign’s CRL grew from 22KB before Heartbleed to 4.9MB afterward.
The number of revoked certificates on the CRL increased from 1,492 to 133,243. And that was just GlobalSign’s CRL.
The update to the CRL list caused a huge spike in requests from browsers for the latest list, which in turn caused a drain on GlobalSign’s bandwidth.
“The activity of browsers downloading the Globalsign CRL generated around 40Gbps of net new traffic across the Internet,” CloudFlare writes in a blog post published today. “If you assume that the global average price for bandwidth is around $10/Mbps, just supporting the traffic to deliver the CRL would have added $400,000USD to Globalsign’s monthly bandwidth bill.”
That’s not the only issue for a CA, however, for this kind of mass revocation.
“Beyond the cost, many CAs are not setup to be able to handle this increased load,” CloudFlare notes. “Revoking SSL certificates threatens to create a sort of denial of service attack on their own infrastructures.”

Microsoft defends opening Hotmail account of blogger in espionage case

Microsoft defends opening Hotmail account of blogger in espionage case

Company says it cracked open the Hotmail account of an unnamed blogger involved in a Windows 8 espionage case in part because he was selling Windows Server activation keys.
Microsoft's Panos Panay proudly shows off the then-new Surface hardware at the company's unveiling event at Chelsea Piers in New York, October 2012. Windows RT source code, which runs on the Surface RT, is among the intellectual property at the center of a trade secrets theft case. Seth Rosenblatt/CNET
Microsoft defended what it called the "exceptional" step of a "limited review" of a blogger's Hotmail account as part of a larger Windows espionage case, saying it had caught the blogger selling Microsoft's intellectual property without permission.
A court filing alleges that the unnamed blogger had been provided prerelease Windows 8 RT source code by then-Microsoft employee Alex Kibkalo. Kibkalo is being charged with stealing trade secrets.
The filing says that Microsoft triggered an internal investigation into the blogger's actions when the blogger sent the source code to an unnamed person, hoping for verification of its origins. Instead, that person tipped off then-Windows chief Steven Sinofsky, who forwarded the details to Microsoft's Trustworthy Computing Investigations department, which investigates external threats and internal information leaks.
The March 17 filing (PDF) alleges that the unnamed blogger confessed to selling Microsoft's intellectual property.
During his interview, the blogger admitted to posting information on Twitter and his Web sites, knowingly obtaining confidential and proprietary Microsoft IP from Kibkalo, and selling Windows Server activation keys on eBay.
Microsoft provided CNET with a statement defending its actions:
During an investigation of an employee, we discovered evidence that the employee was providing stolen [intellectual property], including code relating to our activation process, to a third party. In order to protect our customers and the security and integrity of our products, we conducted an investigation over many months with law enforcement agencies in multiple countries. This included the issuance of a court order for the search of a home relating to evidence of the criminal acts involved. The investigation repeatedly identified clear evidence that the third party involved intended to sell Microsoft IP and had done so in the past.
As part of the investigation, we took the step of a limited review of this third party's Microsoft operated accounts. While Microsoft's terms of service make clear our permission for this type of review, this happens only in the most exceptional circumstances. We apply a rigorous process before reviewing such content. In this case, there was a thorough review by a legal team separate from the investigating team and strong evidence of a criminal act that met a standard comparable to that required to obtain a legal order to search other sites. In fact, as noted above, such a court order was issued in other aspects of the investigation.

55,000 Social Security Numbers exposed in VFW.org security breach

The Veterans of Foreign Wars(VFW.org) of the United States recently began notifying affected users that hackers were able to their personal information.

In February 2014 , attackers compromised the VFW's website and planted malicious code that infects users' system with malware who visits vfw.org from vulnerable Internet Explorer versions.  The attack was believed to be originated from China.

An investigation into the incident shows that names, addresses and social security numbers of approximately 55,000 VFW members were compromised in the breach.

The letter dated April 4 said back in March VFW became aware of the security breach.

"VFW has been informed that the purpose of the attack wasn't identity theft, but rather to gain access to information regarding military plans or contracts" The letter reads.

VFW said they are offering one free year of identity theft protection services from AllClear ID to the affected members.

Details of Over 480,000 people stolen from The Harley Medical Group


Hackers breached the server of an UK Plastic & Cosmetic Surgery company The Harley Medical Group and compromised personal details of over 480,000 people.

Sponsored Links
The individuals who have submitted their data via an initial inquiry form on the company's website were affected by this breach.

The information accessed by attackers include the names, email IDs ,date of birth, addresses and phone numbers , according to Hot For Security.  No clinical or Financial information has been accessed by attackers.

The company said it believed the attack was an attempt to extort money from the company.

"We have informed the police and will continue to provide whatever assistance they may require to track down the perpetrator of this illegal act" Harley chairman Peter Boddy said in the letter.

OpenSSL Heartbleed bug sniff tools are 'BUGGY' – what becomes of the broken hearted?

Software that claims to detect the presence of OpenSSL's Heartbleed bug in servers, PCs and other gear may falsely report a system to be safe when users are actually in danger, according to a security consultancy.
This finding is disputed by developers publishing tools that test for the vulnerability.
The teams behind Nessus, Metasploit, Nmap and others have each released utilities for sensing whether or not computers and gadgets are affected by the password-leaking Heartbleed flaw. "The problem is, most of them have bugs themselves which lead to false negatives results: that is, a result which says a system is not vulnerable when in reality it is," claimed Adrian Hayter, senior penetration tester at security consultancy CNS Hut3.
"With many people likely running detection scripts or other scans against hosts to check if they need to be patched, it is important that these bugs be addressed before too many people develop a false sense of security regarding their infrastructure," he added.
Hayter has put together a list of tools and scripts that he claims are faulty in a blog post here. Hayter said most of the tools available failed to detect the Heartbleed vulnerability on the Hut3 proof-of-concept server.
The results provide evidence that while the scripts are useful for demonstrating vulnerabilities, they should not be used as a tool for confirming whether systems are secure or not, according to CNS Hut3.
Both Rapid7, which markets Metasploit, and Tenable Network Security (Nessus) said they had modified their security testing technology in response to CNS Hut3's research – although they nonetheless questioned the security consultancy's methodology. Each vendor defended the general effectiveness of its Heartbleed probe.

OK - but you wouldn't see that setup in the wild...

Renaud Deraison, chief research officer at Tenable Network Security and the author of Nessus, said the firm had modified its technology in response to CNS Hut3's research, even though he questioned its methods. “The setup outlined in the April 14 blog in CNS Hut3 blog is interesting because it narrows down TLS so much that most web clients would not be able to connect to a server configured that way," Deraison explained.
"While our original check failed at negotiating this particular cipher, we've since modified it to support more cases like this one. There are many other ways where a check could fail however, for instance a lot of the public proof-of-concepts only test https, but completely ignore other services using SSL such as SMTP, IMAP or OpenVPN.
"Our research team has been working around the clock to cover as many of these services as possible since day one, and we're continuing to investigate other programs using SSL in a non-standard way,” he added.
Tenable has since refined the plugin that CNS Hut3 had deemed faulty: it now detects what the security vendor described as an "edge case". The security vendor has almost 20 Heartbleed detection plugins for local and remote checking with Nessus and SecurityCenter, and also provides detection via passive and log analysis.
Rapid7 told El Reg that it had four free testing tools for ‪Heartbleed‬ and that these were "steadily updated & improved as info or bugs are reported".

Achy breaky heart

CNS Hut3 said it didn’t encounter any false positives: it only saw incorrect negative readings when it put the testing tools through their paces.
Unsurprisingly, the penetration-testing firm has also developed its own standalone tool for detecting whether systems are affected by the Heartbleed OpenSSL vulnerability, which it tested alongside established pen testing utilities such as Metasploit.
It said one sysadmin reported that CNS Hut3's script made HP iLO servers unresponsive.
Hayter said the incident was isolated but it does illustrated the importance of quality assurance in safely testing for Heartbleed (and many other) vulnerabilities.
"There are always dangers with vulnerability testing, because ultimately to test for these vulnerabilities you have to try to exploit them, and whilst you can write exploits that safely work on 99.99 per cent of systems, there’s always going to be that 0.01 per cent which react differently," Hayter told El Reg. "The problem we have here is that Heartbleed is such a dangerous bug, and people want to know immediately if they are vulnerable, so waiting for QA processes to complete before testing is not an option."
He added: "There is a great way to test for this vulnerability without running scripts at your systems: check the version of OpenSSL installed. Of course, whilst this can be done by organisations with small number of machines, it will be a big task for the larger companies, especially if they didn’t have a patching policy in place that covered Linux systems."
Heartbleed is a bug in a cryptographic library that ships with OpenSSL, uncovered last week but present for two years, that creates a means to lift sensitive data such as cryptographic keys from the memory of systems.
Heartbleed exploits work by sending a TLS heartbeat request with a certain number of bytes as a code (eg, the word “CNS”, which is three bytes in UTF-8) but telling the server that the code is actually longer. The server performs no check that the requested code is the length claimed by the request, so it responds with both the code and the specified number of extraneous byres stored after the code in the server memory.
All a detection script has to do is check whether the response code from the server is longer than the code that was sent. "False positives are actually quite hard to come across because of the way Heartbleed is detected," according to Hayter.

Arts and crafts store Michaels says 3 million credit cards exposed in breach

As the officials investigating the Target data breach are settling in for what they believe will be a long and complex process of catching the hackers behind the heist, another US retailer is admitting that it lost millions of customer payment card details.
Arts and crafts store chain Michaels said that it has confirmed the exposure of as many as 2.6 million customer payment cards from a malware infection which captured and transmitted card details from the company's point of sale (POS) terminals.
According to the company, the attacks occurred between May 8 of last year and February 27, 2014, and impacted roughly 7 per cent of all cards used in the US at Michaels and affiliated Aaron Brothers stores over that period. The company has received reports of the compromised cards being used for fraudulent activity.
Michaels first gave word of a possible breach in January when it first received word of the fraudulent charges on customer payment cards. In the weeks since, the company said that it employed two outside firms to investigate the matter. The company said that both firms traced the breach to a zero-day malware infection that infected the POS terminals and lifted card numbers and expiration dates. PIN numbers and customer address information were not believed to have been compromised.
The company said that it will provide customers who were impacted by the breach with fraud monitoring and identity protection services. The company gave no word on a possible source or point of entry for the breach.
Meanwhile, investigators with the US Secret Service are gearing up for a long and difficult process in tracking down the person(s) behind the breach at Target retail stores.
In an interview with the Associated Press, investigators admitted that it could take years before law enforcement is able to make an arrest, as international laws and red tape could slow the process of apprehending and charging the hacker(s).
That breach, which was traced back to the systems of a contractor which had access to Target's financial platform, resulted in the loss of 40 million user accounts, and will likely impact Target's financial returns for years to come.

Netcraft adds Heartbleed sniffing to site-scanning browser tool

Internet stats clearinghouse Netcraft has released a new tool aimed at letting consumers know when the sites they visit might have been compromised by the Heartbleed encryption bug.
There are lots of tools available that can scan servers to determine whether they're affected by the Heartbleed vulnerability right now, albeit of varying effectiveness.
What makes the new version of the Netcraft browser extension different is that it queries historical data to see whether a site might have been vulnerable prior to the Heartbleed disclosure, even if it has since updated its OpenSSL libraries.
In addition to upgrading their SSL code, sites that were previously vulnerable should also replace their SSL certificates. That's because their old certificates could have been compromised during the time they were running the flawed OpenSSL libraries, potentially allowing attackers to impersonate the sites in phishing attacks and other scams.
If the Netcraft extension determines that a site was vulnerable before news of Heartbleed broke, it checks the date on the site's SSL certificate to make sure it has been recently replaced. If it hasn't, the extension displays an alert.
You might be surprised at some of the high-profile sites the tool still counts as suspicious, too. According to Netcraft's blog post announcing the new tool, social site LinkedIn has already replaced its SSL certificate, for example, but international shipper FedEx has not.
"Fedex's website is hosted by Akamai, a popular Content Distribution Network, which was potentially vulnerable to Heartbleed," Netcraft's Paul Mutton wrote. "Akamai is in the process of rotating its customers' SSL certificates and stated that 'some require extra validation with the certificate authorities and may take longer'."
Netcraft's updated browser extension is available as a free download for Firefox 1.0 and later; Chrome 26 and later on Windows, OS X, and Linux; and for Opera 15 and later on OS X and Windows. Versions for other browsers aren't available, unfortunately, which means users of Internet Explorer and Safari are left in the dark.

LaCie warns of suspected credit card data breach

LaCie hard disk drives 
 Hard-disk maker LaCie was acquired by US company Seagate in 2012
French computer storage specialist LaCie has said credit card details and passwords of shoppers who used its site may have been stolen.
The hard-disk maker said the FBI had alerted it to "indications" of a hacker having used malware to copy details entered into its online store.
It added that the suspected breach was thought to have lasted from 27 March 2013 to 10 March this year.
Experts said it was unusual for such a problem to go unnoticed for so long.
"It is a major breach," Ron Austin, senior lecturer in computer security at Birmingham City University, told the BBC.
"LaCie is a fairly big company and you would question their information security policies.
"No expert can guarantee 100% security, but it goes back to compliance and ensuring that if you're offering services out on to the web that you are carrying out regular checks."
LaCie Private-Public software 
 LaCie sells encryption security software on its website
LaCie was taken over by US tech company Seagate in 2012, but still sells goods using its name.
The attack, if confirmed, could be particularly damaging for LaCie as the brand has security products among its wares.
Independent tech consultant Graham Cluley said the company had been left with "egg on its face".
"In an ideal world, attacks get prevented in the first place and you have done enough work to secure your website and maybe hired some penetration testers to see if there are vulnerabilities," he said.
"If you can't prevent it in the first place, hopefully you can pick it up while it's occurring and deflect it.
"Clearly LaCie did fail in some way. They should have spotted something was happening."
LaCie shop 
 LaCie said it had disabled its online store while it shifted it to a secure payment specialist
Adobe flaw A statement on LaCie's website said that shoppers should check their bills for fraudulent charges and that they would need to change their logins when its store reopened.
"The information that may have been accessed by the unauthorised person may include customers' names, addresses, email addresses, and payment card numbers and card expiration dates," it said.
"Customers' LaCie website user names and passwords could also have been accessed, which is why we required a reset of all passwords."
Adobe ColdFusion 
 Hackers are believed to have exploited flaws in Adobe's software
The statement said that LaCie was alerted to the problem by the FBI on 19 March.
However, security blogger Brian Krebs had warned the company earlier that month that its site might have had credit card data stolen by a criminal gang exploiting vulnerabilities in Adobe's ColdFusion web application development software.
On 17 March Mr Krebs reported that LaCie had told him that its preliminary investigation had found no indication that customer data had been compromised.
But in a follow-up article, Mr Krebs said that LaCie had now acknowledged there were "indications" that someone had used malware that exploited the flaws in Adobe's code.
Mr Krebs added that other companies that had fallen victim to related attacks included the US credit card processor SecurePay and the jam-maker Smuckers.
For its part, Adobe has urged owners of its software to make sure they are using the latest release.
"We have no information regarding this incident outside of published reports," said a spokeswoman.
"However, the majority of attacks we see are exploiting software not up-to-date on the latest security updates.
"Adobe therefore strongly recommends that users install the latest security updates as the best possible defence against those with malicious intent."