CRITICAL SECURITY VULNERABILITY – “heartbleed”

A bug in OpenSSL, the software library that implements the encryption protecting our web page logins and passwords, was discovered and announced on April 7, 2014. Web servers are being patched rapidly to close this hole, but in the meantime our passwords and other important credentials (certificates and keys) may have been revealed. The vulnerability appears to have existed, mostly unnoticed, for about two years, but has only been public knowledge for a few days. Any web site using the “https” prefix that we’ve logged in to during the past few days may have allowed information to leak, and it’s possible for leakage to have occurred at any point over the last two years.

WHAT SHOULD WE DO?

  • Make a list of all secure transactions we’ve used for the last two years that contained important information and the sites that hosted them
  • Prioritize the list: some may be critical, others not so much
  • Test the sites: http://filippo.io/Heartbleed/
  • Once a site tests as safe, change our password on that site (changing it before the site is patched only exposes the new password)
  • As we update our passwords, consider improving our password practices:
    • make them longer and more complex, use phrases and unusual/special characters (just using the “space” character in a phrase of several words helps)
    • store them in an encrypted password-saving program so they’re safe and we are less afraid to use long, complex passwords
    • never re-use the same password on different sites

The Heartbleed Bug – [heartbleed.com]

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
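The memory read described above comes from a missing length check in OpenSSL's TLS heartbeat handling: the sender states how long its payload is, and the vulnerable versions echoed that many bytes back without confirming the record actually held them. The C model below is an added example, not OpenSSL's code or the page's own; the record layout, the `heartbeat_response` routine and the `demo` harness are constructed for illustration, and the "SECRET" bytes stand in for whatever happens to sit next to the record in process memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of a TLS heartbeat record (not OpenSSL's code):
   byte 0     : message type (1 = request, 2 = response)
   bytes 1..2 : payload length claimed by the sender, big-endian
   bytes 3..  : payload, then at least 16 bytes of padding */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Echo the heartbeat payload. With hardened == 0 the claimed length is
   trusted, as the vulnerable versions did: the copy runs past the real
   payload and whatever sits next in memory goes into the reply. With
   hardened == 1 a record whose claimed length does not fit inside the
   bytes actually received is silently discarded, which is the fix.
   Returns the number of payload bytes echoed, or -1 if rejected. */
int heartbeat_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap, int hardened)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (hardened && 1 + 2 + claimed + HB_PADDING > rec_len)
        return -1;                      /* claimed length exceeds the record */
    if (3 + claimed > out_cap)
        return -1;                      /* keeps this model itself in bounds */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);  /* the over-read, when not hardened */
    return (int)claimed;
}

/* Constructed demo: a 4-byte "ping" payload that claims `claimed` bytes.
   "SECRET" is planted just past the 23 received bytes to stand in for key
   material that happens to sit next to the record in process memory.
   Returns heartbeat_response's result; *leaked becomes 1 when the planted
   bytes (20 bytes into the echoed region) show up in the reply. */
int demo(int hardened, uint16_t claimed, int *leaked)
{
    uint8_t rec[256] = {0}, out[256] = {0};
    rec[0] = HB_REQUEST; rec[1] = claimed >> 8; rec[2] = claimed & 0xff;
    memcpy(rec + 3, "ping", 4);
    size_t rec_len = 3 + 4 + HB_PADDING;
    memcpy(rec + rec_len, "SECRET", 6);
    int n = heartbeat_response(rec, rec_len, out, sizeof out, hardened);
    *leaked = (n >= 26 && memcmp(out + 23, "SECRET", 6) == 0);
    return n;
}
```

With `hardened` set, the same over-long request is dropped; a correctly sized request (claimed length 4) is still answered, so the fix costs nothing for well-formed peers.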
