11 April 2014

Heartbleed – You MUST take action!

What is Heartbleed?

If you haven’t heard of the Heartbleed (CVE-2014-0160) bug in the OpenSSL library, it’s time to pay attention! I’m not going to regurgitate already available information here, but I’ll provide some pointers for you to get more of said information. There’s a good explanation of the bug located here. If you think it isn’t serious, consider the fact that services such as Google, Facebook and YouTube were affected, and hardware manufacturers did not escape scot-free either. Cisco published a security advisory here noting affected equipment as well as equipment still being investigated for the vulnerability.

What do I need to do?

Here’s a non-exhaustive list of things to do in order to address this:

1. Make a list of services you use. CNet maintains a page with a list of the top 100 US sites, which should give you a good starting point. If you are not using a password manager such as RoboForm, now might be a good time to consider starting to use one. I personally use RoboForm, and because I do, all my services are within easy reach. It makes the creation of this list automatic and, more importantly, it will include services you may have forgotten about because you don’t use them on a daily basis. Remember, this bug has been around for 2 years!!! Any vulnerable service you accessed over the past two years could have resulted in your passwords being stolen.

2. Once you have the list, check each of the services for the vulnerability. There are several checkers out there, like this one from LastPass. Personally, I like this one published by Filippo Valsorda.

3. Once a service clears the check, change your password. It’s important NOT to change your password until the service provider has both patched their software AND updated their SSL certificates. Changing your password before both of these are done would still leave you vulnerable.

4. DO NOT access any vulnerable services until they’ve been patched and are secure again. The very first login to a previously vulnerable service should be to change your password. Once changed, log off completely and then log back on to the service using the new password. For an extra measure of security I would recommend doing this in Incognito or InPrivate mode in your browser, closing the browser between logons.

5. If you’re responsible for hardware, be it at home or at work, research whether your hardware, such as routers, is affected. If it is, patch it! If no patch is available, pull the hardware and replace it with something that isn’t vulnerable.
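As an added example (not code from the original post), here is a small Python helper for two of the checks above: whether an OpenSSL version banner names an affected release, and whether a site's certificate was issued after the 7 April 2014 disclosure, which is the minimum you'd want to see before trusting that the certificate was updated. It uses only the Python 3 standard library; the version range and disclosure date are public facts about CVE-2014-0160, and fetch_peer_cert is the one function that needs network access.

```python
import re
import socket
import ssl
from datetime import datetime, timezone

# Public disclosure of CVE-2014-0160 was 7 April 2014. A certificate whose
# notBefore predates this cannot have been reissued in response to the bug.
DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Affected OpenSSL releases: 1.0.1 through 1.0.1f (fixed in 1.0.1g).
# The 0.9.8 and 1.0.0 branches never contained the TLS heartbeat code.
_VER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def openssl_version_vulnerable(banner):
    """Return True if an 'OpenSSL x.y.z[letter]' banner names an affected build.

    Accepts the full banner string, e.g. the value of ssl.OPENSSL_VERSION.
    """
    m = _VER_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, patch, letter = int(m[1]), int(m[2]), int(m[3]), m[4]
    if (major, minor, patch) != (1, 0, 1):
        return False
    # '' (plain 1.0.1) and 'a'..'f' are vulnerable; 'g' and later are fixed.
    return letter < "g"


def cert_issued_after_disclosure(cert):
    """cert is the dict returned by ssl.SSLSocket.getpeercert().

    Necessary but not sufficient: a post-disclosure notBefore does not prove
    the provider also generated a new private key for the replacement cert.
    """
    issued_at = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(issued_at, timezone.utc) >= DISCLOSURE


def fetch_peer_cert(host, port=443, timeout=5):
    """Fetch and verify a site's certificate (verification on, so the
    returned dict is populated), for feeding into cert_issued_after_disclosure."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("local OpenSSL affected:", openssl_version_vulnerable(ssl.OPENSSL_VERSION))
```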

It’s important to realize that it’s going to take time to patch all the services, especially smaller sites, and that continued use of these services will remain risky unless they’ve been properly secured.

Well what are you waiting for???!!! Get started!!! (And you thought you’re going to be doing this and that over the weekend… )
