HeartbleedMonterey Bay Design

Heartbleed

heartbleedThrowing together a last minute post under any circumstances is difficult – for me anyway. I agonize over details.  However, this is important and I wanted to get this out there in some  form – quick and dirty.

Amended: These sites have helpfully documented the servers that have been patched that needed it, those that didn’t need it (not using OpenSSL) and those passwords you do and don’t need to change. Good lists. There is some crossover, but still very helpful:

List on CNET.com
List on Mashable.com

Any security vulnerability that gets its own logo, website and theme song, you know it’s pretty important.  In a nutshell,  it was discovered just a few days ago that a serious vulnerability has been sitting unnoticed for the last 3 years or so in the primary security protocol in use today for the internet –  that’s the whole interwebs, folks.  It’s called Heartbleed.

From Heartbleed.com: “The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”

The OpenSSL software has released a patch already and most reliable webservers will have patched this vulnerability by now. The OpenSSL has already been patched on the server that houses all of Monterey Bay Design’s websites.  The bottom line is, you need to do  a little housekeeping.

From NPR.com:  Chartier (David Chartier, CEO of Codenomicon) and other computer security experts are advising people to consider changing all their online passwords.

“I would change every password everywhere because it’s possible something was sniffed out,” said Wolfgang Kandek, chief technology officer for Qualys, a maker of security-analysis software. “You don’t know because an attack wouldn’t have left a distinct footprint.”

But changing the passwords won’t do any good, these experts said, until the affected services install the software released Monday to fix the problem. That puts the onus on the Internet services affected by Heartbleed to alert their users to the potential risks and let them know when the Heartbleed fix has been installed so they can change their passwords.

By the way, I was only kidding about the theme song, but in my head, I’m hearing The Mod Squad.

For more information, please visit:

http://heartbleed.com/
http://www.npr.org/templates/story/story.php?storyId=300645082
http://techcrunch.com/2014/04/07/massive-security-bug-in-openssl-could-effect-a-huge-chunk-of-the-internet/

To use the Heartbleed test,  go here:  http://filippo.io/Heartbleed/
Example: bankofamerica.com:443

 

Leave a Reply