« Browser security – an update for 2014 | Main | How to Unblock an IP address if LogMeIn has blocked it »
Thursday
Apr172014

“Heartbleed” vulnerability

There has been a great deal of press about this vulnerability in recent days, and it’s difficult to determine exactly what an individual’s exposure is, reading through the coverage. Think of the Year 2000 issues but imagine if everyone had just realized the issue on December 31, 1999. On a smaller scale, that’s pretty close to the chaos that’s ensued since this was identified.

Generally, there is little a user of the internet can do directly to protect him/herself from this, since this exposure happens on a service provider’s server0409_heartbleed_970-630x420and not on the user’s computer. Further, while many security vulnerabilities give the bad guys access to stored information (credit card numbers, passwords, account numbers, etc.), this one gives unauthorized access only to a snapshot of what happens to be in a server’s memory at a point in time. A subtle difference, but an important one when considering the exposure.

Our best advice: if you’re worried about a given password – either because it’s for a service that was affected, or because you use it in multiple places, or “just because”, then change it. Change it to a “good” password. One that is 8 or more characters long, and uses three of these four groups: upper case letters, lower case letters, numbers, special characters. Don’t use your name, or your dog’s name, or your birthday (or your dog’s birthday) in the password. If you use a word or number in the password, make sure it’s not one that can easily be tied back to you. For example, DAF!090657 technically would be a “strong” password, but it could be cracked, if I used it, in a fraction of a second by password cracking software. Passwords that are a random jumble of letters, numbers and special characters are best, but are hard to manage unless one uses a password manager like Roboform or LastPass.0409_heartbleed_970-630x420

Keep in mind that if a provider of service for you has identified but not yet patched this exposure, you’ll have to change the password again after the service is patched. If you use the same password (as you should not) for multiple online services, then you put yourself at additional risk for two reasons: 1) because a password mined using a vulnerability like this could be used to access your information at multiple online services, and 2) because, if you change your passwords now but one or more smaller services you use hasn’t patched this vulnerability yet, you’ll have to change them all again. You should never use the same password at multiple sites, for just these reasons. For now, changing your password at larger, affected sites, monitoring email traffic about online services, and monitoring credit card statements, is about as much as a user can do.

0409_heartbleed_970-630x420Broadly speaking, Amazon.com, Apple services (me.com, icloud.com), eBay, Evernote, LinkedIn, Microsoft services (msn.com, hotmail.com, outlook.com), PayPal, Twitter were not affected by this.

Broadly speaking, Amazon Web Services, Dropbox, Facebook, Twitter, Google/Gmail, and Yahoo were affected, and have patched their systems to eliminate the exposure. It would be a good idea to change your passwords at these services.

 

You’ll notice I mentioned Twitter in each group, above. See how hard it is to tell?

If you have a service provider that is not one of the big ones (a regional bank, or smaller provider of some service), you should contact that provider to determine its status.

ITCFrom a service provider perspective, the services that are at the heart of what Interconnected Technologies uses and recommends for our clients were not and are not vulnerable to this issue. Zendesk (our helpdesk service), Freshbooks (our time tracking and billing service), PayPal and Stripe (our credit card processing service), Wells Fargo (our banking service) Rackspace (Exchange service), Jungledisk (backup service), Egnyte (file services) and all services from Microsoft were not affected by this issue.

Only one service widely used by some Interconnected Technologies clients, Google Apps, was vulnerable to this, since it’s based on Gmail. Google patched the vulnerability immediately, and so the cautious approach would be to change any Google / Gmail / Google Apps passwords now. Contact us if you have questions about this or need help doing this.

These are some reference sites for this issue. A quick look will show that things are still in a state of flux as of this writing:

This is a very fluid and murky situation in which we find ourselves. The outline above is a good general guide, but as always we stand ready to provide our clients with tailored advice and solutions for their unique situations and needs.

References (3)

References allow you to track sources for this article, as well as articles that were written in response to this article.
  • Response
    Heart vulnerability is ensured here for the removal of the weakness and feeble aspects. It is the impressive and controlled for the right and entirely done things. It I the feed and consumed in all realm and ambit of the prospects.
  • Response
  • Response
    Matt and Greg you are marvelously striking that you do this sort stupifing show I like your show and this show is to a brilliant degree dumbfounding when any clear particular take a seat with them they treat particularly well and make the show surprising I listen the sound of this ...

Reader Comments

There are no comments for this journal entry. To create a new comment, use the form below.

PostPost a New Comment

Enter your information below to add a new comment.

My response is on my own website »
Author Email (optional):
Author URL (optional):
Post:
 
Some HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>