April 16 2014

Datazeal informs and advises her clients on the recent security vulnerability on the internet – ‘Heartbleed’

Businesses should not only know about Heartbleed, they should have already implemented the Heartbleed fixes by now. If your bank, favorite online merchant, or software provider hasn’t yet, close your accounts and find new ones. That is the wise thing to do if they are not security conscious.

With Heartbleed, your user IDs, your passwords, your credit-card numbers, everything you place online is potentially not safe.

What is Heartbleed?

Heartbleed is a security bug in the open-source OpenSSL cryptography library, widely used to implement the Internet’s Transport Layer Security (TLS) protocol. This vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension. A fixed version of OpenSSL was released on April 7, 2014, at the same time as Heartbleed was publicly disclosed. At that time, some 17 percent (around half a million) of the Internet’s secure web servers certified by trusted authorities were believed to be vulnerable to the attack, allowing theft of the servers’ private keys and users’ session cookies and passwords. The Electronic Frontier Foundation, Ars Technica, and Bruce Schneier all deemed the Heartbleed bug “catastrophic”. Forbes cybersecurity columnist Joseph Steinberg wrote, “Some might argue that [Heartbleed] is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet.”

A United States Cabinet spokesman recommended that “People should take advice on changing passwords from the websites they use… Most websites have corrected the bug and are best placed to advise what action, if any, people need to take.” On the day of disclosure, the Tor Project advised anyone seeking “strong anonymity or privacy on the Internet” to “stay away from the Internet entirely for the next few days while things settle.”

What to do

Since anything running OpenSSL might be at risk, you need to be aware of your environment and check all servers, devices and applications for anything running OpenSSL 1.0.1 through 1.0.1f. This applies to both internal and external-facing systems; don’t assume a server to which only your local users have access is safe. You can check public websites for the Heartbleed vulnerability using this test page: http://filippo.io/Heartbleed/

As a service provider, let your customers know and update the appropriate systems to OpenSSL 0.9.8, 1.0.0 or 1.0.1g. An advisory site called heartbleed.com recommends that: “If an upgraded package is not yet available for your OS, software developers can recompile OpenSSL with the handshake removed from the code by compile time option ‘-DOPENSSL_NO_HEARTBEATS’”.
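The bounds check that the fix restores, as an added illustration in C (not OpenSSL’s code): a heartbeat responder that refuses any request whose declared payload length does not fit in the record it arrived in, exercised on two constructed records.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not OpenSSL's code: a bounds-checked TLS heartbeat
 * responder. A heartbeat message (RFC 6520) is: 1 byte type (1 = request,
 * 2 = response), 2-byte big-endian payload_length, the payload, then at
 * least 16 bytes of padding. Unpatched OpenSSL trusted payload_length and
 * echoed that many bytes from memory, however short the record really was. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Build the response to record rec (rec_len bytes) into out (out_cap bytes).
 * Returns the response length, or -1 when the record is malformed and must
 * be dropped without a reply. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec == NULL || rec_len < 1 + 2 + HB_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* The check missing in OpenSSL 1.0.1 through 1.0.1f: header, declared
     * payload and padding must all fit inside the record actually received. */
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);        /* echo only what was sent */
    memset(out + 3 + payload, 0, HB_PADDING); /* real code uses random padding */
    return (int)resp_len;
}

/* Constructed sample records: both carry the 3-byte payload "abc" and 16
 * bytes of padding (22 bytes total); only the declared payload_length differs. */
static int run_sample(uint8_t len_hi, uint8_t len_lo)
{
    uint8_t rec[1 + 2 + 3 + HB_PADDING] = { HB_REQUEST, len_hi, len_lo, 'a', 'b', 'c' };
    uint8_t out[64];
    int n = heartbeat_respond(rec, sizeof rec, out, sizeof out);
    if (n > 0 && (out[0] != HB_RESPONSE || memcmp(out + 3, "abc", 3) != 0)) return -2;
    return n;
}
int demo_well_formed(void)      { return run_sample(0x00, 0x03); } /* returns 22 */
int demo_oversized_length(void) { return run_sample(0xFF, 0xFF); } /* returns -1 */
```

A record that declares 65535 bytes but carries 3 is exactly what an unpatched server would have answered with 65535 bytes of its own memory; here it is simply dropped.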

As a user, first confirm whether the sites you normally use are still affected (you can check with this test page: http://filippo.io/Heartbleed/), and only then change your passwords. If a site is not yet protected, changing your password there still exposes you.
