Heartbleed Bug: The bare facts, and the (mostly) simple solution.

Heartbleed is not a virus, but a software bug.

The Facts:

Heartbleed is an exploitable bug in the TLS heartbeat extension of OpenSSL, the software library that many servers use to encrypt their communication with the devices requesting information from them over the internet.  A client can send a heartbeat request that claims a large payload while actually sending only a few bytes; an unpatched server trusts the claimed length and echoes back up to 64 KB of whatever happens to sit in its memory next to the request, which can include session cookies, passwords, and the server's private key.  Nothing is logged, so a server cannot tell afterwards whether it was attacked.  The best simple description of Heartbleed that I’ve seen was done by Randall Munroe of XKCD.

Fixing Heartbleed is a two-step process.  First, you patch the bug in the software; then you protect any information that may have been exposed while the bug was live (passwords, session cookies, and the server’s TLS private key and certificate).

Who needs to patch their systems?

  • Workstations, laptops, tablets, and phones are mostly unaffected, with some exceptions: Android 4.1.1 phones, Cisco VoIP desk phones, and some software products, including VPN clients and products from VMware and Oracle.
  • Most servers will be fine; only servers running an affected OpenSSL version (1.0.1 through 1.0.1f) with the heartbeat feature enabled, which it is by default, are vulnerable.  OpenSSL 1.0.1g fixes the bug, and the older 0.9.8 and 1.0.0 branches were never affected.

If you think you are affected, or a vendor has sent you a notification that your equipment may be affected, then you need to immediately verify whether your equipment is affected, and if so, ensure it has been patched.  One of the many tests available will check your website for you.  Keep in mind that such a test checks one service on one port: mail servers, VPN gateways, and management interfaces that speak TLS need to be checked separately.  If you are not sure whether you are affected, call or email us with questions.
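To make the bug and the test concrete, here is an added example (not code from the original post, and not OpenSSL’s own code).  It models the two sides in plain Python: a handler that behaves like the affected OpenSSL versions, a handler with the length check that the fix added, and the classification logic a Heartbleed test tool applies to the reply.  The "heap" bytes that follow the request are constructed for the example, and no network traffic is sent; a real test tool performs the same exchange over a TCP connection after completing a TLS ClientHello.

```python
import struct

# TLS heartbeat message types (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # RFC 6520 requires at least 16 bytes of padding after the payload

# Constructed stand-in for whatever sat on the heap right after the incoming
# record. Real process memory is not this tidy; it is only here so the
# over-read picks up something recognisable.
HEAP_TAIL = (b"\x00\x00Set-Cookie: session=abc123; user=alice\x00\x00"
             b"-----BEGIN RSA PRIVATE KEY-----\x00")


def build_heartbeat(claimed_length, payload):
    """type(1) || payload_length(2) || payload || padding, as sent on the wire."""
    return struct.pack(">BH", HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING


def vulnerable_handler(memory, record_length):
    """Models OpenSSL 1.0.1 through 1.0.1f: payload_length is read from the
    request and never compared with the size of the record that arrived."""
    hb_type, payload_len = struct.unpack(">BH", memory[:3])
    if hb_type != HB_REQUEST:
        return None
    # In C this is a memcpy of payload_len bytes: it keeps reading past the end
    # of the record into adjacent heap memory. Python slicing stops at the end
    # of our buffer, which is the only reason this simulation is safe to run.
    echoed = memory[3:3 + payload_len]
    return struct.pack(">BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING


def patched_handler(memory, record_length):
    """Models the 1.0.1g fix: discard any request whose claimed payload does not
    fit inside the record that was actually received."""
    if record_length < 1 + 2 + PADDING:
        return None  # silently discard, as RFC 6520 requires
    hb_type, payload_len = struct.unpack(">BH", memory[:3])
    if hb_type != HB_REQUEST:
        return None
    if 1 + 2 + payload_len + PADDING > record_length:
        return None  # the missing check: claimed length versus actual length
    echoed = memory[3:3 + payload_len]
    return struct.pack(">BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING


def classify(response, sent_payload):
    """What a Heartbleed test tool concludes from the server's reply.
    Returns (verdict, leaked_bytes)."""
    if response is None:
        return "not vulnerable (request discarded)", b""
    hb_type, length = struct.unpack(">BH", response[:3])
    if hb_type != HB_RESPONSE:
        return "unexpected reply", b""
    echoed = response[3:3 + length]
    if len(echoed) > len(sent_payload):
        # Anything beyond the bytes we sent came out of the server's memory.
        return "VULNERABLE", echoed[len(sent_payload):]
    return "not vulnerable", b""


def probe(handler, claimed_length, payload):
    """Send one heartbeat to a simulated server and classify its reply."""
    request = build_heartbeat(claimed_length, payload)
    memory = request + HEAP_TAIL  # the record, followed by adjacent heap
    return classify(handler(memory, len(request)), payload)


if __name__ == "__main__":
    for name, handler in (("unpatched", vulnerable_handler), ("patched", patched_handler)):
        # Claim a 16 KiB payload while sending only five bytes.
        verdict, leak = probe(handler, 0x4000, b"hello")
        print(f"{name}: {verdict}", repr(leak) if leak else "")
```

The unpatched handler answers the five-byte request with kilobytes of memory, including the constructed cookie and key material, while the patched handler drops the request without replying.  An honest heartbeat whose claimed length matches its payload is echoed by both, which is why a test tool must look at the length of the reply rather than at whether a reply arrived at all.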


The Fix:

Even if you don’t need to patch your systems, YOU ARE STILL AFFECTED.  Many large internet businesses were affected, but they have since installed the patch.  To start protecting yourself, change your account passwords for any affected sites, but only after the site has patched and replaced its certificate: a new password sent to a server that is still vulnerable can be stolen just like the old one.  Please remember the best practices for passwords.

1: Use separate passwords for each site

2: Make your passwords more complex (longer is better)

3: Don’t use words found in a dictionary.

Affected Companies include:

  • Google / Gmail / YouTube
  • Yahoo / Yahoo Mail
  • AT&T webmail (hosted by Yahoo)
  • Facebook
  • Instagram
  • Pinterest
  • Tumblr
  • Reddit
  • Etsy
  • GoDaddy
  • USAA
  • Flickr
  • Netflix
  • IFTTT
  • GitHub
  • OKCupid
  • Box
  • Dropbox
  • Wikipedia
  • SoundCloud
  • Minecraft
  • Wunderlist
  • Amazon Web Services (not Amazon.com)

The Future:

Security experts are finding that this bug affects more systems than previously thought.  Another attack vector has already been described, called “Reverse Heartbleed”: a malicious server sends the same kind of oversized heartbeat to a client that connects to it, so any client software built on a vulnerable OpenSSL version (some mobile apps, VPN clients, and other programs) can leak its own memory to the server.

Until the companies behind a site have patched, replaced their servers’ TLS certificates and private keys, reset their own passwords and session credentials, and released updated mobile apps, DO NOT USE any mobile apps to connect to a compromised or formerly compromised site.

Just to be on the safe side, plan to change all your passwords again in May or June 2014.
