A boutique cyber security consultancy offering a variety of information security consultancy and compliance services designed to meet the individual needs of SME’s, public sector organisations and larger corporations, who want to protect their business and enhance the overall security of their internal and external information systems.

Does your online service Heartbleed?

You may have seen the news about yet another security problem affecting the internet. This time it is called Heartbleed, and it is a problem with some implementations of SSL, the security mechanism that keeps your communications with a site, service or email provider secure, or in non-technical speak the little padlock thing on your Facebook/bank/eBay/shopping site etc.

The question is “should I worry?”

YES but don’t panic.

“But some news sites have said I should change all my passwords.” (Usual media over-reaction)

DO NOT CHANGE YOUR PASSWORD YET.

Keep calm!

This bug is very serious, but not every service or site is affected: it is a problem with certain versions of OpenSSL (1.0.1 and 1.0.2-beta), and not everyone uses those versions, let alone OpenSSL at all.

Basics

This bug allows a message to be sent to an affected server asking it to respond with more information than it should. The information returned could contain usernames and passwords held in the server’s memory. A more detailed explanation is on the Heartbleed site, or check out this comic from the excellent XKCD.

[Image: Heartbleed Explanation (XKCD comic)]
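To make the “more information than it should” part concrete, here is an added toy model written for this page; it is not code from the original post or from OpenSSL. It assumes a simplified heartbeat record layout (1 byte type, 2 byte declared payload length, payload, 16 bytes of padding) and a constructed string standing in for whatever else happened to be sitting in the server’s memory. It shows the pre-fix behaviour (trust the declared length) beside the fixed behaviour (check the declared length against what actually arrived, and drop the record if it does not fit).

```python
"""Toy model of the Heartbleed bug: a heartbeat request carries a payload and
a declared payload length.  The bug was that the server trusted the declared
length and copied that many bytes from its own memory into the reply, even
when the request actually contained far fewer bytes.  The fix compares the
declared length with the size of the record that really arrived and discards
anything that does not fit.  Field sizes, memory layout and the sample
"secret" are constructed for this demonstration, not taken from OpenSSL."""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3          # 1 byte type + 2 byte declared payload length
MIN_PADDING = 16        # TLS heartbeats carry at least 16 bytes of padding


def build_heartbeat(payload: bytes, declared_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request.  A well-formed request declares the true
    payload length; a malformed one declares more than it actually carries."""
    if declared_length is None:
        declared_length = len(payload)
    return (struct.pack("!BH", HEARTBEAT_REQUEST, declared_length)
            + payload + b"\x00" * MIN_PADDING)


class ToyServer:
    """Models process memory as one bytes buffer: the incoming record lands
    at offset 0 and whatever the process held before (here a constructed
    session cookie) sits immediately after it."""

    def __init__(self, leftover_memory: bytes):
        self.leftover_memory = leftover_memory

    def _memory_after_receiving(self, record: bytes) -> bytes:
        return record + self.leftover_memory

    def respond_vulnerable(self, record: bytes) -> bytes:
        """Pre-fix behaviour: trust the declared length and copy that many
        bytes starting at the payload, whatever happens to lie there."""
        mem = self._memory_after_receiving(record)
        _, declared = struct.unpack("!BH", mem[:HEADER_LEN])
        copied = mem[HEADER_LEN:HEADER_LEN + declared]   # can run past the record
        return struct.pack("!BH", HEARTBEAT_RESPONSE, declared) + copied

    def respond_fixed(self, record: bytes) -> Optional[bytes]:
        """Post-fix behaviour: the declared length must fit inside the bytes
        that actually arrived (type + length + payload + padding); otherwise
        the record is silently discarded and no reply is sent."""
        if len(record) < HEADER_LEN:
            return None
        _, declared = struct.unpack("!BH", record[:HEADER_LEN])
        if 1 + 2 + declared + MIN_PADDING > len(record):
            return None
        payload = record[HEADER_LEN:HEADER_LEN + declared]
        return struct.pack("!BH", HEARTBEAT_RESPONSE, declared) + payload


def leaked_bytes(response: bytes, honest_payload_length: int) -> bytes:
    """Everything in a reply beyond the honest payload came from server memory."""
    return response[HEADER_LEN + honest_payload_length:]


def demo() -> dict:
    """Send one honest and one malformed request to both handlers."""
    server = ToyServer(leftover_memory=b"session=CONSTRUCTED_SECRET_COOKIE;user=alice")
    honest = build_heartbeat(b"hello")                       # declares 5, carries 5
    malformed = build_heartbeat(b"hello", declared_length=60)  # declares 60, carries 5
    vulnerable_reply = server.respond_vulnerable(malformed)
    return {
        "honest_reply": server.respond_fixed(honest),
        "vulnerable_reply": vulnerable_reply,
        "leaked": leaked_bytes(vulnerable_reply, len(b"hello")),
        "fixed_reply": server.respond_fixed(malformed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The vulnerable handler answers the 5-byte request with 60 bytes, and the tail of that reply is the constructed cookie that was never part of the request; the fixed handler returns nothing at all for the same request, which matches how the real fix behaves (a mismatched heartbeat is discarded rather than answered). This is also why “is it fixed yet?” is the right question to ask before changing a password: until the check is in place, anything in the server’s memory, including a freshly typed new password, can come back out.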

There is a fix, and the service needs to have it in place before there is any point in changing your password.

“What can I do?”

Keep an eye out for a message from your favourite services about this vulnerability: are they affected, and have they fixed it? Twitter is a good place for this information. All services use some form of SSL to protect your data, so this means checking every site or service you log in to, such as banks, shopping sites, government, tax, email, file sharing, social media etc.

If they are affected try not to use the service until they have fixed it.

Once they have fixed it, change your password.

As with all passwords, make sure it is unique (don’t use the same one for everything). Use a mix of letters, numbers and symbols. Pass-phrases are better and easier to remember, or use a system like 1Password to create and manage your passwords for you.

A list of some services and their response to #Heartbleed so far

  • 1Password (a great blog post) (Not affected)

  • Google Services (some affected, including Gmail) now fixed (CHANGE YOUR PASSWORD)

  • Facebook (was affected) now fixed (CHANGE YOUR PASSWORD)

  • LinkedIn (Not affected)

  • Tumblr (was affected) now fixed (CHANGE YOUR PASSWORD)

  • Twitter (Not affected)

  • Amazon (Not affected)

  • ifttt (was affected) now fixed (CHANGE YOUR PASSWORD)

  • Yahoo (inc email) (was affected) now fixed (CHANGE YOUR PASSWORD)

  • Flickr (was affected) now fixed (CHANGE YOUR PASSWORD)

  • Hotmail/Outlook (Not affected)

  • Dropbox (was affected) now fixed (CHANGE YOUR PASSWORD)

  • Evernote (Not affected)

  • Skype (unknown) Support seem clueless

  • Boxcryptor (was affected) now fixed (CHANGE YOUR PASSWORD)

  • Eventbrite (affected)

  • Paypal (Not affected)

A good site that is being regularly updated about Heartbleed is here

UK Banks

Nothing, not a peep from them… yet

Information may change but was correct as of 09:00 GMT 10/4/14