If you’ve been online or watched TV over the past 24 hours, you’ve likely heard something about the “Heartbleed Bug”. The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.
And while it may seem like it’s time to panic, it’s not. It’s just time to be vigilant. By some estimates, this bug could affect around two-thirds of web servers and it could affect sites you log into — email, social networks, even a VPN you might use for work. Here are some recommendations to consider:
1. CHECK VULNERABILITY: You can easily check whether your website, apps or any products use OpenSSL and whether they are vulnerable to the attack. Use http://filippo.io/Heartbleed/ to run the check.
2. REGENERATE KEYS: Regenerate all private keys that your site uses, whether or not a vulnerability has been detected.
3. UPDATE OpenSSL: Update to the latest version (1.0.1g or above), which fixes the defect.
4. RESET PASSWORDS: Consider resetting end-user passwords that may have been visible in a compromised server memory.
5. REVIEW TECHNICAL Q&A: Take a look at the more technical Q&A at http://heartbleed.com/. If you have further questions about the bug or how to remediate it, feel free to contact DSS.
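
A version check to go with steps 1 and 3, as an added example that is not part of the original advisory: it classifies the output of `openssl version -a`. It assumes that the affected releases are 1.0.1 through 1.0.1f and 1.0.2-beta/1.0.2-beta1, and that a build compiled with `-DOPENSSL_NO_HEARTBEATS` has the heartbeat code removed; neither detail is stated above, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example: classify `openssl version -a` output for steps 1 and 3.
# Assumptions (not stated on the page): releases 1.0.1 through 1.0.1f and
# 1.0.2-beta/1.0.2-beta1 contain the defect; a build compiled with
# -DOPENSSL_NO_HEARTBEATS has the heartbeat code removed.

heartbleed_status() {
    out=$1
    # First line looks like: "OpenSSL 1.0.1e 11 Feb 2013"
    ver=$(printf '%s\n' "$out" | sed -n '1s/^OpenSSL \([^ ]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo "unknown"
        return 0
    fi
    case $out in
        *-DOPENSSL_NO_HEARTBEATS*) echo "heartbeat-disabled"; return 0 ;;
    esac
    case $ver in
        1.0.1|1.0.1[abcdef]|1.0.2-beta|1.0.2-beta1)
            # Distributions often backport the fix without changing this
            # string, so confirm against the package changelog.
            echo "affected-version" ;;
        *)
            echo "not-affected-version" ;;
    esac
}

# Constructed sample outputs (not captured from real hosts).
sample_old='OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Feb 11 12:00:00 UTC 2013
compiler: gcc -fPIC -DOPENSSL_PIC -O2'
sample_fixed='OpenSSL 1.0.1g 7 Apr 2014
built on: Tue Apr  8 09:00:00 UTC 2014
compiler: gcc -fPIC -DOPENSSL_PIC -O2'
sample_noheartbeat='OpenSSL 1.0.1f 6 Jan 2014
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -O2'

for s in "$sample_old" "$sample_fixed" "$sample_noheartbeat"; do
    first_line=$(printf '%s\n' "$s" | head -n 1)
    printf '%s -> %s\n' "$first_line" "$(heartbleed_status "$s")"
done
# On a live host: heartbleed_status "$(openssl version -a)"
```

The `openssl` command can report a different version than the library a web server or appliance actually loads, and a service started before the upgrade keeps the old library in memory until it is restarted.
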
• CHANGE PASSWORDS: Be on the lookout for any notices from the vendors you use. If a vendor has communicated that their customers should change their passwords, users should do so.
• AVOID PHISHING EMAILS: Pay attention to details to avoid potential phishing emails from attackers asking you to update your password. You can always avoid going to an impersonated website by using the official site domain.
• USE REPUTABLE WEBSITES: Be wary of sites you’re not familiar with or haven’t been to before and stick to reputable websites and services. They are most likely to have immediately addressed the vulnerability.
• AVOID SHARED WIFI: Whenever possible, avoid shared WiFi, since attackers have their best access to your communications when you’re sharing a network with them.
• MONITOR PERSONAL INFO: Regularly monitor your bank and credit card statements and be sure to check for any unusual transactions. Contact your provider if anything looks out of the ordinary.
If you still have questions and want help understanding the Heartbleed Bug, feel free to contact DSS.