OpenSSL Servers, https, Heartbleed and you...

[GrySql]

Lifelock just set me a letter regarding this security issue so I thought I'd pass some of that info on.

-

Internet Hackers have been using the Heartbleed Bug to collect private, personal and financial data according to Lifelock (some say for at least two years).
This is a much bigger threat than the ‘Target Stores data breach’ of last year, 56% of ’secure’ websites that use OpenSSL web servers are vulnerable.

Info on this:
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

http://mashable.com/2014/04/09/heartbleed-what-to-do/
http://krebsonsecurity.com/2014/04/heartbleed-bug-what-can-you-do/
http://heartbleed.com/

About better passwords:
http://www.dailyfinance.com/2011/07/09/how-to-create-a-safe-memorable-online-password/
http://www.technewsdaily.com/2347-how-to-create-remember-super-secure-passwords.html
-
For you Smartphone users, this is a good read as well,
Using your smartphones and iPads/tablets/laptops at places like Starbucks public wireless is a bad idea for business or financial topics:
http://www.lifelock.com/pr/2013/10/22/lifelock-survey-smartphone-mobile-identity-theft-threats/

 

===

Edit:

BTW, there is a website that will check any other URL to see if it's vulnerable to Heartbleed, it's here:

https://lastpass.com/heartbleed/

 

I just ran this FFH Forum through it and this is their result:

Edited April 13, 2014 by GrySql

[acdii]

Iphones are not safe, Cisco has determined them to have this issue, and they are working on a patch for the Anyconnect Mobile client to help mitigate problems when using VPN. The Androids though have been verified clean. Thankfully the majority of Cisco products have passed inspections, only a small handful of products have this vulnerability. However, there are 3 critical bugs found this week on their firewalls which I now have to setup upgrade windows on at least 200 firewalls. Grrrrr.

 

When it comes to using your phone for banks and other financial transactions where personal information is used, if you do it on a public accessed wireless connect(starbucks), turn OFF your bluetooth! You would be surprised how easy it is to pair your phone without you knowing it and grabbing all your information.

[GrySql]

To make sure this Heartbleed hack is understood properly I'd like to mention to not confuse it with everyday cellphone security precautions and firewalls.

 

This Heartbleed hack is about the websites themselves being insecure because of the type of Server software they use.

It doesn't matter how you access an insecure OpenSSL website with an old Security Certificate, it will be open to exploitation if the Server software is not patched or brought current.

 

If you are concerned, use this security checker to see if your bank or other frequently used website is vulnerable, or send their webmaster an email.

https://lastpass.com/heartbleed/

 

I sent a couple emails last night to webmasters and was surprised at how fast I got a response, they are patching and updating quickly to this threat.

That is good. However there are many websites that are not as diligent about security as they should be and you might want to be a bit more careful.

Your choice.

Edited April 14, 2014 by GrySql

[jeff_h]

If you are concerned, use this security checker to see if your bank or other frequently used website is vulnerable, or send their webmaster an email.

https://lastpass.com/heartbleed/

 

Here is another site to check the SSL connection of a given site, don't know if it is run by the same outfit by it's the one the IA guy on my team provided to me:

 

https://www.ssllabs.com/ssltest/index.html

[GrySql]

Well, just when you've finished changing all your passwords, there is this:

--

Russian criminals have stolen 1.2 billion Internet user names and passwords

 

http://www.zdnet.com/russian-crime-ring-reportedly-nabbed-1-2-billion-online-credentials-7000032353

http://www.lifelock.com/education/crimes/russian-crime-ring-steals-billions-of-passwords-online-records/

http://money.cnn.com/2014/08/05/technology/security/russian-hackers-theft/index.html

Edited August 9, 2014 by GrySql

[Ram]

Sorry to say, this internet is not as safe as the Andy and May-berry little town. It is rough business being on the net, every bit of every thing you do or post on the net is in the public domain and open to be hacked or stolen by any one for any reason. If you value something, like your name, address, phone number, place of work, any other personal information family members, pictures with reflections that can ID your location or has a geo-tag, your a target. Passwords, bank account numbers etc... are prime targets. I don't care how current your firewall, antivirus or security measures are, they are all targets for hackers.

 

Bottom line is, if you don't want someone to know your business on the net, post nothing. As for banks, and other business its wise to verify their network posture and have them confirm your information they have on you is secure as they can make it. If that is really possible in this day with hackers as they are.

 

Thread above is filled with good info.