Heartbleed is serious.
What is it?
The Heartbleed Bug is a vulnerability in the popular OpenSSL cryptographic software library. It allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
NSA Knew About Heartbleed
From Tyler Durden at Zerohedge.com: “It is one thing for the NSA to spy on everyone in the world, especially US citizens because all of them are obviously potential “terrorizers” just waiting for their opportunity to blow shit up (except for anything in close proximity to the Boston marathon – those things the NSA promptly filters out), but when the NSA itself is found to have not only known and itself abused the prevalent and widespread Heartbleed bug, but left consumers exposed, then it may be time to finally launch a class action lawsuit against Obama’s favorite means to eavesdropping on the entire world.” http://www.zerohedge.com/news/2014-04-11/nsa-abused-heartbleed-bug-years-left-consumers-exposed-attack
You Are at Risk
Even the big anti-virus folks have been affected. 95% of the detection tools failed. “Symantec has identified that some of its products may be impacted by the OpenSSL vulnerability, dubbed Heartbleed. We have begun issuing advisories to our customers to alert them and provide mitigation solutions while we work to deploy any necessary patches.” http://www.symantec.com/outbreak/?id=heartbleed&sl=QWHND-0000-01-00
What To Do
Reset ALL YOUR PASSWORDS. Ask your provider to confirm they have patched BEFORE resetting your password. If you reset prior to the patch you are just increasing the chance of handing out your username and password. They may have a public statement, or you can contact them to check.
How to tell which passwords you need to change because of Heartbleed
Check Websites You Use
- To find out if a site was vulnerable, first see the Heartbleed Hit List on Mashable or enter the site in question into the LastPass Heartbleed checker. Also Google “[site] heartbleed” to find information directly from the source. I started with my most important accounts (email, finance, anything I entered a credit card into).
- You’ll see whether they patched the SSL bug in the step above. If they haven’t, wait until they do before you change your passwords. (Most sites have already done this.)
- To find out if they’ve reissued their SSL certificates, check the issue date in the tools above. For example, the LastPass Heartbleed checker usually shows when the certificate was issued. If there’s no date, look it up on DigiCert.
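The certificate-date check in the last step can be done without a third-party tool. The script below is an added example, not code from the original post or from LastPass or DigiCert: it reads the certificate a site presents (or a constructed sample dict in the same shape) and reports whether its validity period starts on or after the Heartbleed disclosure date of 7 April 2014. The hostnames and dates in the sample certificates are made up for the example.

```python
# Added example (not from the original post): check whether a site's TLS
# certificate was (re)issued after the Heartbleed disclosure date, the same
# "check the issue date" step the list above does by hand.
import socket
import ssl
from datetime import datetime, timezone

# Public disclosure date of Heartbleed (CVE-2014-0160): 7 April 2014.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def parse_cert_time(value):
    """Turn a 'notBefore'/'notAfter' string as returned by ssl.getpeercert()
    (e.g. 'Apr 10 12:00:00 2014 GMT') into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def reissued_after_disclosure(cert):
    """True when the certificate's validity period starts on or after the
    disclosure date, i.e. it was issued after the bug became public."""
    return parse_cert_time(cert["notBefore"]) >= HEARTBLEED_DISCLOSURE


def verdict(label, cert):
    """One-line human-readable summary for a getpeercert()-style dict."""
    not_before = parse_cert_time(cert["notBefore"])
    status = (
        "reissued after disclosure"
        if reissued_after_disclosure(cert)
        else "issued BEFORE disclosure - ask whether key and cert were replaced"
    )
    return f"{label}: certificate valid from {not_before:%Y-%m-%d}, {status}"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the certificate a live host presents (network call, validated
    against the system trust store). Returns the getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in the shape getpeercert() returns; the
# hostnames and dates are made up for this example.
SAMPLE_OLD_CERT = {
    "subject": ((("commonName", "old.example.test"),),),
    "notBefore": "Jan 15 09:30:00 2014 GMT",
    "notAfter": "Jan 15 09:30:00 2016 GMT",
}
SAMPLE_NEW_CERT = {
    "subject": ((("commonName", "new.example.test"),),),
    "notBefore": "Apr 10 12:00:00 2014 GMT",
    "notAfter": "Apr 10 12:00:00 2016 GMT",
}

if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print(verdict("old.example.test", SAMPLE_OLD_CERT))
    print(verdict("new.example.test", SAMPLE_NEW_CERT))
    # To check a real site instead (network access required):
    # print(verdict("example.com", fetch_peer_cert("example.com")))
```

The date check only tells you that a new certificate was issued after the bug became public; it cannot tell you whether the private key was actually replaced (a certificate re-signed over the old key gives no protection) or whether the site was ever running a vulnerable OpenSSL in the first place, so a site's own statement about patching and key rotation is still the thing to ask for.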
The clearing firm for many of my clients’ accounts is Pershing. Pershing has reviewed all of its client-facing systems, which include NetX360, NetX360.com and NetXInvestor, and determined that these systems are not vulnerable to the Heartbleed security bug. It is also important to note that Pershing spends a significant amount of time and money each year on protecting its systems in an environment of evolving and increasing security threats.