Friday, April 11, 2014

The Heartbleed Of America

If you have been paying attention to the news in the last few days, you are likely aware of the "Heartbleed" vulnerability affecting secure Internet sites.

There are different implementations of the security layer websites use, so figuring out which sites are vulnerable can be tricky. The implementation at risk is OpenSSL, specifically versions 1.0.1 through 1.0.1f (the bug is tracked as CVE-2014-0160 and fixed in 1.0.1g). Not all sites use OpenSSL, and those that don't are not affected by this issue. The flaw lets a remote party read chunks of the server's memory, which may contain session data, passwords, and even the server's private key. SSL, short for Secure Sockets Layer (its successor is TLS, Transport Layer Security), is what keeps our communications with servers across the Internet secure. Any site that gives you a login and password should be using it.

Some websites you have an account with may send you an email telling you to change your password. Be advised that at times like this there is often an uptick in phishing emails, so do not click links in emails purporting to be from those sites; instead, go to the site directly by typing its address into your web browser (or autofilling it from your password manager). Phishing emails often look like the real deal, but their links take you to a spoofed site that steals your credentials.

You may be thinking, "What's the difference if my info has already been stolen?" The fact remains that it is unclear whether anyone's personal information has been compromised through the "Heartbleed" vulnerability, so it is important to remain careful in how you handle your online business. Smaller sites may be less attractive individual targets, but the bug is easy to scan for in bulk, and those are also the sites that may take longer to patch the problem.

It does no good to change your password for sites that are still vulnerable. The last thing you would want is to change your password for those sites now, only to have the new password stolen before the site was patched. My recommendation is to change your password on those sites that have indicated that they have patched the vulnerability. Note that updating OpenSSL alone is not the whole fix: because the bug could expose the server's private key, a site should also have reissued its certificate with a new key and revoked the old one. A certificate issued after the public disclosure (April 7, 2014) is a good sign that this happened; one issued earlier is a warning sign.
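As an added example (not code from the original post), the following script turns the rule above into a check you can run yourself: wait while the site is unpatched, and once it is patched, look at the date on the site's TLS certificate to judge whether the key was likely rotated. The function names, the advice strings and the sample dates are my own; whether a site is patched has to come from the site's own announcement, because that cannot be determined from the outside. The date heuristic is only that: a certificate reissued after disclosure could in principle reuse the old key.

```python
"""Added example (not from the original post): decide whether it is time to
change a password at a given site, following the post's rule that you should
wait until the site is patched, plus the certificate-date check described
above.

Heartbleed could expose a server's private key, so a patched server that kept
its old certificate may still be at risk. A leaf certificate issued on or after
the public disclosure date (April 7, 2014) is a good sign the key was rotated;
one issued earlier is a warning sign. The only live network call is in
fetch_not_before(); everything else runs offline on constructed input.
"""
import socket
import ssl
from datetime import datetime, timezone

# Public disclosure of CVE-2014-0160 (Heartbleed).
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_issued_after_disclosure(not_before: str) -> bool:
    """True if a certificate's notBefore is on or after the disclosure date.

    `not_before` uses the format ssl.getpeercert() returns, for example
    'Apr  9 12:00:00 2014 GMT'.
    """
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before),
                                    tz=timezone.utc)
    return issued >= HEARTBLEED_DISCLOSURE


def password_change_advice(site_patched: bool, not_before: str) -> str:
    """Combine the post's rule (wait for the patch) with the key-rotation check.

    Returns one of three hypothetical verdict strings:
      "wait"            - site still vulnerable; a new password could leak too
      "change-now"      - patched and certificate (so probably the key) reissued
      "change-but-warn" - patched, but the certificate predates disclosure,
                          so the private key may not have been rotated
    """
    if not site_patched:
        return "wait"
    if cert_issued_after_disclosure(not_before):
        return "change-now"
    return "change-but-warn"


def fetch_not_before(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to host over TLS, verify the chain, and return the leaf
    certificate's notBefore string. Live network call; not exercised offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notBefore"]


if __name__ == "__main__":
    import sys
    # Usage: python heartbleed_check.py example.com
    # Pass True only if the site itself has announced that it is patched.
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    nb = fetch_not_before(host)
    print(host, "certificate notBefore:", nb)
    print("advice if the site says it is patched:",
          password_change_advice(True, nb))
```

Run it against a hostname to see the certificate date; the verdict logic is separated from the network call so it can be tested on constructed dates.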

This Mashable article is fairly comprehensive in its list of popular sites with which you may have accounts. If a site is not listed there, you may need to go to the site itself for its security recommendation.

I am really disappointed that over 75% of the sites I have accounts with have failed to disclose information regarding this issue. Most companies have remained silent, saying absolutely nothing about this vulnerability. I find it egregious that many of the silent ones have no problem taking our money, but can't be bothered to acknowledge that this vulnerability exists. If they don't use OpenSSL, then why not just put out a statement saying they aren't vulnerable? I don't need to know what implementation of SSL they use, nor do I care. I simply want, and need, to know if I have a reason to change my credentials. I applaud those sites that have indicated, one way or the other, the risk involved.

I think this is a good time to suggest, again, the use of a password manager if you do not have one. When you change your passwords, length matters. So does randomness. And so does creating a unique password for every login you have. All of the best password manager tools can help you create really strong passwords. I recommend 18-character passwords (these days anything less than 13 is considered too short). For more information on passwords refer to my previous post: Pass The Word About Passwords
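As an added example (not code from the original post or from any particular password manager), here is how a manager generates the kind of password recommended above, and what the length recommendation buys you in bits. The 18-character default and 13-character floor come from the post; the function names and the printable-ASCII alphabet are my own choices. The one point the paragraph does not spell out is where the randomness comes from: it must be the operating system's cryptographic generator, not a general-purpose one.

```python
"""Added example (not from the original post): how a password manager builds
the strong, unique passwords the post recommends.

Design choice: `secrets` draws from the OS CSPRNG. `random.choice` is not
suitable, because Mersenne Twister output is predictable once an attacker
has seen enough of it.
"""
import math
import secrets
import string
from typing import Dict, Iterable

# 94 printable ASCII symbols: letters, digits and punctuation (my choice).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 13       # the post's "anything less than 13 is too short"
DEFAULT_LENGTH = 18   # the post's recommendation


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy for a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = DEFAULT_LENGTH, alphabet: str = ALPHABET) -> str:
    """Uniformly random password drawn with the OS CSPRNG via `secrets`."""
    if length < MIN_LENGTH:
        raise ValueError(f"length {length} is below the {MIN_LENGTH}-character floor")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def unique_passwords(sites: Iterable[str], length: int = DEFAULT_LENGTH) -> Dict[str, str]:
    """One fresh password per login: the post's third rule, reuse never."""
    return {site: generate_password(length) for site in sites}


if __name__ == "__main__":
    # Constructed site names for illustration only.
    for site, pw in unique_passwords(["bank.example", "mail.example"]).items():
        print(f"{site}: {pw}")
    print(f"13 chars ~ {entropy_bits(13):.0f} bits, 18 chars ~ {entropy_bits(18):.0f} bits")
```

Going from 13 to 18 characters over a 94-symbol alphabet adds roughly 33 bits, i.e. about eight billion times more guesses for a brute-force attacker.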
