Thursday, April 10, 2014

Alert: Heartbleed bug hit the press on Monday and involves an exposure with OpenSSL.

I was in an Amazon seminar yesterday where the Chief Technical Officer let the audience know they are keeping customers informed and had or were patching their systems. I decided to investigate.

The site was set up by the researchers who discovered the bug, so it is a good reference compared with the general media. The general media, however, will be better at listing the services people actually use. For example, the site has a good list of services affected.

One of my concerns is that people may not be aware of devices they use that may or may not be exposed. For example, I have an ADSL router, as do most households, and I've noticed that companies such as Netcomm and DLink use open source in their routers. My ADSL modem/router has been in the home for some time. I wondered when the issue started.

From the site we can see the bug was introduced in December 2011 and released in March 2012.

'Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.'
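The quoted dates give a concrete version range to check against: anything reporting OpenSSL 1.0.1 through 1.0.1f is in the affected window, and 1.0.1g or later carries the fix. The following Python is an added example (not from the original post or from the Heartbleed researchers) that parses the banner printed by `openssl version` and flags builds inside that range, so an inventory of routers and servers can be triaged. The inventory entries are constructed sample data. One caveat a practitioner should keep in mind: some Linux distributions backport the fix without changing the upstream version letter, so a version-string check can report a patched build as affected and should be confirmed against the vendor's advisory.

```python
import re

# Affected range taken from the researchers' statement quoted above:
# introduced in OpenSSL 1.0.1 (14 March 2012), fixed in 1.0.1g (7 April 2014).
# Versions are compared as (major, minor, fix, patch_letter) tuples; an empty
# patch letter sorts before "a", so 1.0.1 < 1.0.1a < ... < 1.0.1g.
FIRST_AFFECTED = (1, 0, 1, "")
FIRST_FIXED = (1, 0, 1, "g")

# Matches banners such as "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.1e-fips ...".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Parse `openssl version` output into (major, minor, fix, letter).

    Returns None when the text does not look like an OpenSSL version banner.
    """
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    major, minor, fix, letter = match.groups()
    return (int(major), int(minor), int(fix), letter)


def is_heartbleed_version(banner):
    """True if the banner reports 1.0.1 through 1.0.1f, False if outside that
    range, None if the banner could not be parsed.

    Note: distributions that backport the fix may keep an older version letter,
    so a True result is a reason to check the vendor advisory, not a final verdict.
    """
    version = parse_openssl_version(banner)
    if version is None:
        return None
    return FIRST_AFFECTED <= version < FIRST_FIXED


def triage(inventory):
    """Given {device_name: banner}, return the names whose banner is in the
    affected range, so they can be prioritised for patching or vendor follow-up."""
    return sorted(name for name, banner in inventory.items()
                  if is_heartbleed_version(banner))


# Constructed sample inventory (hypothetical device names and banners).
SAMPLE_INVENTORY = {
    "home-adsl-router": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-server-01": "OpenSSL 1.0.1g 7 Apr 2014",
    "old-nas": "OpenSSL 1.0.0k 5 Feb 2013",
    "unknown-box": "banner unavailable",
}

if __name__ == "__main__":
    for name, banner in SAMPLE_INVENTORY.items():
        print(f"{name:18} {banner:32} affected={is_heartbleed_version(banner)}")
    print("prioritise:", triage(SAMPLE_INVENTORY))
```

Run it as-is to see the sample triage, or replace `SAMPLE_INVENTORY` with banners collected from your own devices; an unparseable banner (a router that hides its library version) returns `None` rather than `False`, so it is not silently treated as safe.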

The site has a good list of services which may have been compromised. Keep in mind if hackers have been recording data then past data could be used.

The lesson here is that you should be using different passwords for different services, so that if one site has an exposure, the rest of the services you use are not exposed with it. Changing your password is a good idea, but keep in mind that if you're using a single password across sites and one of those sites is still compromised, then your credentials could still be compromised.

Kelvin Eldridge
