Tag: Heartbleed

13 May 2014

One Month After Heartbleed, Are You Still Vulnerable?

Despite a month having passed since the disclosure of the Heartbleed bug, many websites are still vulnerable to having sensitive information exposed. Recent reports put the number of servers still vulnerable to Heartbleed at over 300,000; while this is a significant drop since the bug was disclosed, such numbers are still concerning, especially because it can be difficult to tell whether the web services you use are still vulnerable.

Even sites that have taken action to protect against Heartbleed may still be vulnerable. A report this week found that while many sites had taken the appropriate step of revoking and reissuing their SSL certificates, over 30,000 sites had obtained new certificates for the same private key. Notably, this includes several Canadian government agencies. Since Heartbleed could expose the private key itself, a new certificate issued for a compromised key offers no protection: anyone holding the leaked key can still impersonate the site. The correct sequence is to patch first (otherwise the replacement key can leak the same way), then generate a new key pair, obtain a certificate for it, and revoke the old one.
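The check behind that report, written out as an added example (not code from the original post): it compares the SubjectPublicKeyInfo fingerprints of an old and a reissued certificate, using a minimal DER walker so it needs only the Python standard library. The certificates it is run on are constructed, unsigned skeletons with the real tbsCertificate field order, not real certificates; a genuine DER certificate is parsed the same way.

```python
"""Does a reissued certificate still carry the old (possibly leaked) public key?

Added example; not code from the original post. If the old and the new
certificate share a SubjectPublicKeyInfo (SPKI) fingerprint, the site kept
the key that Heartbleed may have exposed. The certificates at the bottom are
CONSTRUCTED, unsigned skeletons with the real tbsCertificate field order.
"""
import hashlib


def der(tag, value):
    """Encode one DER element (definite-length form)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def der_int(n):
    """DER INTEGER; the extra byte guarantees a leading 0x00 for positive values."""
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _length(buf, i):
    """Parse the length of the element at buf[i]; return (header_len, value_len)."""
    first = buf[i + 1]
    if first < 0x80:
        return 2, first
    k = first & 0x7F
    return 2 + k, int.from_bytes(buf[i + 2:i + 2 + k], "big")


def children(tlv):
    """Split a constructed element (SEQUENCE, [0], ...) into its child elements."""
    hdr, n = _length(tlv, 0)
    body, out, i = tlv[hdr:hdr + n], [], 0
    while i < len(body):
        h, ln = _length(body, i)
        out.append(body[i:i + h + ln])
        i += h + ln
    return out


def spki_fingerprint(cert_der):
    """Hex SHA-256 over the DER SubjectPublicKeyInfo of a certificate."""
    tbs = children(cert_der)[0]            # Certificate ::= SEQ { tbsCertificate, sigAlg, sig }
    fields = children(tbs)
    i = 1 if fields[0][0] == 0xA0 else 0   # EXPLICIT [0] version is optional (absent in v1)
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return hashlib.sha256(fields[i + 5]).hexdigest()


def key_reused(old_cert_der, new_cert_der):
    """True when the new certificate was issued for the same public key."""
    return spki_fingerprint(old_cert_der) == spki_fingerprint(new_cert_der)


# ---- constructed test certificates (NOT real, NOT signed) ----
RSA_ENCRYPTION = bytes.fromhex("06092A864886F70D010101")    # OID 1.2.840.113549.1.1.1
SHA256_WITH_RSA = bytes.fromhex("06092A864886F70D01010B")   # OID 1.2.840.113549.1.1.11
EMPTY_SEQ = der(0x30, b"")                                  # stands in for Name / Validity


def rsa_spki(modulus, exponent=65537):
    alg = der(0x30, RSA_ENCRYPTION + der(0x05, b""))
    pub = der(0x30, der_int(modulus) + der_int(exponent))
    return der(0x30, alg + der(0x03, b"\x00" + pub))        # BIT STRING, 0 unused bits


def skeleton_cert(serial, spki):
    sig_alg = der(0x30, SHA256_WITH_RSA + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(serial) + sig_alg
              + EMPTY_SEQ + EMPTY_SEQ + EMPTY_SEQ + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00"))    # empty signature placeholder


OLD_MODULUS = (1 << 2047) | 0xC0FFEE01                       # constructed 2048-bit value
NEW_MODULUS = (1 << 2047) | 0xDECAF001
OLD_CERT = skeleton_cert(0x1001, rsa_spki(OLD_MODULUS))
REISSUED_SAME_KEY = skeleton_cert(0x1002, rsa_spki(OLD_MODULUS))  # what the 30,000 sites did
REISSUED_NEW_KEY = skeleton_cert(0x1003, rsa_spki(NEW_MODULUS))   # the right remediation

if __name__ == "__main__":
    print("same key after reissue:", key_reused(OLD_CERT, REISSUED_SAME_KEY))  # True
    print("same key after rekey:  ", key_reused(OLD_CERT, REISSUED_NEW_KEY))   # False
```

For real certificates, convert each to DER first (`openssl x509 -in cert.pem -outform DER -out cert.der`) and pass the file contents to `spki_fingerprint`. Hashing the SPKI rather than the whole certificate is deliberate: serial number, validity dates and signature all change on reissue, but the SPKI changes only when the key does.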

While Echoworx was never vulnerable to Heartbleed and the major services have been patched, you should remain aware that other websites you use may still be vulnerable and exposing your personal information. If you have yet to take action regarding Heartbleed, read our previous guide to personal security for important steps.

24 Apr 2014

Heartbleed – A Step by Step Approach to Your Personal Security

As we know by now, Heartbleed is a bug in OpenSSL's implementation of the TLS heartbeat extension. A heartbeat is a keep-alive: one side sends a short message carrying a payload and its declared length, and the other side echoes the payload back to show that it is still active and listening for requests. Vulnerable versions of OpenSSL trusted the declared length without checking it against the size of the message actually received, so a tiny message claiming a large payload was answered with up to 64 KB of whatever happened to sit next to it in server memory, which could include session cookies, passwords and the server's private key. This dangerous bug should remind us all that we really need to be careful with the passwords we use regularly for our most popular sites. OpenSSL is used by hundreds of thousands of web servers all around the world, including most of your favorite websites.
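The length-handling mistake described above, modelled in Python as an added example (not code from the post or from OpenSSL itself): a vulnerable and a patched heartbeat handler are run over the same constructed byte buffer standing in for server memory, with the bounds check taken from the OpenSSL 1.0.1g fix.

```python
"""Model of the Heartbleed bug (CVE-2014-0160); an added example, not code
from the original post or from OpenSSL.

A TLS heartbeat message (RFC 6520) is laid out as
    type (1 byte) | payload_length (2 bytes) | payload | padding (16 bytes)
and the receiver echoes the payload back. Vulnerable OpenSSL (1.0.1 to
1.0.1f) copied payload_length bytes from the payload WITHOUT checking that
many bytes had actually arrived, so a request declaring a 16 KB payload but
carrying 2 bytes was answered with whatever followed it in the heap.
`make_heap` builds a constructed bytearray standing in for server memory.
"""
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16
HEADER = struct.Struct("!BH")                   # type, payload_length (big-endian)

# Constructed stand-in for unrelated data sitting next to the record in memory.
SECRET = b"Cookie: session=1f9d2c...; -----BEGIN RSA PRIVATE KEY-----"


def build_heartbeat(payload, declared_length=None):
    """Build a heartbeat request; a lying declared_length is the attack."""
    if declared_length is None:
        declared_length = len(payload)
    return HEADER.pack(HB_REQUEST, declared_length) + payload + b"\x00" * PADDING


def make_heap(record):
    """Constructed process memory: filler, the received record, then secrets."""
    filler = b"\x00" * 32
    return bytearray(filler + record + SECRET), len(filler)


def vulnerable_respond(heap, offset, record_length):
    """Pre-fix behaviour: trust the declared payload length."""
    hb_type, declared = HEADER.unpack_from(heap, offset)
    if hb_type != HB_REQUEST:
        return b""
    payload_start = offset + HEADER.size
    # BUG: memcpy(bp, pl, payload) reads `declared` bytes regardless of record_length.
    # (A real server reads past the record into live heap; this slice stops at the
    # end of the constructed buffer.)
    echoed = bytes(heap[payload_start:payload_start + declared])
    return HEADER.pack(HB_RESPONSE, declared) + echoed + b"\x00" * PADDING


def patched_respond(heap, offset, record_length):
    """1.0.1g fix: silently drop requests whose declared length does not fit."""
    hb_type, declared = HEADER.unpack_from(heap, offset)
    if hb_type != HB_REQUEST:
        return b""
    if 1 + 2 + declared + PADDING > record_length:   # the added bounds check
        return b""
    payload_start = offset + HEADER.size
    echoed = bytes(heap[payload_start:payload_start + declared])
    return HEADER.pack(HB_RESPONSE, declared) + echoed + b"\x00" * PADDING


def echoed_payload(response):
    """Extract the echoed payload from a heartbeat response (empty if none)."""
    if not response:
        return b""
    declared = HEADER.unpack_from(response, 0)[1]
    return response[HEADER.size:HEADER.size + declared]


def demo():
    """Return (bytes leaked by the vulnerable handler, bytes echoed by the patched one)."""
    attack = build_heartbeat(b"hi", declared_length=0x4000)  # claims 16 KB, sends 2 bytes
    heap, offset = make_heap(attack)
    leaked = echoed_payload(vulnerable_respond(heap, offset, len(attack)))
    safe = echoed_payload(patched_respond(heap, offset, len(attack)))
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable handler leaked the secret:", SECRET in leaked)   # True
    print("patched handler echoed:", safe)                             # b''
```

The patched handler still answers honest heartbeats normally; only the request whose declared length exceeds what was actually received is dropped, which is exactly the behaviour the fix introduced.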

I would recommend using something like Evernote or Google Keep to make a list of all of your important websites and accounts. Some of the major websites that were affected by Heartbleed include: Facebook, Instagram, Tumblr, Yahoo, Yahoo Mail, Netflix, Dropbox, Flickr, and many more. If you are like me, you use at least one of these services. If you can't remember which sites you have visited, you can always look at the History in your browser to remind you.

Once you have made a list of your favorite websites, it is a good idea to check which of them have been affected by Heartbleed using one of the many Heartbleed checkers out there. My personal favorite is Chromebleed, which is a Chrome extension. If you don't use Chrome and Chrome extensions, then this Heartbleed test is a good checker as well.

Now that you know which of your favorite websites were affected by Heartbleed, go ahead and change your passwords, but only once a site has confirmed that it has patched and replaced its certificate; a new password sent to a still-vulnerable server can leak just like the old one. I do not recommend using the same password for all your favorite websites. I know this seems convenient, but it is definitely not a secure approach. Instead, use something like Dashlane or LastPass to create and manage complex passwords across all your devices. My personal favorite is Dashlane. Check out our previous post on password tips for more suggestions.

10 Apr 2014

Ahead of the Game in the Aftermath of the OpenSSL Fiasco


One of my favorite quotes from the movie Spy Game, starring Robert Redford, goes like this:

“When did Noah build the ark? Before the rain.”

A valuable lesson to learn from the aftermath of Heartbleed is that, in spite of FIPS 140-2 certification, security libraries such as OpenSSL are software built by people who make mistakes. Certification covers the cryptographic module and its algorithms, not the protocol code wrapped around it, and Heartbleed lived in that protocol code.

A sensible safeguard for SSL that limits the damage of a zero-day vulnerability such as Heartbleed is Perfect Forward Secrecy (PFS), which prevents a compromise of the server's SSL private key from affecting the confidentiality of past communications. With PFS the server's long-term key is used only to authenticate the handshake, while each session's keys come from an ephemeral Diffie-Hellman exchange (DHE or ECDHE) whose secrets are discarded when the session ends. With plain RSA key exchange, by contrast, the client encrypts the session's premaster secret to the server's public key, so anyone who records traffic and later obtains the private key can decrypt all of it. PFS does not, however, stop a leaked key from being used to impersonate the site, and it does nothing about session keys or plaintext that Heartbleed could read directly out of memory, so the key still has to be replaced. The Electronic Frontier Foundation recently illustrated more technical details on why PFS is so important.
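The difference PFS makes, as an added toy example (not code from the post): a recorded RSA-key-transport handshake and a recorded ephemeral Diffie-Hellman handshake are each replayed against an attacker who later obtains the server's private key. The RSA key, the DH group and the hash-based key derivation are toy stand-ins chosen for this example, not real TLS parameters.

```python
"""Why forward secrecy matters when a long-term key leaks: an added example
with toy parameters, not code from the original post.

Two simplified handshakes are recorded by a passive attacker who LATER
obtains the server's long-term private key (as Heartbleed allowed):

  RSA key transport (no PFS): the client encrypts the premaster secret with
  the server's public key. Private key + recording = every session key.

  Ephemeral Diffie-Hellman (PFS): the long-term key only SIGNS the server's
  ephemeral value. The session key is g^(ab) mod p; a and b are discarded
  after the handshake, so the recording plus the leaked key yields nothing
  to decrypt with. The leaked key does still let the attacker FORGE
  signatures, i.e. impersonate the server, which is why it must be replaced.

The RSA key and DH group below are tiny toys and textbook (no padding);
real deployments use 2048-bit+ RSA and 2048-bit+ DH or ECDHE groups.
"""
import hashlib
import secrets

# Toy long-term RSA key of the server (small primes; illustration only).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (Python 3.8+)

# Toy DH group: the Mersenne prime 2^127 - 1 with generator 2 (illustration only).
DH_P = (1 << 127) - 1
DH_G = 2


def session_key(shared_secret):
    """Derive a session key from the shared secret (stand-in for the TLS PRF)."""
    return hashlib.sha256(shared_secret.to_bytes(32, "big")).hexdigest()


def _digest_mod_n(value):
    return int.from_bytes(hashlib.sha256(value.to_bytes(32, "big")).digest(), "big") % N


def sign(value, d=D):
    """Textbook RSA signature over SHA-256(value)."""
    return pow(_digest_mod_n(value), d, N)


def verify(value, signature):
    return pow(signature, E, N) == _digest_mod_n(value)


def rsa_key_transport(transcript):
    """Client picks the premaster secret and RSA-encrypts it to the server."""
    premaster = secrets.randbelow(N - 2) + 2
    transcript["encrypted_premaster"] = pow(premaster, E, N)   # what the wire carries
    return session_key(premaster)


def ephemeral_dh(transcript):
    """Both sides pick fresh exponents; the server signs its public value."""
    a = secrets.randbelow(DH_P - 2) + 1          # client ephemeral, never leaves the client
    b = secrets.randbelow(DH_P - 2) + 1          # server ephemeral, never leaves the server
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    transcript["client_pub"], transcript["server_pub"] = A, B
    transcript["signature"] = sign(B)            # long-term key authenticates B only
    client_key = session_key(pow(B, a, DH_P))
    server_key = session_key(pow(A, b, DH_P))
    assert client_key == server_key
    del a, b                                     # ephemeral secrets are discarded here
    return client_key


def attacker_with_leaked_key(transcript, leaked_d):
    """What a recording plus the leaked private key gives the attacker."""
    if "encrypted_premaster" in transcript:     # RSA key transport: full decryption
        premaster = pow(transcript["encrypted_premaster"], leaked_d, N)
        return session_key(premaster)
    # DHE: the transcript holds only g^a, g^b and a signature. Without a or b the
    # session key is not derivable (for real group sizes); the leaked key buys the
    # attacker only the ability to sign, i.e. to impersonate the server from now on.
    return None


if __name__ == "__main__":
    rsa_transcript, dhe_transcript = {}, {}
    rsa_key = rsa_key_transport(rsa_transcript)
    dhe_key = ephemeral_dh(dhe_transcript)
    # ... later, the private exponent D leaks ...
    print("RSA session recovered:", attacker_with_leaked_key(rsa_transcript, D) == rsa_key)
    print("DHE session recovered:", attacker_with_leaked_key(dhe_transcript, D) == dhe_key)
    print("forged signature accepted:", verify(12345, sign(12345, D)))
```

The last line is the caveat from the paragraph above in code: forward secrecy protects the recorded sessions, but the leaked key still signs, so the certificate and key must be replaced regardless of which key exchange was in use.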

While very few websites had enabled PFS before Heartbleed, Echoworx did so for all of our secure websites a long time ago. In my opinion, it should be a basic requirement for all secure websites from now on.

After the rain starts, it is too late.