“An encryption flaw called the Heartbleed bug is already being called one of the biggest security threats the Internet has ever seen. The bug has affected many popular websites and services — ones you might use every day, like Gmail and Facebook,” says this Mashable article.
This thing MUST be serious; it has its own domain – http://heartbleed.com/
On the consumer side
In short, take a look at the list of sites affected on the Mashable list, and run change your passwords now-now-now. It wouldn’t hurt to pay attention to your bank and credit card statements for the next, oh, forever, as this vulnerability “could have quietly exposed your sensitive account information …over the past two years“. Emphasis mine.
I’ve run right out and changed my Twitter, Dropbox, Pinterest, Gmail, YouTube, and half a dozen other passwords (now that the underlying systems are patched). Go thou, and do likewise.
In the IT sphere
Pingsense.com says “If you are running Linux and are using SSL could be affected by this issue and should upgrade to a fixed version as soon as possible.” OpenSSL.com reports “Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.”
There are some Amazon AWS Services vulnerabilities I want to draw your attention to them, in case your company has any Amazon AWS in the works (or any customers with Amazon AWS).
We at least don’t have to worry about Azure. “Windows comes with its own encryption component called Secure Channel (a.k.a. SChannel), which is not susceptible to the Heartbleed vulnerability.” (Via MSDN.)
Microsoft Account and Microsoft Azure, along with most Microsoft Services, were not impacted by the OpenSSL vulnerability. Windows’ implementation of SSL/TLS was also not impacted.
This is by no means a comprehensive list of the dangers and impacts of this virus. I will add to this article as I find out more information.
Feel free to copy this article for your own blog, publication, or press release, as long as you link back to this site. I’m all about the creative commons share-alike attribution!
Further reading
- NetCraft: Heartbleed certificate revocation tsunami yet to arrive
- MSDN: Information on Microsoft Azure and Heartbleed
- CNET: Which sites have patched the heartbleed bug
- PluralSight: What you need to know
- The Hacker News: How Heartbleed bug exposes your passwords to hackers
Thanks to @sqlagentman, Mashable.com and others for spreading the word.
– Jen McCown
