


[Update: April 9, 2014] – It seems even the Canadian Federal Government is vulnerable. As we stated yesterday, we fully expect that the next few days will see some major announcements similar to this. The fallout from this very large vulnerability will continue for a long while to come.
http://www.cbc.ca/news/business/revenue-canada-shuts-website-to-head-off-heartbleed-bug-1.2603742
Original Article:
Today is not a good day to be in the IT security industry. OpenSSL, a massive player in the security of a large number of sites on the internet, has a problem. A bug was discovered where, effectively, usernames and passwords that were thought to be secure and private were not. There is a mad rush on to patch everything, because the “fuse” on the bomb that is this bug has now been lit, as it has been patched and published.
Normally, this would be a bad thing in itself. This time it is different, very different.
This time, not only are the passwords and usernames “compromised”, but there is not even a single trace that they have been compromised. Sites and devices that are not patched will continue to be vulnerable, and the free-for-all to exploit this bug has just begun.
It's like someone just looks at the key to your house and makes a copy without you knowing.
Then they are invisible and have been in your house watching you sleep, and you had no idea they were there. All your locks still worked and there was no sign anyone was in your house.
To make matters worse, not even the “police” or a “security expert” would be able to tell that someone was in your house, because they have a key, are completely invisible, and left no trace that they were there.
Perhaps they moved things on the shelf, or perhaps things went “missing” but you thought it was something else.
Oh, and they may have been doing it for the last two years.
Today someone showed every “bad person” how to make a “key” and do the same thing.
That is scary stuff. Very scary stuff, because most people “recycle” their passwords. They use the same password for their email, banking, Facebook, everything. Once someone has your email password, they get the rest through “forgot password” retrieval services. Our recommendation: change your passwords, and change them now. If you use Hotmail, Gmail, or anything else and have a mobile phone, add “mobile phone authentication”. Have a separate password for your email account that you use NOWHERE else, not at a bank, not anywhere, and that you NEVER give out to anyone. That password needs to have at least 1 upper case letter, one number, and at least two special characters (if possible).
This recent issue shows that no matter how secure you think your information is, you are one “Heartbeat” away from compromise. If anyone, professional or otherwise, tells you that you can be 100% secure, 100% of the time, then they don’t understand security. IT security is about managing risk, and it is ever changing. What is claimed to be 100% secure today might give you a “Heart Attack” tomorrow.
If you want to read more check out:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
We will only know the real damage this has caused in the days that follow. Routers, websites, databases, phones, and operating systems will need to be patched to address the issue. Having the most up-to-date software and devices will fix this issue for your business. If you need help with that, please contact us and we can help you through the process at reasonable rates.





