posted Apr 13, 2014, 5:33 PM by Unknown user
updated Apr 13, 2014, 5:34 PM
I am sure by now you have heard of a nasty little critter affecting websites around the globe called "Heartbleed." Because of the potential security threat and compromise of your credentials or other important information, I thought it would be wise to provide some understanding for you. The following information is NOT original with me but was received from a trusted and reputable source.
What is Heartbleed?
Heartbleed is a problem in OpenSSL, a software library that is used by most websites to secure your communication using SSL. It provides the S in HTTPS, or if you prefer, it’s what’s responsible for the padlock icon in your browser’s URL bar while browsing the web.
Normally when browsing a site using SSL, you can trust that the information you send to the website can only be seen by the website itself. This keeps your private information, such as credit cards, usernames, and passwords, secure.
The Heartbleed exploit enables attackers to bypass the protections provided by SSL. This means any information you sent to a website that relied on vulnerable versions of OpenSSL could potentially already be in the hands of the bad guys.
What should be your Response? Update Your Passwords...
The knee jerk reaction to this news is to change all your passwords immediately. While I will do recommend you change your passwords, not all websites have been updated yet to protect against this vulnerability.
So, the best advice I can give you is to change your most important website passwords immediately, including your email, bank accounts, and other high value targets. This will provide your best defense against previous attacks.
After a few weeks, websites will have been upgraded with new SSL certificates, and you will be able to trust SSL again. At this point you should change all of your passwords again.
While I know that it is extremely inconvenient to change your passwords and then have to remember new ones, Heartbleed is a very real and very serious threat so I hope you will take the time needed to update your passwords.
Steps to take...
You should first note that not all web sites were affected by Heartbleed. You should also note that of those affected, not all have fixed the situation yet but most are in the process of doing so. Faith Academy Information Technology Services recommends that you take intentional yet cautious approach.
Check sites you are concerned about. There are a couple ways to do this:
- Visit this page and check to see if the site was affected and what is recommended. If you don't see your site on this link...
- Visit this page and check to see if the site is vulnerable. If you still don't find your site...
- Visit this page. Enter your domain name and click GO. This site will test the system right now for the vulnerability.
For sites that were affected but not yet patched...
- If you use this site on a daily / weekly basis, consider changing your password. Note however, that if the system has not been fixed/patched, changing your password may allow someone who is watching that server/system to gain knowledge of your credentials and information. If you do change your password, you should continue to monitor the status of this server/system. Once it is patched, you should immediately change the password again.
- If you use this site more infrequently and have NOT signed into it for more than 2 weeks, simply be patient. First, your credentials and information may not even be at risk, as this vulnerability has just been identified. Monitor the server/system. Once it is patched, it is recommended that you change your password, just to be on the safe side.
For sites that were affected and have been patched...
- If you use this site on a daily/weekly basis, you should immediately change the password.
- If you use this site more infrequently and have NOT signed into it for more than 2 weeks, consider: First, your credentials and information may not even be at risk, as this vulnerability has just been identified. Since it has been patched, you may not need to take any action; but it is recommended that you change your password, just to be on the safe side.
Google has indicated that some of its service were indeed affected, including Gmail. While they have indicated that users do not need to change their password, the do recommend changing your password just to be better safe than sorry. Therefore, Faith Academy Information Technology Services encourages everyone at Faith to change your Google Apps (Gmail) account password as soon as possible to prevent the loss of information. While we are not mandating this change, we are strongly encouraging it.
If you have any questions, please contact the FITSquad.