KyleKlingler

What To Do About the Heartbleed Virus

Here is a better one for a blog entry. Feel free to make any edits.

Some photographers have an IT resource, some don't. If you have been on any news site, you have doubtless seen something on the Heartbleed vulnerability. If you want details on the specifics of how it works, see heartbleed.com (I think it is funny that the site doesn't use SSL). The important item to remember (so far) is that the company that owns the server must take action; you can't fix whether they have Heartbleed or not.

Here are my top ten observations and suggestions.

1. Don't change your password yet. Give it another week or so and then start changing your passwords. The BIG sites like Google, Amazon, etc. have been updating their servers and they aren't out of the woods yet. This hole not only lets people get your info, it also lets them get the key to the server. So the big sites have to update both their software and their certificates, no easy task.

By the time you change your password you'll probably get another email saying to change it because they just finished fixing all the problems. So just wait for a bit and then change it.

2. So far it is as bad as they say. OpenSSL is like Windows on almost everyone's PC. If you have a PC, you likely have Windows. If you have a website that uses SSL, you likely have OpenSSL. Thus far everyone is focused on fixing the servers, which is very important. That is where the malware will be a problem. Just like with any good strategy, you go to where you will find the most targets, in this case the servers... for now.

What is worse is that it appears as though some programs are impacted as well. OpenSSL can be an ingredient within a larger program. No one knows the full extent yet. The hackers are putting up code to break into stuff as fast as they can find more places that OpenSSL is being used.

3. Do you run your own site? Do you take payments? It gets complicated when you have a hosted site (think WordPress or somewhere you just FTP files) vs. a server (like AWS or Google) and then add the additional services on top of that for payments and other features. Check out any sites you own and any that you use for services to verify they pass the test below.

4. If you are curious about a website, including your own, there are many tools out there. This is the easiest one I have found: http://filippo.io/Heartbleed

If you want some geek-cred you can check out https://www.ssllabs.com/. They have multiple tools that will give you a grade on your SSL products.

5. Always update your Adobe products. Apps like Adobe Flash and Adobe Acrobat Reader are major malware platforms. They are the absolute worst. If your computer asks you to update, always do it. I've only ever gotten two infections on my workstations and they both came from PDFs.

6. Did I mention always update your Adobe products? Always update your Adobe products.

7. If you are going to change your password, which you should do eventually, consider using a password locker so that you don't have to remember all of them. I use 1Password (https://agilebits.com/onepassword) but there are many others out there. This way you can make a new "strong" password without having to remember it. Security guys will tell you to have a different password for every site. I don't disagree, but not many people can remember that many passwords. There is no perfect solution so you just have to do the best you can.

8. Stop taking selfies. This is known to spread Heartbleed because stretching your arm too far from your face to take a picture of yourself can cause arterial damage.

9. Just kidding about the selfies. But not really. I hate it when I try to take one and my arm looks like it is attached to my ear or I have very bad posture. If you do need to take a selfie the WSJ has some pointers (http://online.wsj.com/news/articles/...90992373514040). Besides I needed some filler to make it to #10.

10. If your computer is still running Windows XP, upgrade to Windows 7. Support for XP just ended this week. If there is an issue in XP it won't be patched. If you can't upgrade, make sure your anti-virus software is updated.

If you are interested in reading what the geeks are saying, check out these links.
http://serverfault.com/questions/587...to-mitigate-it

http://security.stackexchange.com/qu...er/55087#55087

http://askubuntu.com/questions/44470...160-in-openssl

https://security.stackexchange.com/q...-to-heartbleed
