Heartbleed Bug [UPDATED]

Posted Apr 10, 2014, 10:30 AM by Shawn Kohrman [updated Apr 10, 2014, 11:51 AM]

You may have read in the news about a web security flaw known as the ‘Heartbleed’ bug. Heartbleed affects the encryption technology designed to protect online activities such as commercial emailing, banking, and online shopping. It only affects websites that use OpenSSL.
 
We would like to inform the APU Community that IMT is aware of the Heartbleed bug and has been actively scanning and updating our servers, where appropriate, to address any vulnerabilities.
 
The good news is that a very small percentage of our servers use OpenSSL, and we have determined that GMail and Google Apps are not affected by Heartbleed.
 
We continue to ensure the University’s data is protected and we will keep the community updated.

How to protect yourself from the "Heartbleed" security bug

Change your online passwords -- all of them

"I would change every password everywhere because it's possible something was sniffed out," said Wolfgang Kandek, chief technology officer for Qualys, a maker of security-analysis software.

And follow these guidelines for choosing secure passwords. Don't use common words or a string of consecutive numbers. Experts recommend passwords be at least eight characters long, using a combination of letters, numbers and symbols. Avoid using the same user name and password for multiple sites.

Make sure Web services you use have updated their security

Changing your passwords won't do any good, experts explained, until the affected Web services install software to fix the problem. They would then need to alert their users to the potential risks, and let them know when the Heartbleed fix has been installed so they can change their passwords.

Fortunately, "many of the biggest and most important services have already been patched and fixed," Mandiant Security senior consultant William Ballenthin tells CBS News. "I've already received notices from Google and Amazon and Yahoo that they identified the issue last week and they've already fixed it."

CNET advises Web users to check the security of individual sites here, though it warns that caution is still warranted even if the site has an "all clear" indication. If you're given a red flag, avoid the site for now.

Yahoo Inc., which boasts more than 800 million users worldwide, is among the Internet services reportedly compromised by Heartbleed. Yahoo says most of its most popular services -- including sports, finance and Tumblr -- have been fixed, but work was still being done on other products that it didn't identify in a statement Tuesday.

"We're focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users' data," Yahoo said.

CNET reports that other major Web services, including Facebook, Google and Twitter, did not appear to be compromised -- but as Chartier points out, it's hard to know for sure.

Keep an eye on your credit card statements

Just in case your data was breached, check your financial statements and report any suspicious activity to your credit card company.

Be cautious of smaller Web sites

Despite the worries raised by the Heartbleed bug, Codenomicon said many large consumer sites aren't likely to be affected because of their "conservative choice" of equipment and software. "Ironically, smaller and more progressive services or those who have upgraded to (the) latest and best encryption will be affected most," the security firm said in a blog post.

Although it may take months for smaller sites to install the Heartbleed fix, Chartier predicts all the major Internet services will act quickly to protect their reputations.

In the meantime, Ballenthin says, there's no need to panic. "I think really you just need to be aware that the issue's out there, and when [a Web site] asks you to reset your password, or change some settings, go ahead and do it as soon as you can." 
 
If you have any questions, please don’t hesitate to contact the Support Desk.

References
http://heartbleed.com/
http://www.cbsnews.com/news/how-to-protect-yourself-from-the-heartbleed-security-bug/
http://www.engadget.com/2014/04/09/google-heartbleed-patch-info/