Oregon Computer Solutions' Alert

April 11, 2014
Steve Shank
Keeping clients' computers safe and profitable for over 25 years
Because of the seriousness and the panic surrounding this vulnerability, I've decided to send out an emergency alert to my email newsletter clients regarding the Heartbleed vulnerability.

Heartbleed Vulnerability. What is it? What to do?

What is it?

A very commonly used secure connection protocol has had a flaw for years that was recently discovered and made public. The flaw allows a miscreant to jump into the server using that protocol and capture about 25 pages of information. They can keep jumping in and grabbing lots of 25 page clumps.

So what?

If your email and password was in one of those clumps, then they have your login credentials. Also, if the certificate code that verifies that the host is in the clump, then they can impersonate the host server.

Why is it so bad?

On Monday the exploit was made public. Before that, major players like Google and Yahoo didn't even know about it. Normally, the flaws are revealed to the people who can fix them before being made public, so there is time to fix it. This time, the miscreants found out about it at the same time as the server hosts. Later on Monday, the code was posted so that any miscreant could search for servers with the vulnerability and exploit it before the legitimate players had time to patch it.

What to do?

The Biggest danger

We will need to change some passwords and do some other things, but the biggest problem will probably come from the panic and miscreants taking advantage of the panic. I expect a deluge of miscreant attacks on scared users:

Be paranoid. Be really really paranoid about these kinds of solicitations.

Who is vulnerable, A Short list for my clients: Change your passwords on these sites

Who is not vulnerable, A short list for my clients: You don't need to change these passwords

Good Lists of sites vulnerable and not:

Test Sites

You can enter a domain and get results regarding its current and past vulnerability

Checking your browser

Because the Site SSL certificates could have been compromised, it is potentially possible that a villainous site could impersonate your vendor's credentials and fool you if they could get you onto their site. So, virtually everyone of them is revoking their current credentials and getting new ones. But this is only helpful if your browser checks. Here is how to make sure Firefox and Chrome check:

Options/ Advanced/ Certificates/ Validation - Make sure Use online Certificate Status ... is checked