HeartBleed Bug

Discussion in 'Technology Advice' started by Howerd, Apr 11, 2014.

  1. Howerd

    Howerd Well-Known Member Trusted Member Lifetime Member

    I cannot find any posts on British Filipino about this but given that so many members have an interest in such matters I thought I would have a go at writing this.

    The HeartBleed Bug is a very serious flaw identified in OpenSSL, which means your password to internet sites could have been intercepted despite the encrypted SSL connection. The flaw has existed for two years but was only announced on 7 April (yes, the 7th, not the 1st).

    It is believed that many major websites could have been hit by this bug, including Google, Gmail, Yahoo, Facebook and others, but there is conflicting information on whether the bug really caused a risk on these sites or, indeed, if criminals have even exploited this now proven flaw, since exploitation of the flaw is impossible to detect.

    Many websites that have a theoretical risk have updated their servers so the bug no longer exists and also updated their security certificates as even with servers free of the bug, it would have still been possible to decode future SSL communications if the security certificates were not updated as well.

    Although Yahoo has updated its servers and security certificates in the last three days, Google has only updated its servers and not the security certificates. This may be because it has, since the NSA revelations by Snowden, been using Perfect Forward Secrecy (PFS), which means that each new SSL connection uses new encryption keys. Without PFS, every SSL connection to a server uses the same encryption key until a new security certificate is issued.

    However, the general consensus is that you should change passwords on those sites that had been vulnerable to the HeartBleed Bug, but only after the bug has been removed by updating the OpenSSL software.

    How can you test websites for the HeartBleed Bug? Well, a number of websites have tools for testing this, and this is just one of them: https://lastpass.com/heartbleed/

    If you have a LastPass account where you have stored your passwords for auto logon to websites, you can do even better. Just choose the security check in the tools menu after clicking the LastPass icon, or log into the LastPass website and select Security check on the LHS. It will check all websites in your LastPass account, inform you of the Heartbleed status of each and every one, and advise you what action to take.

    If you have an Android device, you may want to install the following App to check that you don't have a vulnerable OS: https://play.google.com/store/apps/details?id=com.lookout.heartbleeddetector.

    The following Android app also checks for vulnerable apps: https://play.google.com/store/apps/details?id=com.bblabs.heartbleedscanner
    Last edited: Apr 12, 2014
  2. Anon04576

    Anon04576 Well-Known Member

    Hi Howerd, as you say no one mentioned it here, so I'm guessing they never thought it was worthy of note or had no dealings with the issue. From my perspective, we host a Windows 2012 server in our DMZ running a super lightweight web server called Abyss. Abyss requires minimal management and is a very simplistic installation in comparison to IIS. Abyss runs OpenSSL; unfortunately, the latest version of Abyss had a version of OpenSSL that had the Heartbleed bug. Aprelium are releasing a new version of said web server, but I haven't seen it yet. All was not lost, though: the Windows version had an easy fix, which was to replace the current versions of two DLLs, those being libeay32.dll and ssleay32.dll, with the latest release. Service restarted and voilà, server resolved. The worrying thing about the bug was that nothing was traceable, hence whatever has currently been compromised, we will never know. So a request for customers to renew passwords is good practice.

    <EDIT>
    Oh, I didn't mention: when I put the server live, I guess 6 or 7 years ago, I decided then that all communications would go through port 443 and nothing through port 80, regardless of what was passing through. Something that the big names (e.g. Google, FB etc.) have adopted quite recently, I guess due in part to Edward Snowden's revelations.

    There are a few services for confirming a web site's compliance with the bug, or not. Some were not reliable, not sure why, but I found the one provided by my SSL certificate provider to be reliable.

    https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp
    Last edited: Apr 12, 2014
  6. Anon04576

    Anon04576 Well-Known Member

    Interesting (for me at least) is this article. We hear about security vulnerabilities all the time; we then usually leave it to the wayside in the knowledge that some geeky team of developers will sort all our worries out.

    So, here is an explanation of the actual vulnerability

    http://i-programmer.info/news/149/7168.html

    A buffer overrun is a common exploitation technique (seemed like a weekly event in early IE releases), again something I hadn't really given much thought to, but the article reads well.
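The over-read the linked article describes, and the bounds check that fixes it, shown in code. This is an added example written for this thread, not OpenSSL's code and not taken from the article or from any poster. The message layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) is the TLS heartbeat format; the handler names, the "ping" request that claims a 32-byte payload while carrying 4, and the SECRET-COOKIE string placed in the memory just after it are all constructed for the demonstration. The vulnerable handler copies as many bytes as the peer claims, so the reply carries bytes that were never sent; the fixed handler applies the two length checks the OpenSSL 1.0.1g fix added and discards the request.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING  16   /* heartbeat messages carry at least 16 bytes of padding */

/* Builds the echo reply: copies `payload` bytes starting at the request's
 * payload, whatever memory that happens to cover, then appends padding.
 * Returns the reply length or -1 if it would not fit in out. */
static int build_response(const uint8_t *rec, uint16_t payload,
                          uint8_t *out, size_t out_cap)
{
    size_t resp_len = 3 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    memcpy(out + 3, rec + 3, payload);      /* trusts the peer's length field */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Handler shaped like the pre-fix logic (not OpenSSL's code): the 16-bit
 * payload length inside the message is never compared with rec_len, the
 * number of bytes that actually arrived. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap)
{
    (void)rec_len;                          /* the bug: real length ignored */
    if (rec[0] != HB_REQUEST)
        return -1;
    return build_response(rec, (uint16_t)((rec[1] << 8) | rec[2]), out, out_cap);
}

/* Hardened handler: a record too short to hold header plus padding, or whose
 * claimed payload does not fit in what was received, is discarded (returns 0). */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 + HB_PADDING)
        return 0;
    if (rec[0] != HB_REQUEST)
        return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (3 + (size_t)payload + HB_PADDING > rec_len)
        return 0;                           /* claimed length exceeds the record */
    return build_response(rec, payload, out, out_cap);
}

/* Constructed scenario (not a real capture): a 23-byte request whose header
 * claims a 32-byte payload but carries only "ping", followed in the same
 * memory region by a secret a previous request left behind. */
#define REAL_PAYLOAD     4
#define CLAIMED_PAYLOAD 32
static const char SECRET[] = "SECRET-COOKIE=abc123";

static size_t build_scenario(uint8_t *mem, size_t cap)
{
    size_t rec_len = 3 + REAL_PAYLOAD + HB_PADDING;   /* 23 bytes really received */
    memset(mem, 0, cap);
    mem[0] = HB_REQUEST;
    mem[1] = CLAIMED_PAYLOAD >> 8;
    mem[2] = CLAIMED_PAYLOAD & 0xff;
    memcpy(mem + 3, "ping", REAL_PAYLOAD);            /* bytes 7..22 stay zero: padding */
    memcpy(mem + rec_len, SECRET, sizeof SECRET);     /* adjacent memory, never sent */
    return rec_len;
}

/* Runs the vulnerable handler and copies out the echoed bytes that came from
 * beyond the received record, NUL-terminated. Returns how many there were. */
static int demo_leak(char *leaked, size_t leaked_cap)
{
    uint8_t mem[96], resp[96];
    size_t rec_len = build_scenario(mem, sizeof mem);
    int n = heartbeat_vulnerable(mem, rec_len, resp, sizeof resp);
    size_t from_record = rec_len - 3;                 /* 20 bytes legitimately echoed */
    size_t over = CLAIMED_PAYLOAD - from_record;      /* 12 bytes read past the record */
    if (n < 0 || over + 1 > leaked_cap)
        return -1;
    memcpy(leaked, resp + 3 + from_record, over);
    leaked[over] = '\0';
    return (int)over;
}

/* 1 if the over-read bytes contain needle, 0 if not, -1 on error. */
static int leak_contains(const char *needle)
{
    char leaked[64];
    if (demo_leak(leaked, sizeof leaked) < 0)
        return -1;
    return strstr(leaked, needle) != NULL;
}

/* Same request through the fixed handler: 0 means it was discarded. */
static int demo_fixed(void)
{
    uint8_t mem[96], resp[96];
    size_t rec_len = build_scenario(mem, sizeof mem);
    return heartbeat_fixed(mem, rec_len, resp, sizeof resp);
}

int main(void)
{
    char leaked[64];
    int n = demo_leak(leaked, sizeof leaked);
    printf("vulnerable handler echoed %d bytes from beyond the record: \"%s\"\n", n, leaked);
    printf("fixed handler returned %d (0 = request discarded)\n", demo_fixed());
    return 0;
}
```

The over-read stays inside one array here so the program is well defined; in a real server the copy ran off the end of the heap chunk holding the record, which is why the reply could contain whatever the process had nearby and why the leak left no trace in logs. Note that the fix is two comparisons against the length the transport actually delivered; the claimed length alone can never be trusted.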
