Heartbleed – You MUST take action!

Written by Cornelius J. van Dyk. Posted in Blog

What is Heartbleed?

If you haven’t heard of the Heartbleed (CVE-2014-0160) bug in the OpenSSL library, it’s time to pay attention!  I’m not going to regurgitate already available information here, but I’ll provide some pointers for you to get more of said information.  There’s a good explanation of the bug located here.  If you think it isn’t serious, consider the fact that services such as Google, Facebook and YouTube were affected, while at the same time hardware manufacturers did not escape scot-free either.  Cisco published a security advisory here noting affected equipment as well as equipment still being investigated for the vulnerability.

What do I need to do?

Here’s a non-exhaustive list of things to do in order to address this:

  1. Make a list of services you use.  CNet maintains a page with a list of the top 100 US sites which should give you a good starting point.  If you are not using a password manager such as RoboForm, now might be a good time to consider starting to use one.  I personally use RoboForm and because I do, all my services are within easy reach.  It makes the creation of this list automatic and more importantly, it will have services on your list that you may forget about because you don’t use them on a daily basis.  Remember, this bug has been around for 2 years!!!  Any vulnerable service you accessed over the past two years could have resulted in your security passwords being stolen.
  2. Once you have the list, check each of the services for the vulnerability.  There are several checkers out there like this one from LastPass.  Personally, I like this one published by Filippo Valsorda.
  3. Once your service site clears the check, change your password.  It’s important NOT to change your password until the service provider has both patched their software AND updated their SSL certificates.  Changing your password before both of these are done would still leave you vulnerable, because a private key that leaked through the bug can still be used to read traffic protected by the old certificate.
  4. DO NOT access any vulnerable services until they’ve been patched and are secure again.  The very first login to a previously vulnerable service should be to change your password.  Once changed, log off completely and then log back onto the service using the new password.  For an extra measure of security I would recommend doing it in Incognito or InPrivate mode in your browser, closing the browser between logons.
  5. If you’re responsible for hardware, be it at home or at work, check whether your hardware, such as routers, is affected.  If your hardware is affected, patch it!  If no patch is available, pull the hardware and replace it with something that isn’t vulnerable.

It’s important to realize that it’s going to take time to patch all the services, especially smaller sites, and that continued use of these services will remain risky unless they’ve been properly secured.
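Step 3 above hinges on the service having replaced its SSL certificate, not just patched OpenSSL. One practical way to check that part is to look at when the certificate the site currently serves became valid: a certificate whose validity starts before the public disclosure of CVE-2014-0160 may have sat behind a vulnerable OpenSSL, so its private key has to be assumed exposed. The script below is an added example, not code from the original post; it treats 7 April 2014 as the disclosure cut-off (an assumption), and the two sample certificates and the host name are constructed. Note the caveat: a fresh certificate shows the key was rotated, it does not by itself prove the server was patched, so the vulnerability checkers in step 2 are still needed.

```python
"""Check whether a server's TLS certificate was (re)issued after the
Heartbleed disclosure, as a helper for the "wait until the certificate
has been replaced before changing your password" step.

Added example, not code from the original post. The cut-off date, the
sample getpeercert()-style dicts and the host name are assumptions or
constructed sample data.
"""
import socket
import ssl
from datetime import datetime, timezone

# Public disclosure of CVE-2014-0160 (assumed cut-off for "reissued").
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def not_before(cert: dict) -> datetime:
    """Parse the notBefore field of a getpeercert()-style dict into a UTC datetime."""
    secs = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def reissued_after_disclosure(cert: dict,
                              cutoff: datetime = HEARTBLEED_DISCLOSURE) -> bool:
    """True if the certificate's validity period starts on or after the cut-off.

    A certificate issued before disclosure may have been served by a
    vulnerable OpenSSL, so its private key should be treated as exposed
    and the certificate replaced before any credentials are changed.
    """
    return not_before(cert) >= cutoff


def classify(cert: dict) -> str:
    """Human-readable verdict for the password-change decision in step 3."""
    if reissued_after_disclosure(cert):
        return "reissued: change your password once the site is also patched"
    return "predates disclosure: wait for the site to rotate its certificate"


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the live certificate as a getpeercert() dict (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in the shape returned by getpeercert().
OLD_CERT = {"subject": ((("commonName", "example.test"),),),
            "notBefore": "Jan 15 00:00:00 2014 GMT",
            "notAfter": "Jan 15 23:59:59 2015 GMT"}
NEW_CERT = {"subject": ((("commonName", "example.test"),),),
            "notBefore": "Apr  9 12:30:00 2014 GMT",
            "notAfter": "Apr  9 12:30:00 2015 GMT"}

if __name__ == "__main__":
    for label, cert in (("old", OLD_CERT), ("new", NEW_CERT)):
        print(label, not_before(cert).date(), "->", classify(cert))
    # For a live host (hypothetical name): print(classify(fetch_peer_cert("example.test")))
```

`ssl.cert_time_to_seconds` accepts the exact `notBefore` string format that `getpeercert()` returns, so the same functions work on the constructed samples and on a certificate fetched live with `fetch_peer_cert`.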

Well, what are you waiting for???!!!  Get started!!!  (And you thought you were going to be doing this and that over the weekend… 😕  )




Cornelius J. van Dyk

Born and raised in South Africa during the 70's, I got my start in computers when a game on my Sinclair ZX Spectrum crashed, revealing its BASIC source code. The ZX had a whopping 48K of memory, which was considered to be a lot in the Commodore Vic20 era, but more importantly, it had BASIC built into the soft touch keyboard. Teaching myself to program, I coded my first commercial program at age 15.

After graduating high school at 17, I joined the South African Air Force, graduating the Academy and becoming a Pilot with the rank of First Lieutenant by age 20. After serving my country for six years, I made my way back into computer software.

Continuing my education, I graduated Summa Cum Laude from the Computer Training Institute before joining First National Bank, where my work won the Smithsonian Award for Technological Innovation in the field of Banking and Insurance. Soon I met Will Coleman from Amdahl SA, who introduced me to a little known programming language named Huron/ObjectStar. As fate would have it, this unknown language and Y2K brought me to the USA in 1998.

I got involved with SharePoint after playing around with the Beta for SharePoint Portal Server 2003. Leaving my career at Rexnord to become a consultant in 2004, I was first awarded the Microsoft Most Valuable Professional Award for SharePoint in 2005, becoming only the 9th MVP for WSS at the time. I fulfilled a lifelong dream by pledging allegiance to the Flag as a US citizen in 2006. I met the love of my life and became a private consultant in 2008. I was honored to receive my ninth MVP award for SharePoint Server in 2013.
