April 10th: Regarding the Heartbleed Bug. A vulnerability has been uncovered in all versions of OpenSSL, which is the encryption software protecting nearly all ecommerce on the Internet. Apparently, this bug has existed since December 31, 2011, and has allowed attackers to view private encrypted data on effected websites. Most virus warnings you read on the Internet are re-hashed hoaxes, but it appears this one is for real.
OpenSSL is open source software. Open source is usually immune, or nearly so, to these kind of vulnerabilities. The reason for this is because, since the source code is open and available for anyone to see, flaws such as this usually come to light quickly, and are fixed. The fact that this vulnerability has existed for more than two years leads me to believe it was most likely engineered by people in the U.S. government (NSA), and that these same people have been the primary attackers taking advantage of the bug.
The existence of the bug became known on April 7, three days ago. On the SAME DAY, the developers of OpenSSL released a patch which disables the bug, and stops the attackers dead in their tracks.
It is important to realize that this software is used by both Unix based, and Windows based servers, and that any server which is not upgraded with a patched version of OpenSSL will remain vulnerable. It is my understanding and belief that when vulnerabilities come to light, Windows based servers are usually vulnerable for a much longer period than Unix based servers-- first because Microsoft takes their sweet time about releasing security updates, and second, because (in my opinion) the administrators of Windows servers tend to be less diligent and/or less competent.
In any case, I want to caution all of our readers about this bug. Some servers may go unpatched for years! Users of large servers such as Yahoo, Facebook, Gmail, Amazon, etc., are the biggest targets. It is assumed they will all patch their servers promptly, if they have not done so already, but I advise you to do some checking to be sure, particularly if you use any financial services over the Internet. Experts are suggesting the average internet user wait a week or so for things to "shake out", before conducting business online.
To our Patrons: We thank you again for your support. Please rest assured that we patched our own servers moments after receiving notice of the bug. I have also personally verified that Paypal guarantees they have no vulnerabilites to this bug.
The important question to ask your vendors is this: What is the build date of the version of OpenSSL on your server? If the date is prior to April 7, 2014, do not conduct business with them until they upgrade.
Closely related to self-defense, this Board focuses in other aspects such as Communications, and Financial.
1 post • Page 1 of 1