Jason

What is Heartbleed Virus? How to protect against it?

12 posts in this topic

Just received this notification this morning from Drivepop.com.  Aside from courtesy being spelled incorrectly, it's a bit vague as to just exactly what Heartbleed is, the severity, etc.

 

A curtosy notice about the Heartbleed virus and how it affects your DrivePop account.

A significant flaw named the “Heartbleed Bug” has been discovered and poses a large security threat to the internet as a whole. The Heartbleed bug is present in the software library OpenSSL which is used by many websites to privately send data to and from an internet server.

The DrivePop website, Livedrive subdomain servers, and the drivepop.com & livedrive.com SSL certificate end points were not vulnerable to the Heartbleed bug when it was publicly disclosed on April 7th 2014.

Any secure communication with our servers, such as logging into the members area, would not be affected by any attacks following the public disclosure of the Heartbleed bug.

The Heartbleed bug has had a profound impact on the transmission of secure data throughout the Internet. It is for that reason that we are encouraging our customers to reset their member area passwords at their earliest convenience as a matter of common password maintenance. Please remember to always make your passwords unique and random, and periodically rotate them. We also encourage you to change your password on any other services that you use, as many services throughout the world have been affected.

 


I'm not sure why drivepop.com would ask you to change your password if their servers aren't vulnerable.

 

Basically, Heartbleed exploits a vulnerability in OpenSSL, which is the protocol that handles the HTTPS connections. Some people are claiming that as many as 2/3 of the web servers on the Internet could be affected. Using this exploit, it would be possible for 3rd parties to intercept the communication between a client and a web server and thereby find out login IDs and passwords. Here's a quote from heartbleed.com:

 

"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."


This is scary stuff. Have they given any indication how long this vulnerability has existed? Or what validated it?


At least 2 years. I believe the US 3-letter agencies have known about it for some time, and have been exploiting it for "national security purposes".


The Heartbleed bug affects OpenSSL (v1.0.1 through 1.0.1f).

That means unless you've installed and configured something that uses it on your server, Windows Server is unaffected by it.

This is because the built in web server (IIS) does not use OpenSSL at all. It uses a proprietary implementation of SSL/TLS/etc that isn't affected by the bug.

 

 

As for how long this has been an issue? 1.0.1 has been out since March 2012. So.... a while. But that's only with installations that include the heartbeat module/library. (included by default, though, IIRC)

https://www.openssl.org/news/

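The two posts above describe the bug at different levels: one quotes heartbleed.com on memory being read from the server, the other pins it to OpenSSL 1.0.1 through 1.0.1f and the heartbeat extension. Both come down to one missing bounds check in the TLS heartbeat handler (CVE-2014-0160). The C program below is an added example written for this page; it is not OpenSSL's code and was not posted by anyone in the thread. It models the vulnerable handler beside the check that OpenSSL 1.0.1g added, over a constructed "process memory" array in which a made-up secret happens to sit right after the received record, as unrelated heap data would. The names `arena`, `build_request`, `heartbeat_demo` and the secret string are this example's own.

```c
/* Added example: simulation of the OpenSSL heartbeat bug (CVE-2014-0160).
 * Not OpenSSL's code. OpenSSL 1.0.1 through 1.0.1f trusted the payload length
 * sent by the peer; 1.0.1g compares it with the record actually received. */
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16          /* RFC 6520: at least 16 bytes of padding */
#define ARENA_SIZE  256

/* Constructed "process memory": the received record starts at offset 0 and an
 * unrelated secret (made up for this demo) follows it, as on a real heap. */
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "session=abc123; Authorization: Basic dXNlcjpwYXNz";

/* Write a heartbeat request carrying `actual` payload bytes but declaring
 * `declared`. Returns the record's true length. */
static size_t build_request(unsigned int declared, const char *payload, size_t actual)
{
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(declared >> 8);        /* big-endian length */
    arena[2] = (unsigned char)(declared & 0xff);
    memcpy(arena + 3, payload, actual);
    memset(arena + 3 + actual, 'P', HB_PADDING);
    size_t rec_len = 1 + 2 + actual + HB_PADDING;
    memcpy(arena + rec_len, secret, sizeof secret);   /* adjacent memory */
    return rec_len;
}

/* Vulnerable handler: the length comes from the packet and is never compared
 * with rec_len, so memcpy reads whatever follows the record. Returns 0 on
 * success, -1 on a rejected request, -2 if the demo would leave its fake
 * memory (a real process would read further heap contents or crash). */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap, size_t *out_len)
{
    const unsigned char *p = rec;
    unsigned int hbtype = *p++;
    unsigned int payload = (unsigned int)(p[0] << 8 | p[1]); /* n2s(p, payload) */
    const unsigned char *pl = p + 2;
    (void)rec_len;                                   /* never consulted: the bug */

    if (hbtype != HB_REQUEST || 1 + 2 + payload + HB_PADDING > out_cap)
        return -1;
    if ((size_t)(pl - arena) + payload > ARENA_SIZE) /* simulation-only guard */
        return -2;

    unsigned char *bp = out;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);                         /* over-read happens here */
    memset(bp + payload, 'R', HB_PADDING);           /* OpenSSL used random bytes */
    *out_len = 1 + 2 + payload + HB_PADDING;
    return 0;
}

/* Fixed handler (the 1.0.1g check): discard the record unless header, declared
 * payload and minimum padding all fit inside what was actually received. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap, size_t *out_len)
{
    const unsigned char *p = rec;
    if (1 + 2 + HB_PADDING > rec_len)
        return -1;                                   /* too short to be valid */
    unsigned int hbtype = *p++;
    unsigned int payload = (unsigned int)(p[0] << 8 | p[1]);
    const unsigned char *pl = p + 2;
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return -1;                                   /* RFC 6520: silently discard */
    if (hbtype != HB_REQUEST || 1 + 2 + payload + HB_PADDING > out_cap)
        return -1;

    unsigned char *bp = out;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);                         /* now inside the record */
    memset(bp + payload, 'R', HB_PADDING);
    *out_len = 1 + 2 + payload + HB_PADDING;
    return 0;
}

/* Byte-buffer substring search (memmem() is not portable). */
static int contains(const unsigned char *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Send one request declaring `declared` payload bytes (really 2 bytes) through
 * the vulnerable (fixed == 0) or fixed handler. Returns 1 if the response
 * carries the secret, 0 if it is clean, -1 if discarded, -2 for the demo guard. */
int heartbeat_demo(int fixed, unsigned int declared)
{
    static unsigned char response[1 + 2 + 65535 + HB_PADDING];
    size_t resp_len = 0;
    size_t rec_len = build_request(declared, "hi", 2);
    int rc = fixed ? heartbeat_fixed(arena, rec_len, response, sizeof response, &resp_len)
                   : heartbeat_vulnerable(arena, rec_len, response, sizeof response, &resp_len);
    if (rc != 0)
        return rc;
    return contains(response, resp_len, secret);
}

int main(void)
{
    printf("honest length, vulnerable code: %d\n", heartbeat_demo(0, 2));
    printf("lying length,  vulnerable code: %d (1 = secret leaked)\n", heartbeat_demo(0, 100));
    printf("lying length,  fixed code:      %d (-1 = discarded)\n", heartbeat_demo(1, 100));
    return 0;
}
```

The two handlers differ only in the comparison against `rec_len`; everything else, including the byte-swap of the length field and the padding, is the same. That is why the bug could sit unnoticed in a release for two years: a well-formed heartbeat works identically under both, and the over-read only shows when a client lies about its payload length, as this demo's second call does.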

Since then I've signed up for LastPass. Used to use 1Password for Mac. LP is the best invention to come along in quite some time.


LastPass is great. If you buy the Premium version (which is only $1/mo) you can then add YubiKey 2nd Factor Authentication to the mix http://www.yubico.com/products/. YubiKey gives you one-time password protection to your ordinary logins.
