Mitigating Heartbleed (and Snowden)

First of all, it looks like Snowden will be getting an honorary doctorate from the University of Rostock in Germany. Other honorary Rostock doctorate-holders include German president Gauck, who got his for opening the Stasi files to the public. http://www.faz.net/aktuell/politik/inland/universitaet-rostock-snowden-soll-ehrendoktor-werden-12888538.html (in German; machine translation will do)

Now, for those of you who run web servers, there is a simple way to check whether your server is (still) vulnerable to the Heartbleed bug: http://filippo.io/Heartbleed/

There is also a Python script if you would rather not add your site to some dude's global register of Heartbleed victims (the web checker logs the hostnames it is given; the script runs the same probe from your own machine). Find it here: http://s3.jspenguin.org/ssltest.py
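What those checkers actually do, as an added example written for this post (it is not code from the original page or from ssltest.py): the probe is a TLS heartbeat request whose two-byte payload_length field claims far more bytes than the request carries. Unpatched OpenSSL trusted that field and copied the declared number of bytes out of its own memory into the reply, so a response longer than the probe means the server is leaking. The simulated heap, the "private key" bytes and the helper names below are constructed for illustration; the length check in the patched branch mirrors the bound the real fix added (header plus payload plus minimum padding must fit inside the record actually received).

```python
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520: at least 16 bytes of padding follow the payload


def build_heartbeat_request(payload: bytes, declared_len: int) -> bytes:
    """HeartbeatMessage = type(1) | payload_length(2) | payload | padding(16).

    An honest client passes declared_len == len(payload). A Heartbleed checker
    lies: it sends a short payload but declares e.g. 0x4000 bytes.
    """
    return struct.pack("!BH", HEARTBEAT_REQUEST, declared_len) + payload + b"\x00" * PADDING_LEN


class SimulatedServer:
    """Stand-in for the server side of the heartbeat extension (constructed model).

    The incoming record is placed at the front of a bytearray 'heap'; whatever the
    process happened to hold next in memory (here a constructed key fragment) sits
    directly behind it. A real process would also leak data past the end of this
    buffer; the slice below simply stops where our model heap ends.
    """

    def __init__(self, adjacent_memory: bytes, patched: bool) -> None:
        self.adjacent_memory = adjacent_memory
        self.patched = patched

    def handle(self, record: bytes) -> Optional[bytes]:
        heap = bytearray(record) + bytearray(self.adjacent_memory)
        hb_type, declared_len = struct.unpack("!BH", heap[:3])
        if hb_type != HEARTBEAT_REQUEST:
            return None
        if self.patched:
            # The fix: the declared payload must fit inside the record we received.
            # Oversized requests are silently discarded, so the checker sees no reply.
            if 1 + 2 + declared_len + PADDING_LEN > len(record):
                return None
        # Vulnerable behaviour: trust declared_len and copy that many bytes
        # starting just past the 3-byte header, running off the end of the record.
        echoed = bytes(heap[3:3 + declared_len])
        return struct.pack("!BH", HEARTBEAT_RESPONSE, declared_len) + echoed + b"\x00" * PADDING_LEN


def check_heartbleed(server: SimulatedServer, declared_len: int = 0x4000) -> Tuple[str, bytes]:
    """Send the lying probe and judge the reply the way the public checkers do.

    Returns (verdict, leaked_bytes). Anything echoed beyond our own probe payload
    is memory the server should never have sent.
    """
    probe = b"ping"
    response = server.handle(build_heartbeat_request(probe, declared_len))
    if response is None:
        return "not vulnerable", b""
    _, resp_len = struct.unpack("!BH", response[:3])
    echoed = response[3:3 + resp_len]
    if not echoed.startswith(probe) or len(echoed) <= len(probe):
        return "not vulnerable", b""
    return "VULNERABLE", echoed[len(probe):]


def honest_heartbeat_echoed(server: SimulatedServer) -> bool:
    """A correctly sized request must still get its payload echoed after the fix."""
    payload = b"keepalive"
    response = server.handle(build_heartbeat_request(payload, len(payload)))
    return response is not None and response[3:3 + len(payload)] == payload


# Constructed sample of what might sit next to the record in server memory.
SECRET_NEXT_TO_BUFFER = b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA0cZ0\n"

if __name__ == "__main__":
    for patched in (False, True):
        srv = SimulatedServer(SECRET_NEXT_TO_BUFFER, patched=patched)
        verdict, leaked = check_heartbleed(srv)
        print(f"patched={patched}: {verdict}; leaked {len(leaked)} bytes")
```

Running it shows the unpatched model handing back the padding plus the bytes that followed the record, and the patched model returning nothing for the oversized probe while still answering an honest heartbeat. That last point matters: a server that stops answering heartbeats entirely may just have the extension disabled, which is also a valid way to close the hole.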

Here is the short version of what to do about the problem:

“Once you have updated to the most recent version [of OpenSSL] you must then regenerate your private key(s) and SSL certificate(s). We would also recommend resetting all passwords for usernames that were used during the timeframe that you were vulnerable.”

DURING THE TIMEFRAME THAT YOU WERE VULNERABLE... for most sites that is roughly two years, since the bug shipped in OpenSSL 1.0.1 in 2012, so the password resets are not optional.

Why is this important? According to Ars Technica [1], there is evidence suggesting the Heartbleed hole may have been exploited for months before it was known to the public.

So you may already be pwned! (Probably a good idea to go check, and to rotate keys and passwords even if the checker now says you are clean: a clean result today says nothing about what was read out while you were exposed.)

[1] http://arstechnica.com/security/2014/04/heartbleed-vulnerability-may-have-been-exploited-months-before-patch/

[2] http://www.net-security.org/secworld.php?id=16661
