TOPICS

Thursday, May 29, 2014

Internet Security – The Heartbleed SSL Bug

QUESTION
Last month I read about an Internet anomaly called the “Heartbleed SSL bug.”
When I discussed this issue with our IT support staff, we were assured that the necessary precautions had been taken in-house to protect our financial applications and our network. 

However, they mentioned that we should take precautions outside of their purview and change our passwords on all our private email accounts, services and various websites that are popular today.

Is this really necessary? 

ANSWER
Yes! 


Heartbleed is a serious bug in OpenSSL, a widely used software library that implements the SSL/TLS encryption most secure websites rely on. The flaw was introduced in early 2012 and went unnoticed for almost two years before its public disclosure in April 2014. It sits in a minor feature of the protocol (the “heartbeat” extension) and lets an attacker ask a vulnerable server to send back a chunk of its private memory, up to 64 KB at a time, without leaving a trace in the server's logs. That memory can contain user passwords, session cookies and even the server's own private encryption key; with that key, an attacker can impersonate the site and create fake pages that appear like the real ones. SSL stands for Secure Sockets Layer, and is a protocol for managing the security of a transmission on the Internet (its modern successor is called TLS).
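To make the mechanism concrete, here is an added illustration in C, written for this page and not taken from OpenSSL. It models a received heartbeat message as a type byte, a two-byte declared payload length, the payload, and padding. The vulnerable handler copies as many bytes as the message claims; the fixed handler first checks that claim against the number of bytes that actually arrived. The “memory arena”, the two-byte payload and the secret placed a few dozen bytes after it are all constructed for the demonstration, and the copy is capped at the arena size only so the model stays in bounds (the real bug read up to 64 KB).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 256
#define HB_HEADER  3     /* type (1 byte) + payload_length (2 bytes, big-endian) */
#define HB_PADDING 16    /* minimum padding the heartbeat extension requires */

/* Constructed model of one process's memory: the received heartbeat record is
 * at the start of the arena and, as on a real heap, unrelated data sits a few
 * dozen bytes after it. */
typedef struct {
    unsigned char mem[ARENA_SIZE];
    size_t record_len;            /* bytes actually received on the wire */
} arena_t;

static const char SECRET[] = "session=abc123; password=hunter2";   /* constructed */

static void build_arena(arena_t *a, uint16_t declared_len) {
    memset(a->mem, 0, sizeof a->mem);
    a->mem[0] = 1;                                    /* heartbeat_request */
    a->mem[1] = (unsigned char)(declared_len >> 8);   /* payload_length as claimed */
    a->mem[2] = (unsigned char)(declared_len & 0xFF);
    memcpy(&a->mem[HB_HEADER], "hi", 2);              /* the real 2-byte payload */
    a->record_len = HB_HEADER + 2 + HB_PADDING;       /* 21 bytes were actually sent */
    memcpy(&a->mem[64], SECRET, sizeof SECRET);       /* neighbouring memory */
}

/* Vulnerable handler: trusts payload_length from the message and echoes that
 * many bytes starting at the payload, the CVE-2014-0160 pattern. The cap keeps
 * this model inside the arena; the real code had no such limit. */
static size_t heartbeat_vulnerable(const arena_t *a, unsigned char *out, size_t out_cap) {
    const unsigned char *p = a->mem;
    size_t payload_len = ((size_t)p[1] << 8) | p[2];
    size_t limit = out_cap < ARENA_SIZE - HB_HEADER ? out_cap : ARENA_SIZE - HB_HEADER;
    if (payload_len > limit) payload_len = limit;
    memcpy(out, p + HB_HEADER, payload_len);          /* reads past the 2-byte payload */
    return payload_len;
}

/* Fixed handler: the declared length must fit inside the record that was
 * actually received, otherwise the request is silently discarded. */
static size_t heartbeat_fixed(const arena_t *a, unsigned char *out, size_t out_cap) {
    const unsigned char *p = a->mem;
    if (a->record_len < HB_HEADER + HB_PADDING) return 0;
    size_t payload_len = ((size_t)p[1] << 8) | p[2];
    if (HB_HEADER + payload_len + HB_PADDING > a->record_len) return 0;
    if (payload_len > out_cap) return 0;
    memcpy(out, p + HB_HEADER, payload_len);
    return payload_len;
}

/* 1 if the echoed bytes contain the password from neighbouring memory. */
static int leaks_secret(const unsigned char *out, size_t n) {
    static const char needle[] = "password=hunter2";
    size_t nl = sizeof needle - 1;
    for (size_t i = 0; i + nl <= n; i++)
        if (memcmp(out + i, needle, nl) == 0) return 1;
    return 0;
}

/* Run one request through either handler; returns whether the reply leaked
 * the secret and stores the number of echoed bytes in *echoed. */
static int scenario(int fixed, uint16_t declared_len, size_t *echoed) {
    arena_t a;
    unsigned char out[ARENA_SIZE];
    build_arena(&a, declared_len);
    *echoed = fixed ? heartbeat_fixed(&a, out, sizeof out)
                    : heartbeat_vulnerable(&a, out, sizeof out);
    return leaks_secret(out, *echoed);
}

int main(void) {
    size_t n;
    int leaked = scenario(0, 65535, &n);
    printf("vulnerable, claims 65535 bytes: echoed %zu bytes, secret leaked: %s\n",
           n, leaked ? "yes" : "no");
    leaked = scenario(1, 65535, &n);
    printf("fixed,      claims 65535 bytes: echoed %zu bytes, secret leaked: %s\n",
           n, leaked ? "yes" : "no");
    scenario(1, 2, &n);
    printf("fixed,      claims     2 bytes: echoed %zu bytes (honest request answered)\n", n);
    return 0;
}
```

The single missing comparison between the claimed length and the received length is the whole bug: the honest two-byte request is still answered by the fixed handler, while the oversized claim is dropped instead of being paid for with the server's memory.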

Many major sites such as Facebook, Google, Gmail, Yahoo, Twitter, Apple, GoDaddy, Netflix, YouTube and Dropbox have been affected. Most of them have since patched the flaw, but your passwords need to be changed now in case they were stolen before the fix. One caution: change a password only after the site has confirmed it is patched, because a new password typed into a still-vulnerable server can be captured just as easily as the old one.

A comprehensive list of the affected sites and their reactions has been compiled and can be found at this link:


This is not a virus that is spreading, and there is no anti-virus or other protection you can install on your computer to fix it. The flaw lives on the servers you connect to, and only their operators can patch it. Keep your own software up to date regardless, since the same library is built into some client programs and devices.

The only way to be safe is to change your passwords on every online site you use – and I mean all your passwords! Use a different password for each site; if one is stolen, a unique password keeps the thief out of the others.

To increase your security even more, and to limit the damage if something like this happens again, we encourage you to turn on “two-step verification” (also called two-factor authentication) wherever it is offered. It is available on many major sites, such as Gmail, LastPass, Yahoo! Mail, Facebook, Twitter, Dropbox, Evernote, and LinkedIn. In the version Gmail deploys, you enter your password as usual; the site then sends a one-time code by text message to your cell phone, and you type that code into the logon prompt to finish signing in. A stolen password alone is no longer enough, because the attacker would also need your phone.
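The following is an added example, written for this page and not code from any of the sites named above, showing what the site's side of that two-step logon has to do: accept the password, issue a short-lived code that is “texted” to the phone, and accept that code only once and only within its time window. The stored password, the five-minute lifetime and the placeholder code generator are assumptions of the example; a real service stores a password hash and draws codes from the operating system's secure random source.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CODE_LEN   6
#define CODE_TTL_S 300   /* a texted code is good for five minutes (assumption) */

/* Server-side state for one account's pending second step. */
typedef struct {
    char     code[CODE_LEN + 1];
    long     issued_at;   /* seconds; supplied by the caller so the example is deterministic */
    int      pending;     /* 1 while a code has been issued and not yet consumed */
    uint32_t rng;         /* placeholder generator state, NOT a secure random source */
} account_t;

/* Constructed credential; a real system stores a salted hash, never the password. */
static const char STORED_PASSWORD[] = "correct horse battery staple";

/* Compare two equal-length strings without revealing where they differ. */
static int ct_equal(const char *a, const char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

static void account_init(account_t *acct, uint32_t seed) {
    memset(acct, 0, sizeof *acct);
    acct->rng = seed;
}

/* Step 1: password check. On success a fresh code is issued and "texted" to the
 * phone; here it is written to sms_out to stand in for the text message. */
static int step1_password(account_t *acct, const char *password, long now, char *sms_out) {
    size_t n = sizeof STORED_PASSWORD - 1;
    if (strlen(password) != n || !ct_equal(password, STORED_PASSWORD, n)) {
        acct->pending = 0;                       /* no code is issued on a bad password */
        return 0;
    }
    acct->rng = acct->rng * 1103515245u + 12345u;   /* placeholder LCG, for illustration only */
    snprintf(acct->code, sizeof acct->code, "%06u", (unsigned)((acct->rng >> 8) % 1000000u));
    acct->issued_at = now;
    acct->pending = 1;
    strcpy(sms_out, acct->code);
    return 1;
}

/* Step 2: the code must follow a successful step 1, be unexpired, match, and
 * it can be used only once. */
static int step2_code(account_t *acct, const char *submitted, long now) {
    if (!acct->pending) return 0;
    if (now < acct->issued_at || now - acct->issued_at > CODE_TTL_S) {
        acct->pending = 0;                       /* stale code: start over */
        return 0;
    }
    if (strlen(submitted) != CODE_LEN || !ct_equal(submitted, acct->code, CODE_LEN)) return 0;
    acct->pending = 0;                           /* consume the code */
    return 1;
}

/* Scripted scenarios; each returns 1 if the logon was accepted. */
static int scenario_honest_user(void) {
    account_t acct; char sms[CODE_LEN + 1] = "";
    account_init(&acct, 42);
    return step1_password(&acct, STORED_PASSWORD, 1000, sms) && step2_code(&acct, sms, 1030);
}
static int scenario_password_only(void) {        /* attacker has the password, not the phone */
    account_t acct; char sms[CODE_LEN + 1] = "";
    account_init(&acct, 42);
    step1_password(&acct, STORED_PASSWORD, 1000, sms);
    return step2_code(&acct, "000000", 1005);
}
static int scenario_stale_code(void) {           /* right code, typed in too late */
    account_t acct; char sms[CODE_LEN + 1] = "";
    account_init(&acct, 42);
    step1_password(&acct, STORED_PASSWORD, 1000, sms);
    return step2_code(&acct, sms, 1000 + CODE_TTL_S + 1);
}
static int scenario_replayed_code(void) {        /* a code captured in transit, used again */
    account_t acct; char sms[CODE_LEN + 1] = "";
    account_init(&acct, 42);
    step1_password(&acct, STORED_PASSWORD, 1000, sms);
    step2_code(&acct, sms, 1030);
    return step2_code(&acct, sms, 1031);
}
static int scenario_wrong_password(void) {       /* 1 only if a code leaked despite a bad password */
    account_t acct; char sms[CODE_LEN + 1] = "";
    account_init(&acct, 42);
    int ok = step1_password(&acct, "password123", 1000, sms);
    return ok || sms[0] != '\0';
}

int main(void) {
    printf("honest user, password + texted code : %s\n", scenario_honest_user()    ? "accepted" : "rejected");
    printf("attacker with password only         : %s\n", scenario_password_only()  ? "accepted" : "rejected");
    printf("correct code after it expired       : %s\n", scenario_stale_code()     ? "accepted" : "rejected");
    printf("same code used a second time        : %s\n", scenario_replayed_code()  ? "accepted" : "rejected");
    printf("wrong password issues a code        : %s\n", scenario_wrong_password() ? "yes" : "no");
    return 0;
}
```

The expiry, single-use and constant-time comparison are what make the second step worth having: without them a captured or guessed code could be replayed at leisure, and the extra step would add inconvenience without adding much security.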

As I noted here in an earlier FAQ on Internet Security, remember that your personal computer is the gateway to information that someone else may want.

Kevin Origoni
Director/IT and Internet Security
Lenders Compliance Group