Results tagged “IT” from Kazza the Blank One

Working in a state office away from my team, and not following any news sites closely, I was out of the loop about Heartbleed until today.  Then I read about it.  And got scared.

xkcd summed it up - "Heartbleed must be the worst web security lapse ever.  .. Worst so far. Give us time."

Basically it's a vulnerability in SSL (used on https websites) which makes them essentially completely open to the web.  Any data you transmit to an affected site is NOT secure.  Anyone can read it.  And not only that, but if the affected server doesn't replace their SSL certificates/keys, they continue to be vulnerable, because the keys are out there.  And they never ever should be.  Yeah, really really messy.

Initial reports indicated that two thirds of SSL sites on the internet could be affected, but it seems to be smaller than that.  Big sites confirmed to be affected included Yahoo, Flickr, Imgur, OkCupid.  From what I've seen so far, local banking sites, eBay and PayPal aren't currently affected, but they may have been in the past, or even yesterday.  I haven't seen many .au sites come up, although I did see vic.gov.au come up.

General advice is: change all your passwords on affected sites that you've accessed recently (the vulnerability is two years old, but there doesn't seem to be any evidence that it was in the wild until the past couple of days.. although having said that, it doesn't show up in logs so it's possible people have been collecting stuff very quietly).  And then change them again after the certificate has been fixed.  

There's a couple of test sites around - eg http://filippo.io/Heartbleed/ and https://www.ssllabs.com/ssltest/index.html
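Since the advice is to change passwords only once a site has replaced its certificate, here is a small defender-side check, added as an example and not part of the original post: it reads the certificate's notBefore date and tells you whether the certificate was issued after the date the site says it was patched. The patch date is supplied by you (nothing is hard-coded), and the two sample certificates are constructed inline so the logic can be exercised offline.

```python
"""Was a site's TLS certificate (re)issued after a given fix date?

Added example, not code from the original post. Assumes the caller knows
the date the site announced its patch / re-key; that date is a parameter.
"""
import socket
import ssl
from datetime import datetime, timezone


def parse_cert_time(openssl_time: str) -> datetime:
    """Parse the 'Apr  9 00:00:00 2014 GMT' format returned by
    ssl.SSLSocket.getpeercert() into a timezone-aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(openssl_time), tz=timezone.utc)


def fix_date_from_iso(day: str) -> datetime:
    """Turn a 'YYYY-MM-DD' string into a UTC datetime at 00:00 of that day."""
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def cert_reissued_after(cert: dict, fix_date: datetime) -> bool:
    """True if the certificate's validity starts after fix_date.

    A certificate that was already live while the server was vulnerable
    may have had its private key read out, so it should have been replaced.
    A notBefore later than the patch date is the externally visible sign
    that a new certificate was issued.
    """
    return parse_cert_time(cert["notBefore"]) > fix_date


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the leaf certificate of a live server (needs network access;
    not exercised offline). Hostname and chain are verified by the default context."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates: only the fields this check uses.
SAMPLE_OLD_CERT = {"subject": ((("commonName", "old.example"),),),
                   "notBefore": "Mar  1 00:00:00 2014 GMT",
                   "notAfter": "Mar  1 00:00:00 2015 GMT"}
SAMPLE_NEW_CERT = {"subject": ((("commonName", "new.example"),),),
                   "notBefore": "Apr  9 12:00:00 2014 GMT",
                   "notAfter": "Apr  9 12:00:00 2015 GMT"}


def verdict(cert: dict, fix_date: datetime) -> str:
    """Human-readable outcome for one certificate."""
    issued = parse_cert_time(cert["notBefore"]).date().isoformat()
    if cert_reissued_after(cert, fix_date):
        return f"issued {issued}: after the fix date, ok to change your password now"
    return f"issued {issued}: predates the fix date, wait for the site to re-issue"


if __name__ == "__main__":
    import sys
    # usage: python heartbleed_cert_check.py HOST YYYY-MM-DD
    if len(sys.argv) == 3:
        print(verdict(fetch_peer_cert(sys.argv[1]), fix_date_from_iso(sys.argv[2])))
    else:
        when = fix_date_from_iso("2014-04-08")   # constructed sample date
        print(verdict(SAMPLE_OLD_CERT, when))
        print(verdict(SAMPLE_NEW_CERT, when))
```

Two caveats when reading the result. A day-granular fix date is coarse, so a certificate issued on the patch day itself needs a closer look at the timestamps. And a new notBefore only shows that a certificate was re-issued, not that a fresh private key was generated; if you kept a copy of the old certificate, compare the public keys as well.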

Fortunately none of our public facing websites at work are affected, so that's a relief!

Cyber Rage

A couple of stories that fill me with dread...

  • The amendments to UK laws which could see the tools used by "white hat" ethical hackers outlawed..
  • The Texas law which could put legitimate computer security companies out of work..
The people writing these laws obviously don't get that crackers don't abide by laws like this, and all it's going to do is make it harder for IT professionals to maintain the security of their networks.

Both things were discussed at the SANS panel tonight. 
Kazza's "Boring Life Of a Geek" aka BLOG

IT geek, originally from Sydney, moved to Canberra in 2007. Married to "the sweetie", aka Stu. Prolific photographer, Lego junkie and tropical fish keeper.
