Results tagged “IT” from Kazza the Blank One
Working in a state office away from my team, and not following any news sites closely, I was out of the loop about Heartbleed until today. Then I read about it. And got scared.
xkcd summed it up - "Heartbleed must be the worst web security lapse ever. .. Worst so far. Give us time."
Basically it's a vulnerability in SSL (used on https websites) which makes them essentially completely open to the web. Any data you transmit to an affected site is NOT secure. Anyone can read it. And not only that, but if the affected server doesn't replace their SSL certificates/keys, they continue to be vulnerable, because the keys are out there. And they never ever should be. Yeah, really really messy.
Initial reports indicated that two thirds of SSL sites on the internet could be affected, but it seems to be smaller than that. Big sites confirmed to be affected included Yahoo, Flickr, Imgur, OkCupid. From what I've seen so far, local banking sites, eBay and PayPal aren't currently affected, but they may have been in the past, or even yesterday. I haven't seen many .au sites come up, although I did see vic.gov.au come up.
General advice is: change all your passwords on affected sites that you've accessed recently (the vulnerability is two years old, but there doesn't seem to be any evidence that it was in the wild until the past couple of days... although having said that, it doesn't show up in logs so it's possible people have been collecting stuff very quietly). And then change them again after the certificate has been fixed.
Fortunately none of our public facing websites at work are affected, so that's a relief!
- The amendments to UK laws which could see the tools used by "white hat" ethical hackers outlawed.
- The Texas law which could put legitimate computer security companies out of work.
Both things were discussed at the SANS panel tonight.