Four days ago, the Heartbleed bug hit the news. A dramatic and sometimes confusing flurry of articles and announcements has followed, and it is still going on. We hope this helps you make sense of it:
Q - What is Heartbleed?
A - A latent flaw in the encryption software that protects many online mail and web accounts ... even if you see the nice closed padlock icon in your browser. So: banking, ecommerce, dating sites, *password manager sites*, even the encryption used in file and server backup systems. Nifty, eh? Google, Yahoo, and Facebook are among the affected web sites that have already patched the problem.
Q - What other software or hardware may be affected?
A - A pretty long and ever-changing list - see below. Note that ANDROID phones and tablets are vulnerable. Your cellular carrier will need to update those remotely.
Q - How long has this existed?
A - It's been undetected for more than 2 years.
Q - Are all web sessions with the closed padlock icon compromised?
A - No - only those which rely on a particular implementation of SSL/TLS called OpenSSL. It's pretty commonly used.
Q - How does it work?
A - This bug creates a crack or opening in the SSL/TLS layer so that interlopers can grab the keys to decipher your encrypted data - without anyone's knowledge.
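To make the "crack" concrete for the technically curious, here is an added example (not part of this SynerTel note and not OpenSSL's own code) in C: a simplified heartbeat handler modelled on the RFC 6520 message layout, showing the input check that the Heartbleed fix added, namely refusing to echo more bytes than the peer actually sent. The record bytes are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 6520 heartbeat record: 1-byte type, 2-byte big-endian payload_length,
 * payload, then >= 16 bytes padding. Heartbleed (CVE-2014-0160) was a missing
 * check that payload_length fits inside the record actually received. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Validate a received record and build the echo response in out. Returns the
 * response length, or 0 to discard silently (the behaviour the fix adopted). */
size_t heartbeat_response(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING || rec[0] != HB_REQUEST)
        return 0;                       /* too short to even hold a header */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* The check Heartbleed lacked: claimed payload + header + padding must
     * fit in the bytes received, else memcpy reads past rec into memory. */
    if (HB_HEADER_LEN + payload + HB_MIN_PADDING > rec_len)
        return 0;
    size_t resp_len = HB_HEADER_LEN + payload + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xFF);
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload);
    memset(out + HB_HEADER_LEN + payload, 0, HB_MIN_PADDING); /* padding */
    return resp_len;
}

/* Constructed 23-byte record (not captured traffic): request, 4-byte payload
 * "ping", 16 bytes padding; the caller picks the payload_length field.
 * An honest 0x0004 yields a 23-byte response; a claimed 0xFFFF yields 0. */
size_t demo_request(uint8_t len_hi, uint8_t len_lo)
{
    uint8_t rec[HB_HEADER_LEN + 4 + HB_MIN_PADDING] =
        {HB_REQUEST, 0, 0, 'p', 'i', 'n', 'g'};
    uint8_t out[64];
    rec[1] = len_hi;
    rec[2] = len_lo;
    return heartbeat_response(rec, sizeof rec, out, sizeof out);
}
```

The unpatched code skipped the second check, so a record whose length field claimed far more than it carried caused the server to copy and send back that much of its own memory, which is where session keys and passwords could leak from.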
Q - What should I do?
A - Mostly nothing, yet. While changing your passwords frequently is a good idea, especially on sites that contain sensitive information or could be used for identity theft, the reality is that until vendors and site hosts finish patching the loophole, changing your password isn't a permanent solution, because information, including your password and other sensitive personal details, could get stolen all over again.
Q - How will I know when?
A - Responsible affected vendors and web hosts will alert you when it's a safe and useful time to change your password. Of course, you can change it now AND change it again a bit later. It's likely you'll get separate notifications from multiple web hosts at different times - so stay alert for such messages.
One more thing: don't click on links in emails about this topic without first being sure they are not malware themselves ... there's bound to be a bunch of that going on, too.
Q - What about Cisco, Fortinet, and Juniper hardware vulnerability?
A - Some routing equipment made by these three vendors is also vulnerable. These vendors sell both routers and firewalls used in homes as well as those used in businesses and by carriers. These may be more difficult to fix - especially if they are in your home.
The WSJ quoted cybersecurity researcher and cryptographer Bruce Schneier as saying "The upgrade path [for home users] is going to involve a trash can, a credit card, and a trip to Best Buy." He's probably right in that the cost of having an IT professional assess and update a $59 home router will dwarf replacing it - but it's an eco-disaster, too.
If SynerTel manages your corporate IT (SynerTel Managed WorkPlace), then we're applying patches to close the loophole on any managed device in your world that uses OpenSSL and that we're made aware of. So far, the SynerTel standard technology "stack" (collection of systems) has not received any manufacturer bulletins. But we're watching hour by hour in case that changes.
Taking the worry out of your network!