In the last few weeks there have been two security issues that are going to affect just about everyone. First is the Heartbleed bug, and now there is a security flaw in all versions of Internet Explorer (IE). If you just want to know your best course of action, you should:

1)      Change all your online passwords

  1. In addition, before changing your password you should check the websites that you visit to make sure they have been patched. Click Heartbleed test to verify that a site has been patched. If it has not, the bad guys will still be able to steal that information.

AND

2)      Use a different browser like Google’s Chrome or Mozilla’s Firefox

You should do BOTH. I know changing all your passwords is easier said than done.

The troubling thing is that both these issues appear to have been problems that no one but the wrong people (i.e. the bad guys) knew about for a long time. Let’s take a closer look at both:

Heartbleed Bug

When you go to a website to buy something and the padlock shows up (meaning you’re using HTTP over SSL, or HTTPS), you think you’re safe, right? Because everything is “encrypted”, no one can see it. The Heartbleed bug allows hackers to “see” some of this information if the website is using a certain version of SSL (OpenSSL). That means if you are shopping on a site, the padlock shows up and you put your credit card and user information in, then IF the site is using that version of SSL, hackers can “see” that information. About 2/3 of the sites on the Internet use this particular version. This affects two types of people: 1) those that operate a website that uses OpenSSL (most shopping sites) and 2) people (like YOU and me) that go to those websites.

If you have a website, you first need to determine whether you are using OpenSSL and, if so, patch it. Then comes the fun part: you need to go to your Certificate Authority, revoke your primary keys, have them reissued and distribute the new ones. If you have a website, you should talk to your web developer to make sure this happens.
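For the "determine whether you are using OpenSSL" step, a site owner or developer can start from the version line the server prints. The script below is an added example, not part of the original post: the function name `heartbleed_status` and the sample lines are constructed for illustration, and it relies on the upstream fact that Heartbleed affects OpenSSL 1.0.1 through 1.0.1f and the 1.0.2 betas before beta2.

```shell
#!/bin/sh
# Added example: classify the output of `openssl version` for Heartbleed.
# Upstream OpenSSL 1.0.1 through 1.0.1f (and 1.0.2-beta / 1.0.2-beta1)
# contain the bug; 1.0.1g fixed it. Older branches (0.9.8, 1.0.0) never
# had the heartbeat feature.
#
# Caveat: Linux distributions often backport the fix without changing the
# version string, so "affected-range" means "confirm against the vendor's
# package changelog or the build date from `openssl version -b`", not
# "definitely vulnerable".
heartbleed_status() {
    name=$(printf '%s\n' "$1" | awk '{print $1}')
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    # Anything that is not an "OpenSSL <version> ..." line cannot be judged.
    if [ "$name" != "OpenSSL" ] || [ -z "$ver" ]; then
        echo "unknown"
        return 0
    fi
    case "$ver" in
        1.0.1|1.0.1[abcdef]|1.0.1[abcdef]-*)   # e.g. 1.0.1e, 1.0.1e-fips
            echo "affected-range" ;;
        1.0.2-beta|1.0.2-beta1)
            echo "affected-range" ;;
        1.0.1-*)                               # pre-release 1.0.1 builds
            echo "unknown" ;;
        *)
            echo "not-affected" ;;
    esac
}

# Constructed sample lines in the format `openssl version` prints.
while IFS= read -r line; do
    printf '%-34s -> %s\n' "$line" "$(heartbleed_status "$line")"
done <<'EOF'
OpenSSL 1.0.1e 11 Feb 2013
OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL 1.0.1g 7 Apr 2014
OpenSSL 0.9.8y 5 Feb 2013
EOF

# Check the OpenSSL installed on this machine, if there is one.
if command -v openssl >/dev/null 2>&1; then
    local_line=$(openssl version)
    printf 'this host: %s -> %s\n' "$local_line" "$(heartbleed_status "$local_line")"
fi
```

Patching alone is not the end of the procedure: the key and certificate steps in the paragraph above still apply to any server that ran a version in the affected range.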

If you use the web, chances are you’ve gone to an exploited site and may have been compromised, meaning someone may have your credit card information and User-ID and/or password. Now if you use do-nothing-site.com and it was compromised, who cares – unless you use the same User-ID and/or password at another site. The trick is that if you change your User-ID and password BEFORE the site is fixed, your User-ID and password can still get into the hands of the wrong people. Here is a tool where you can enter the site’s address (URL) to see if the site is vulnerable or has been patched: Heartbleed test. As always, to be safe you should change your passwords frequently and avoid using the same password for every website. I know that’s easier said than done. Using a password manager may help, but if someone breaks into your password manager then they have ALL your passwords. We use a service that provides OTP (One Time Passwords), but some people think that it’s troublesome and not all places are set up for that. Call us if you have any questions about what you should do.

Internet Explorer Security Flaw

The flaw in the Internet Explorer browser “may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer”. That is kind of like getting the keys to the kingdom. They can take complete control of the system, including installing programs and other malware and stealing information. The US Homeland Security’s Computer Emergency Readiness Team (CERT) has urged “users and administrators to enable Microsoft EMET (Enhanced Mitigation Experience Toolkit) where possible and consider using an alternative web browser until an official update is available”. Note: EMET only “makes the vulnerability harder to exploit”; the best course of action is to change browsers.

This affects Internet Explorer versions 6 through 11. Eventually they will patch this – but not for Windows XP, as it is no longer supported. Just another reason to get off of Windows XP if you haven’t already done so.

If you have any questions about what to do or how to do it or need help with any of this please don’t hesitate to call us today.