Here is a roundup of the easiest to understand information about the heartbleed vulnerability, read these and you should have a pretty fair idea of the lay of the land.
I have told many of you before but best practice recommendation is NOT TO DUPLICATE PASSWORDS each service should have a unique, strong password that won't fall over domino fashion if there is a breach like this one, and the Adobe one a year or so ago and the Sony PlayStation one before that. How do you manage all these passwords?, well see below the info on lastpass.com. Its free on the PC and minimal cost if you want the multiplatform apps. This is important, consider yourself warned.
From: http://www.pcauthority.com.au/News/382247,heartbleed-memory-bug-leaks-encrypted-data.aspx
Researchers have warned of a serious security bug in OpenSSL that allows encrypted data to be stolen. OpenSSL is an open-source library of SSL/TLS encryption - the transport layer security protocols by which email, IM, and some VPNs are kept secure online.
A bug dubbed "Heartbleed" lets anyone read the memory of systems using vulnerable versions of OpenSSL software, researchers from Codenomicon have revealed. "This compromises the secret keys used to identify service providers and to encrypt the traffic, the names and passwords of the users and the actual content," the researchers wrote on a website dedicated to the security bug. "This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."...
Information on Office 365 and Heartbleed: Microsoft Account, Microsoft Azure, Office 365, Yammer, Skype, along with most Microsoft Services, are not impacted by the OpenSSL "Heartbleed" vulnerability. [The] Windows' implementation of SSL/TLS is also not impacted. A few Services continue to be reviewed and updated with further protections.
From: http://www.theage.com.au/it-pro/security-it/heartbleed-security-bug-what-can-you-do-20140411-zqtff.html
...that chunk of data might include usernames and passwords, reusable browser cookies, or even the site administrator's credentials. While the exploit only allows for small chunks of data to be dumped each time it is run, there is nothing to prevent attackers from replaying the attack over and over, all the while recording fresh data flowing through vulnerable servers. Indeed, I have seen firsthand data showing that some attackers have done just that; for example, compiling huge lists of credentials stolen from users logging in at various sites that remained vulnerable to this bug.
For this reason, I believe it is a good idea for internet users to consider changing passwords at least at sites they visited since this bug became public (Monday morning). But it's important that readers first make an effort to determine that the site in question is not vulnerable to this bug before changing their passwords.
From: http://www.pcauthority.com.au/News/382523,heartbleed-dont-change-all-your-passwords.aspx
Security experts warn that changing all your internet passwords now could do more harm than good
Security experts are warning users to ignore advice to change all of their internet passwords in the wake of the Heartbleed compromise.
From: http://www.zdnet.com/worried-about-heartbleed-lastpass-security-check-has-you-covered-7000028367/
LastPass has updated its built-in Security Check so that you can now easily see which sites require you to update your passwords to be safe from possible Heartbleed attacks [and which to wait until they have sorted out their own SSL security first]....
Example screenshot:
Lastpass: https://lastpass.com/
digitalwelcomemat now has a blog!
Subscribe for the news as it happens, call me for support on 0404 493 770 or access my remote support solution here: http://help.digitalwelcomemat.com/
Digitalwelcomemat provides IT consultancy and services for business customers on the NSW Central Coast in Australia.
Give me a call: 0404 493770