Monday, 14 April 2014

Heartbleed and a warning from history

The OpenSSL Heartbleed vulnerability (CVE-2014-0160) has caused a lot of confusion, with the press and companies racing to release information and advice. Due to the nature of my job I have been asked by family, friends and acquaintances what to do.

What you should NOT do is use the tools that are on the web to test service providers for the vulnerability. Doing so WITHOUT PERMISSION is illegal in the UK and in other countries around the world: sending a malformed heartbeat to someone else's server to see whether it leaks memory is unauthorised access, however good your intentions.

Lesson from history

On 6 October 2005 Daniel James Cuthbert was convicted under Section 1 of the Computer Misuse Act 1990 for gaining unauthorised access to a tsunami appeal website on New Year's Eve 2004. Cuthbert told the Magistrates' Court that he had made a donation on the site, but when he received no final thank-you or confirmation page he became concerned that it may have been a phishing site, so he carried out two tests to check its security. This set off an intrusion detection system in a BT server room and the telco contacted the police. That led to him being arrested and prosecuted, losing his job, and having difficulty finding work afterwards because of his criminal record.

Testing for Heartbleed without permission could put you in the same position.

What you should do

The sensible approach for an individual is to follow the advice of your service provider, whether that is your online bank or your ISP. They will say whether they were affected (not all were) and, if they were, when their services were patched and whether you need to change your password. Change a password only after the provider confirms the fix is in place: a password changed on a still-vulnerable server can be leaked the same way as the old one. If you use a different password on each service, change only those you have been asked to change.

Be aware of phishing emails

Only act on communication from your service provider, and double-check any advice by going to their web page by typing the URL yourself rather than following links in the email.

For companies the advice is to check whether you run an affected version of OpenSSL (1.0.1 through 1.0.1f; 1.0.1g fixes it) and patch, then restart every service that links against the library so the old code is no longer in memory. There are plenty of legitimate scanning tools and testing companies that can test for the vulnerability and confirm remediation on systems you own or are authorised to test. Afterwards you should assume private keys and session data may have leaked: reissue your SSL certificates with new private keys, revoke the old ones, and ask clients to change their passwords.
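As an added illustration of the first step, checking your own installed version, here is a POSIX shell function (example code written for this page, not the original author's) that classifies the output of `openssl version` against the affected range published in the OpenSSL advisory. The function name and the sample version strings are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): classify an "openssl version"
# string against the Heartbleed (CVE-2014-0160) affected range.
# Affected: OpenSSL 1.0.1 through 1.0.1f, plus 1.0.2-beta1.
# Not affected: 1.0.1g and later, the 1.0.0 and 0.9.8 branches, 1.0.2-beta2+.
# Prints affected / not-affected / unknown and returns 0 / 1 / 2 respectively.
heartbleed_affected_version() {
    ver=${1#OpenSSL }      # drop the leading "OpenSSL " product name
    ver=${ver%% *}         # keep only the version token, drop the build date
    case $ver in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1)
            echo affected; return 0 ;;
        1.0.1[g-z]*|1.0.2*|1.1.*|1.0.0*|0.9.*)
            echo not-affected; return 1 ;;
        *)
            echo unknown; return 2 ;;
    esac
}

# Run the check against the locally installed binary when executed directly.
# The "if" keeps the non-zero "not affected" status from aborting under set -e.
if heartbleed_affected_version "$(openssl version 2>/dev/null)"; then
    echo "=> upgrade OpenSSL to 1.0.1g or later, then restart every service that links libssl"
fi
```

The version string is only a first signal. Debian, Ubuntu and Red Hat backport security fixes without changing the upstream version letter, so a patched Ubuntu 12.04 still reports 1.0.1; confirm with the package changelog instead (`apt-get changelog openssl | grep -i CVE-2014-0160` or `rpm -q --changelog openssl | grep -i CVE-2014-0160`). After patching, restart or reboot so that long-running daemons drop the old library; `lsof -n | grep DEL | grep libssl` lists processes still mapping a deleted copy.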


