Thanks to the Heartbleed exploit announced earlier this week we basically need to change all our passwords for everything. Here's some detail from Bruce Schneier:

Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it.

"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.

Half a million sites are vulnerable, including my own. Test your vulnerability here.

The bug has been patched. After you patch your systems, you have to get a new public/private key pair, update your SSL certificate, and then change every password that could potentially be affected.

At this point, the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies. The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything. My guess is accident, but I have no proof.

I strongly recommend creating a new unique password for each of your accounts. Yes, this is a headache, but LastPass will make it a lot easier.

0 TrackBacks

Listed below are links to blogs that reference this entry: Heartbleed: Change All Your Passwords to Everything.

TrackBack URL for this entry: http://www.mwilliams.info/mt5/tb-confess.cgi/8474

Comments

Supporters

Email blogmasterofnoneATgmailDOTcom for text link and key word rates.

Site Info

Support