In today’s segment, we talk about the long-term effects of the Heartbleed incident and look at the two most frequently attacked classes of application: web applications and point-of-sale systems.
As many of you are already aware, a serious flaw (the Heartbleed bug, in the TLS heartbeat extension) has been found in OpenSSL, the foundational open source library that much of the internet relies on for SSL/TLS encryption. There are plenty of places to get more information, but if you haven’t at least read http://heartbleed.com/ you can start there.
We all have accounts at a lot of different places, some more critical than others (Salesforce, Expensify, home banking, etc.). I would highly recommend that you take the time today to take stock of the passwords you use and where you use them. If you have a Yahoo password that is shared among many accounts, it is safest to assume it has been compromised.
I for one have been systematically changing my passwords and recommending that friends and family do the same. The unfortunate thing about this bug is that it has been around for years, and there is already evidence that it was being exploited in the underground before the public disclosure. With this in mind, I would highly recommend you change your passwords today (and for the truly paranoid it is always a good idea to rotate passwords; I rotate mine for critical sites every 90 days).
There are plenty of password locker applications available for those of you who don’t have a scheme for remembering passwords (and I am sure nobody uses the same password at multiple sites). If you use a Mac, Keychain works great, but I also use pwSafe on my iPhone and iPad.
– Ryan Berg
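The OpenSSL flaw referred to above is a missing bounds check: a TLS heartbeat request carries a payload_length field, and an unpatched OpenSSL copied that many bytes from its own memory into the response without confirming the request actually contained them. RFC 6520 requires the claimed payload plus the 3-byte heartbeat header plus at least 16 bytes of padding to fit inside the TLS record, so a malformed request is visible on the wire before any exploitation happens. The Python below is an added example, not code from the original post nor from the testing tool mentioned later on this page; it walks a byte string as TLS records and flags heartbeat messages that break that invariant. The sample records are constructed inline, not captured traffic, and the 0xFFFF payload length is simply an illustrative oversized value.

```python
"""Passive detector for malformed TLS heartbeat records (the Heartbleed pattern).

Added example, not code from the original post or from any tool named on the page.
It enforces the RFC 6520 length rule that an unpatched OpenSSL skipped.
"""
import struct
from dataclasses import dataclass
from typing import Iterator, List, Tuple

TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat (RFC 6520 section 6)
HB_REQUEST, HB_RESPONSE = 1, 2
HB_HEADER = 3                 # message type (1 byte) + payload_length (2 bytes)
MIN_PADDING = 16              # RFC 6520 section 4: padding_length MUST be at least 16


@dataclass
class Finding:
    offset: int           # byte offset of the offending record within the stream
    msg_type: int         # heartbeat message type as sent (-1 if truncated)
    claimed_payload: int  # payload_length field as sent (-1 if truncated)
    fragment_len: int     # bytes actually carried in the record
    reason: str


def iter_tls_records(data: bytes) -> Iterator[Tuple[int, int, int, bytes]]:
    """Walk a byte string as consecutive TLS records: (offset, type, version, fragment)."""
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        fragment = data[off + 5:off + 5 + length]  # may be short if the capture is cut
        yield off, ctype, version, fragment
        off += 5 + length


def check_heartbeats(data: bytes) -> List[Finding]:
    """Return one Finding per heartbeat record that violates the RFC 6520 length rules."""
    findings: List[Finding] = []
    for off, ctype, _version, frag in iter_tls_records(data):
        if ctype != TLS_HEARTBEAT:
            continue  # handshake, alert, application data: not our concern here
        if len(frag) < HB_HEADER:
            findings.append(Finding(off, -1, -1, len(frag), "truncated heartbeat header"))
            continue
        msg_type = frag[0]
        claimed = struct.unpack("!H", frag[1:3])[0]
        if msg_type not in (HB_REQUEST, HB_RESPONSE):
            findings.append(Finding(off, msg_type, claimed, len(frag), "unknown heartbeat type"))
            continue
        # The check the vulnerable code lacked: the claimed payload, its header and the
        # minimum padding must all be present in the record that carries the message.
        if claimed + HB_HEADER + MIN_PADDING > len(frag):
            findings.append(Finding(off, msg_type, claimed, len(frag),
                                    "payload_length exceeds record length (Heartbleed pattern)"))
    return findings


def tls_record(ctype: int, fragment: bytes, version: int = 0x0302) -> bytes:
    """Wrap a fragment in a TLS record header; used only to build the samples below."""
    return struct.pack("!BHH", ctype, version, len(fragment)) + fragment


# Constructed sample records (not captured traffic).
# Benign request: payload_length 4, 4-byte payload, 16 bytes of padding.
BENIGN_HEARTBEAT = tls_record(
    TLS_HEARTBEAT, bytes([HB_REQUEST]) + struct.pack("!H", 4) + b"ping" + b"\x00" * 16)
# Malformed request: claims 0xFFFF payload bytes but the record carries only the header.
MALFORMED_HEARTBEAT = tls_record(TLS_HEARTBEAT, bytes([HB_REQUEST]) + struct.pack("!H", 0xFFFF))
# Unrelated application-data record that the detector must skip over.
APP_DATA = tls_record(0x17, b"\xde\xad\xbe\xef")

SAMPLE_STREAM = BENIGN_HEARTBEAT + APP_DATA + MALFORMED_HEARTBEAT

if __name__ == "__main__":
    for f in check_heartbeats(SAMPLE_STREAM):
        print(f"offset {f.offset}: type={f.msg_type} claimed={f.claimed_payload} "
              f"carried={f.fragment_len} -> {f.reason}")
```

Run on the sample stream it reports exactly one record, the malformed request at offset 37, and nothing for the benign heartbeat or the application-data record. Two caveats for anyone reusing the idea: it only inspects plaintext heartbeats (once the record layer is encrypted the payload_length field is not readable, which is why the public test tools send their probe before the key exchange completes), and it tells you that someone sent a malformed request, not whether the server answered with leaked memory; for that, look at the size of any heartbeat response record coming back. On the password advice above, remember that changing a password on a server that is still unpatched just hands the new one to the next probe, so confirm the site has updated OpenSSL and reissued its certificate first.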
The Heartbleed bug is running rampant on many major sites such as Chase and Yahoo, while people are scrambling madly to find solutions. At the SOURCE Boston conference this morning, I caught up with Melissa Elliott from Veracode as she was examining the impact of Heartbleed on Yahoo, using software from Jared Stafford of JSPenguin.org. I asked her to describe what she was seeing. Have a listen…
About Melissa Elliott
I am 0xabad1dea (the zero-x is silent), a professional application security researcher also known as Melissa Elliott. If my name breaks your website we have a personal problem. My long-term goal is to convince programmers that the security of everything from the global economy all the way up to online Pokémon battles is in their hands and they need to take that responsibility seriously. My primary means of interacting with the community is through my extremely active Twitter account.
For three days this week I am at the SOURCE Conference in Boston covering the sessions, meeting with the vendors and most importantly talking with people in the hallways about what they are working on.
I just had an interesting discussion with Melissa Elliott, who is tracking how much data is leaking out of Yahoo on the open WiFi here at the conference. She’s agreed to an audio interview later today, so you’ll want to listen in on that one.
Keynotes at the conference include:
Of special interest to me is the “Wait wait, don’t pwn me!” session moderated by boB Rudis (and yes, before you ask, that’s boB, with a lowercase ‘b’). I’m sure there’s much more to come.
UPDATE: I just spoke with Melissa Elliott, @0xabad1dea, from Veracode, about the Heartbleed attack on Yahoo. The audio interview will be up within the hour.