Symantec investigating the OpenSSL vulnerability, dubbed Heartbleed

Symantec is aware of and currently investigating the OpenSSL vulnerability, dubbed Heartbleed, which allows attackers to read the memory of systems running vulnerable versions of the OpenSSL software. This may disclose the server's secret keys, allowing attackers to decrypt and eavesdrop on SSL-encrypted communications and to impersonate service providers. Other data in memory may also be disclosed, including user names and passwords or any other data the service holds in memory.

Here is what Symantec recommends:

Advice for businesses:
• Anyone using OpenSSL 1.0.1 through 1.0.1f should update to the latest fixed version of the software (1.0.1g), or recompile OpenSSL without the heartbeat extension.
• After moving to a fixed version of OpenSSL, if you believe your web server certificates may have been compromised or stolen as a result of exploitation, contact the certificate authority for a replacement.
• Finally, and as a best practice, businesses should also consider resetting end-user passwords that may have been visible in a compromised server's memory.
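A version triage check for the first business recommendation above, added here as an example and not part of the Symantec post; it parses `openssl version` output and assumes only the 1.0.1 through 1.0.1f range the advisory names:

```shell
#!/bin/sh
# Added example, not Symantec's code: triage a host's OpenSSL version against
# the Heartbleed-affected range the advisory names (1.0.1 through 1.0.1f).
# Only the version string is inspected; some distributions ship backported
# fixes without changing it, so "AFFECTED" here means "needs confirmation".

# Pull the version token out of `openssl version` output,
# e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e"
extract_openssl_version() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# Exit 0 if the version is 1.0.1 or 1.0.1a..1.0.1f (optionally carrying a
# vendor suffix such as -fips), exit 1 otherwise.
heartbleed_affected() {
    case "$1" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a one-line verdict for a full `openssl version` output line.
heartbleed_verdict() {
    ver=$(extract_openssl_version "$1")
    if heartbleed_affected "$ver"; then
        printf 'AFFECTED: %s is within 1.0.1 to 1.0.1f; update to 1.0.1g or rebuild without the heartbeat extension, then replace certificates if compromise is suspected\n' "$ver"
    else
        printf 'not affected by version: %s\n' "$ver"
    fi
}

# Check the local binary when one is installed; otherwise walk the
# constructed sample lines below so the script still demonstrates the logic.
if command -v openssl >/dev/null 2>&1; then
    heartbleed_verdict "$(openssl version)"
else
    for line in "OpenSSL 1.0.1e 11 Feb 2013" "OpenSSL 1.0.1g 7 Apr 2014"; do
        heartbleed_verdict "$line"
    done
fi
```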

Advice for consumers:
• You should be aware that your data could have been seen by a third party if you used a vulnerable service provider.
• Monitor any notices from the vendors you use. Once a vulnerable vendor has communicated to customers that they should change their passwords, users should do so.
• Avoid potential phishing emails from attackers asking you to update your password -- to avoid going to an impersonated website, stick with the official site domain.
• Stick to reputable websites and services. They are most likely to have immediately addressed the vulnerability.
• Monitor your bank and credit card statements to check for any unusual transactions.

For more information, visit: http://www.symantec.com/connect/blogs/heartbleed-bug-poses-serious-threat-unpatched-servers
