Heartbleed’s Scope Grows Larger

Many IT people, ourselves included, were greeted this morning with notices from various vendors whose products use the affected OpenSSL libraries. Fortunately, most of these notifications stated that patches are available for the vulnerability and laid out in detail the recommendations to rebuild certificate pools. We have been using Watchguard firewall appliances for many years and were pleased with the speedy response of their development teams, despite the sudden surprise workload this generated as we patched up our clients with newer equipment (only firmware 11.8 was affected). Most vendors have been fantastic in responding to what is quite possibly the most widespread vulnerability the internet has ever seen. Other vendors that have publicly announced that they have affected products are:

Cisco Systems – No listing of products has been published yet, but they are conducting an investigation into which products will receive free software updates.

FortiGuard – Some OS updates have already been released with some workarounds publicly available as well.

Juniper Networks – Juniper has posted a list categorizing its devices as vulnerable, safe, or yet to be determined. They are working on updated releases and have given some workaround solutions.

Synology – Companies with DiskStation or RackStation NAS devices can expect an update at some point today.

Some common open source solutions have been affected as well, with some DD-WRT and OpenWRT firmwares requiring updates. For end users, at this point there have been some recommendations for password resets on affected sites that have patched their servers and rebuilt their certificates. There is a regularly updated list available here at Mashable.
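The remediation order described above (patch the library, reissue certificates whose keys lived on an exposed host, then reset user passwords) is easy to get wrong across a fleet of mixed equipment, so here is a small triage script as an added example. It is not code from this post or from any vendor named here. It assumes, as the post does not state versions, that Heartbleed affects OpenSSL 1.0.1 through 1.0.1f and that 1.0.1g (released 7 April 2014) is the first fixed release on that branch; the host inventory is constructed for the example.

```python
import re
from datetime import date

# Assumption (not stated in the post): the 1.0.1 branch is affected up to and
# including 1.0.1f; 1.0.1g, released 2014-04-07, is the first fixed release.
# Earlier branches (0.9.8, 1.0.0) never shipped the heartbeat extension.
FIRST_FIXED_LETTER = "g"
PATCH_DATE = date(2014, 4, 7)

# Matches banners such as "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.1e-fips".
VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")

# Constructed inventory for the example. "previously_vulnerable" records whether
# the host ever ran an affected release, because a private key that sat on such a
# host may have been read out even if the host has since been patched.
INVENTORY = [
    {"name": "web-1", "openssl": "OpenSSL 1.0.1e 11 Feb 2013",
     "cert_not_before": date(2013, 9, 1), "previously_vulnerable": False},
    {"name": "web-2", "openssl": "OpenSSL 1.0.1g 7 Apr 2014",
     "cert_not_before": date(2013, 9, 1), "previously_vulnerable": True},
    {"name": "web-3", "openssl": "OpenSSL 1.0.1g 7 Apr 2014",
     "cert_not_before": date(2014, 4, 9), "previously_vulnerable": True},
    {"name": "legacy", "openssl": "OpenSSL 0.9.8y 5 Feb 2013",
     "cert_not_before": date(2012, 1, 1), "previously_vulnerable": False},
    {"name": "appliance", "openssl": "firmware 11.8 (no OpenSSL banner exposed)",
     "cert_not_before": date(2013, 1, 1), "previously_vulnerable": False},
]


def parse_version(banner):
    """Return (major, minor, fix, letter) from an `openssl version` banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def is_vulnerable_version(banner):
    """True for 1.0.1 through 1.0.1f, False for fixed or unaffected branches,
    None when the banner cannot be parsed and needs a manual check."""
    v = parse_version(banner)
    if v is None:
        return None
    major, minor, fix, letter = v
    if (major, minor, fix) != (1, 0, 1):
        return False
    # The bare "1.0.1" release has an empty letter and sorts before "g".
    return letter < FIRST_FIXED_LETTER


def triage(host):
    """Map one inventory entry to the remediation actions the post describes."""
    actions = []
    vuln = is_vulnerable_version(host["openssl"])
    if vuln is None:
        actions.append("verify-version-manually")
    elif vuln:
        actions.append("patch")
    exposed = bool(vuln) or host["previously_vulnerable"]
    # A certificate issued before the patch date on an exposed host needs a new
    # key pair; once it is replaced, users of that site should change passwords.
    if exposed and host["cert_not_before"] < PATCH_DATE:
        actions.append("reissue-certificate")
        actions.append("reset-user-passwords")
    return actions


def report(inventory=INVENTORY):
    """Return {host name: [actions]} for the whole inventory."""
    return {host["name"]: triage(host) for host in inventory}


if __name__ == "__main__":
    for name, actions in report().items():
        print(f"{name}: {', '.join(actions) or 'no action'}")
```

One caveat a practitioner will hit immediately: distribution packages often backport the fix without changing the version string, so a banner reading 1.0.1e can be fully patched. Treat the version check as a first pass and confirm against the vendor's advisory or the package changelog before closing a ticket.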

A Brief Guide to Heartbleed

What is Heartbleed?

You may have heard recently in the news that a new security vulnerability was discovered that could potentially lead to private data being collected from websites. The affected technology is called “OpenSSL” and is used to verify the identity of websites and to allow secure transactions.

Will my antivirus software protect me?

As the vulnerability is on the host server side, it does not locally affect your computer, so your antivirus, antimalware and other security programs are not involved.

Social Engineering: Today’s Snake Oil Salesmen

Photo Credit: Rebecca Finch (Creative Commons)

The practice of social engineering is as old as social interaction. In pre-history that could mean convincing Thag with a series of grunts that his hunk of meat isn’t as good as your rotten one and getting him to trade. In the middle ages, it could mean convincing people, through the wonders of your magic tonic (mostly water, sugar and a little alcohol to make it seem medicinal), that you could protect them from the plague. In the 50s, it could even be your doctor convincing you that his brand of cigarettes is the best and isn’t bad for your health as he shifts uncomfortably in his seat from the giant wad of tobacco company money in his pocket. The theme here, though, is ‘convincing’. If there has ever been an opportunity for someone of dubious moral character to exploit the general population by convincing them to part with their valued money or possessions, you can bet your bottom dollar that opportunity has been seized.