Heartbleed Thoughts – and a Phishing Warning

There is a lot of noise on the interwebs about the Heartbleed vulnerability. Here are my thoughts on the whole thing, in no particular order:

  •  This vulnerability has been around for two years, I believe. And a successful attack leaves nothing in ordinary server logs, so there is no logging that would tell you whether you or a web site got attacked.
  •  The Internet Storm Center (isc.sans.org) guys did raise their alert level to yellow, and strongly encouraged all site administrators to check and fix. But that applies to site administrators, not to “Aunt Minnie”.
  •  Media reports that tell you you must change all your passwords immediately are overblown. Although it is a good idea to reset passwords occasionally, it might be better to wait on that for a few days, until the site has had a chance to patch; a new password sent to a still-vulnerable site can be stolen just like the old one. Of course, when you reset your password, don’t use the same one as on other sites.
  •  ‘Watchful Waiting’ is probably the best action for individual users to take now. People should watch their financial accounts, perhaps change their passwords in a few days (which will let sites remediate as needed). And make sure that you don’t reuse credentials (user/pass) between sites.
  •  It is probably good for site owners to make sure their sites are not vulnerable, and patch accordingly.
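For site administrators doing that check, here is an added example (not code from the original post) that classifies the output of `openssl version` against the publicly documented affected range: OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 are vulnerable, 1.0.1g and 1.0.2-beta2 onward are fixed, and the 0.9.8 and 1.0.0 branches never had the heartbeat bug. The sample version strings below are constructed for the demonstration. One caveat a practitioner needs: several distributions shipped patched packages that still report 1.0.1e, so a version string alone can give a false positive; confirm with the package changelog before concluding a host is vulnerable.

```python
"""Classify an OpenSSL version string for Heartbleed exposure.

Added example, not part of the original post. The version ranges are the
publicly documented ones: 1.0.1 through 1.0.1f and 1.0.2-beta1 are
affected; 1.0.1g and 1.0.2-beta2 (and the 1.0.2 release) are fixed;
every other branch (0.9.8.x, 1.0.0.x) never contained the bug.
"""
import re
import subprocess

# Matches e.g. "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1e-fips ...",
# "OpenSSL 1.0.2-beta1 24 Feb 2014". The patch letter and "-betaN" suffix
# are both optional.
VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?", re.I
)


def heartbleed_status(version_output):
    """Return 'vulnerable', 'fixed', 'unaffected' or 'unknown'.

    Caveat: this judges the version *string* only. Debian, Ubuntu and
    RHEL backported the fix into packages that still print 1.0.1e, and a
    build compiled with -DOPENSSL_NO_HEARTBEATS is safe regardless of
    version. Treat 'vulnerable' as 'needs confirmation', not proof.
    """
    m = VERSION_RE.search(version_output)
    if not m:
        return "unknown"
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4).lower()
    beta = (m.group(5) or "").lower()

    if branch == (1, 0, 1):
        # 1.0.1 (no letter) .. 1.0.1f are affected; 1.0.1g introduced the fix.
        return "vulnerable" if letter <= "f" else "fixed"
    if branch == (1, 0, 2):
        # Only the first beta of the 1.0.2 branch shipped the bug.
        return "vulnerable" if beta == "beta1" else "fixed"
    return "unaffected"


def local_openssl_status():
    """Run the local `openssl version` binary and classify its output."""
    try:
        out = subprocess.run(
            ["openssl", "version"], capture_output=True, text=True, check=False
        ).stdout
    except FileNotFoundError:
        return "unknown"
    return heartbleed_status(out)


if __name__ == "__main__":
    # Constructed sample strings, in the format `openssl version` prints.
    for sample in [
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1e-fips 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "OpenSSL 0.9.8y 5 Feb 2013",
    ]:
        print(f"{sample!r:40} -> {heartbleed_status(sample)}")
    print("this machine ->", local_openssl_status())
```

To resolve the backport caveat, check the package rather than the binary: on Debian/Ubuntu `dpkg -s openssl` shows the package version and `apt-get changelog openssl` lists the fix, and on RHEL/CentOS `rpm -q --changelog openssl | grep -i heartbeat` does the same. Restarting every service that links libssl (web server, mail server, VPN) after the package update is also necessary; a patched library on disk does nothing for a process still running the old one.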

But there is some excitability going on, and perhaps the risk to the user is not as great as the media would make it seem.

Here’s what I think:  *If* a site was vulnerable, and *if* you logged into that system, and *if* an evildoer did the attack after you logged in, then you *might* have your credentials stolen. And *if* you changed your password on a vulnerable site during an attack, your credentials *might* be compromised. But that is a lot of *ifs* to worry about.

Although the “Heartbleed” thing is a risk, my view is that “Watchful Waiting” is a good idea, but “Don’t Panic”.

Now, you may start seeing some “Heartbleed Phishing” emails, with some dire warnings and helpful links for you to click on to ‘help’ you reset your password. In general, it is not a good idea to click on a link in an email, even if it looks legitimate: the text you see and the address the link actually goes to need not be the same. If you want to reset your password on a site, go there by manually typing the site’s address into your browser, logging in, and then changing your password. Don’t click on those helpful links in any email.
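The mismatch between what a link says and where it goes is something you can check mechanically. As an added example (not code from the original post), here is a small Python scanner that pulls the links out of an HTML e-mail body and flags the two classic tells: visible text that names one site while the href points at another, and hrefs whose host is a bare IP address. The e-mail body it scans is constructed for the demonstration, and the `registrable()` helper is a deliberately crude stand-in for a public-suffix lookup.

```python
"""Flag suspicious links in an HTML e-mail body (added example).

Two heuristics, both cheap and both effective against the kind of
"reset your password now" mail the post warns about:
  1. the visible link text names host A but the href goes to host B;
  2. the href host is a bare IP address rather than a name.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A hostname-looking token inside link text, e.g. "www.mybank.com/reset"
# or "https://www.mybank.com". Group 1 is the host part.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []      # list of [href, text], text accumulated below
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
            self.links.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def registrable(host):
    """Crude 'example.com' from 'login.example.com'.

    Assumption: a real tool would use the public-suffix list so that
    'bank.co.uk' is not collapsed to 'co.uk'; the last two labels are
    good enough to demonstrate the comparison.
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html):
    """Return [(href, visible_text, [reasons]), ...] for links worth distrusting."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        reasons = []
        if IP_RE.match(host):
            reasons.append("href host is a bare IP address")
        named = HOST_RE.search(text)
        if named and registrable(named.group(1)) != registrable(host):
            reasons.append(
                f"visible text names {named.group(1)} but href goes to {host or '(none)'}"
            )
        if reasons:
            findings.append((href, text.strip(), reasons))
    return findings


# Constructed sample message, modelled on a "Heartbleed" password-reset lure.
SAMPLE_EMAIL = """<html><body>
<p>URGENT: Because of the Heartbleed bug you must reset your password today.</p>
<p><a href="http://mybank.com.evil.example/reset">https://www.mybank.com/reset</a></p>
<p><a href="http://203.0.113.7/login">Secure Login</a></p>
<p>Help: <a href="https://www.mybank.com/help">www.mybank.com/help</a></p>
</body></html>"""


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for r in reasons:
            print("   ", r)
```

On the sample above the first link is flagged because the text says mybank.com while the href lands on evil.example (the `mybank.com.` prefix is just a subdomain the attacker controls), the second because the host is a raw IP, and the third passes because text and href agree. None of this replaces the post's advice: even a link that passes both checks can still be wrong, so type the address yourself.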

In the meantime, keep practicing Safe Computing (see here for some hints). Don’t Panic; just be careful out there.
