
How to protect from Heartbleed


Heartbleed Over-Hype. Today, I want to talk about some of the media hype related to the Heartbleed vulnerability.

Heartbleed Over-Hype

It’s important to state first that this is a critical vulnerability, one that both enterprises and consumers need to be aware of and for which patches MUST be applied. That said, the vulnerability has been overblown in several media channels, and it’s worth stating the counterpoint to the hype that is out there. Last week, everybody was jumping all over Heartbleed, and I don’t expect the attention to go away anytime soon. The problem, though, was the response from mainstream media. News outlets, late-night talk show hosts, and morning shows were all discussing Heartbleed and relying on their “new media experts” to provide real details. These are the people who find interesting Twitter posts and maintain the television shows’ Facebook pages. The facts are pretty straightforward: The third bullet point is, by far, the most important one.

CNIL publishes its recommendations on Heartbleed. Although we recently had the chance to question the CNIL about the Heartbleed flaw, it had not yet reacted officially on the subject.

CNIL publishes its recommendations on Heartbleed

That is now the case, and the Commission states that it may carry out inspections of those who have not brought themselves into compliance. “On Monday 7 April a security flaw was discovered in certain versions of the OpenSSL software, on which a large part of Web security relies. Article 34 of the loi Informatique et Libertés imposes an obligation to secure personal data. The CNIL reviews the consequences of this flaw and the actions to be taken.” With these few lines the Commission introduced its guide to the rules to follow after the Heartbleed flaw that has been shaking the internet for several days. Beyond the usual recap of the facts and risks, the CNIL gives a whole set of recommendations, both to site publishers and to users.

David Legrand.

Change password on affected sites

The Bleeding Hearts Club: Heartbleed Recovery for System Administrators. The Heartbleed SSL vulnerability presents significant concerns for users and major challenges for site operators.

The Bleeding Hearts Club: Heartbleed Recovery for System Administrators

This article presents a series of steps server and site owners should carry out as soon as possible to help protect the public. We acknowledge that some steps might not be feasible, important, or even relevant for every site, so the steps are given in order both of their importance and of the order in which they should be carried out.

1. Update Your Servers

If you haven't yet, update any and all of your systems that use OpenSSL for TLS encrypted communications. The vulnerable OpenSSL version numbers are 1.0.1 through 1.0.1f and 1.0.2-beta1.
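A quick way to triage a fleet against the version range just listed is to collect the first line of `openssl version` from each host and classify it. The following Python is an added example written for this page, not code from the article or the OpenSSL project; the host names and banners are constructed sample data. One caveat a practitioner should keep in mind: some distributions backported the fix without changing the upstream version number, so a host flagged here as "PATCH" by version number alone still needs its package changelog checked before anyone panics, while a host reporting 1.0.1g or later is outside the affected range by the article's own criterion.

```python
import re
from typing import Dict, Optional, Tuple

# Affected upstream releases, as stated in the article: 1.0.1 through 1.0.1f
# (inclusive) plus 1.0.2-beta1. 1.0.1g and 1.0.2-beta2 carry the fix.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int, str, Optional[int]]]:
    """Parse the first line of `openssl version` output.

    Returns (major, minor, patch, letter, beta) or None when the banner does
    not look like an OpenSSL version line (e.g. the command was not found).
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return int(major), int(minor), int(patch), letter, (int(beta) if beta else None)


def is_heartbleed_vulnerable_version(banner: str) -> Optional[bool]:
    """True if the upstream version number is in the affected range,
    False if it is outside it, None if the banner could not be parsed.

    This judges the upstream number only; vendor backports that keep the
    same number but include the fix are NOT detected here (see lead-in).
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    major, minor, patch, letter, beta = parsed
    if (major, minor) != (1, 0):
        return False  # 0.9.8 and 1.1.x are outside the affected range
    if patch == 1:
        # 1.0.1 with no letter, and 1.0.1a..1.0.1f, are affected; 1.0.1g+ is fixed.
        return letter == "" or letter <= "f"
    if patch == 2:
        return beta == 1  # only 1.0.2-beta1 is affected; beta2 has the fix
    return False  # 1.0.0x predates the heartbeat code


def triage(banners: Dict[str, str]) -> Dict[str, str]:
    """Map each host to PATCH (affected version), OK, or UNKNOWN (unparseable)."""
    result = {}
    for host, banner in banners.items():
        verdict = is_heartbleed_vulnerable_version(banner)
        if verdict is None:
            result[host] = "UNKNOWN"
        elif verdict:
            result[host] = "PATCH"
        else:
            result[host] = "OK"
    return result


# Constructed sample output of `openssl version` from hypothetical hosts.
SAMPLE_BANNERS = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "lb-01": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "legacy": "OpenSSL 0.9.8y 5 Feb 2013",
    "broken": "bash: openssl: command not found",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_BANNERS).items():
        print(f"{host:8} {status}")
```

Hosts marked PATCH are the ones to update and restart services on first; UNKNOWN hosts returned something other than a version banner and need a manual look.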

If your operating system has not yet released an updated package, download the openssl-1.0.1g.tar.gz source directly and follow the instructions in the INSTALL text file to compile the new version locally. After installing a fixed version of OpenSSL, be sure to restart all services that depend on it.

Mashable. An encryption flaw called the Heartbleed bug that has exposed a collection of popular websites — from Airbnb and Yahoo to NASA and OKCupid — could be one of the biggest security threats the Internet has ever seen.


If you have logged into any of the affected sites over the past two years, your account information could be compromised, allowing cybercriminals to snap up your credit card information or steal your passwords. You're likely affected either directly or indirectly by the bug, which was found by a member of Google's security team and a software firm named Codenomicon.

The bad news: There's not a lot you can do about it now. It's the responsibility of Internet companies to update their servers to deal with Heartbleed, and once they do, you can take action (see below). The issue involves network software called OpenSSL, an open-source set of libraries for encrypting online services. First, check which of the sites you use are affected.