The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
All LerriHost infrastructure was patched as soon as the vulnerability was announced. We have also reissued our own SSL certificates to secure our customers' data.
We strongly advise you to change your passwords for your billing account, hosting account and webmail.
The University of Surrey's Prof Alan Woodward is among security experts to have suggested internet users should now update their login details.
He suggests the following rules should be observed when picking a new password.
- Don't choose one obviously associated with you: Hackers can find out a lot about you from social media, so if they are targeting you specifically and you choose, say, your pet's name, you're in trouble.
- Choose words that don't appear in a dictionary: Hackers can precalculate the encrypted forms of whole dictionaries and easily reverse engineer your password.
- Use a mixture of unusual characters: You can use a word or phrase that you can easily remember but where characters are substituted, e.g. Myd0gha2B1g3ars!
- Have different passwords for different sites and systems: If hackers compromise one system you do not want them having the key to unlock all your other accounts.
- Keep them safely: With multiple passwords it is tempting to write them down and carry them around with you. Better to use some form of secure password vault on your phone.
- NCSC-FI case #788210
- OpenSSL Security Advisory (published 7th of April 2014, ~17:30 UTC)
- CloudFlare: Staying ahead of OpenSSL vulnerabilities (published 7th of April 2014, ~18:00 UTC)
- heartbleed.com (published 7th of April 2014, ~19:00 UTC)
- Ubuntu / Security Notice USN-2165-1
- FreshPorts / openssl 1.0.1_10
- Tor Project / OpenSSL bug CVE-2014-0160
- Red Hat / RHSA-2014:0376-1
- CentOS / CESA-2014:0376
- Fedora / Status on CVE-2014-0160
- CERT/CC (USA)
- NCSC-FI (Finland)
- CERT.at (Austria)
- CIRCL (Luxembourg)
- CERT-FR (France)
- JPCERT/CC (Japan)
- CERT-SE (Sweden)
- NorCERT (Norway)
- NCSC-NL (Netherlands)
- CNCERT/CC (People's Republic of China)
- Public Safety Canada
- LITNET CERT (Lithuania)
- MyCERT (Malaysia)
- UNAM-CERT (Mexico)
- SingCERT (Singapore)
- Q-CERT (Qatar)
Friday, April 11, 2014