Security for Heartbleed vulnerability
In the last few days the “Heartbleed bug” (CVE-2014-0160) was disclosed. It is a serious vulnerability in OpenSSL's implementation of the TLS heartbeat extension: a malformed heartbeat request lets an attacker read up to 64 KB of the server process's memory per request, without authenticating and typically without leaving any trace in the server's logs. That memory can contain the server's private key, session cookies and the passwords of other users.
What have we done at Nebtrex
At Nebtrex we have checked all systems that use OpenSSL and patched them to the latest version, which resolves the bug.
What should you do?
We have no reason to believe that any data or credentials were compromised, but if you have any concerns (about any site, not just Nebtrex-owned sites) we would suggest that you:
- Confirm the site is patched and is no longer vulnerable. For OpenSSL that means version 1.0.1g or later, or a distribution package into which the fix has been backported (those keep the older version number, so the package changelog, not the version string, is the authority). Because the bug can also expose the server's private key, a well-run site will have reissued its TLS certificate after patching.
- Change your password, but only after confirming the site is patched or was never vulnerable to the Heartbleed bug. A password changed on a site that is still vulnerable can be read out of memory just like the old one.
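One way to do the first check on a server you administer, shown here as an added example (this is not Nebtrex's code): parse the banner printed by `openssl version` and compare it against the upstream releases the OpenSSL advisory lists as affected. It assumes the banner format `OpenSSL <version> <date>` and, as the comments note, cannot by itself tell whether a distribution has backported the fix. The sample banners are constructed inputs.

```python
import re
import subprocess

# Affected upstream releases per the OpenSSL advisory for CVE-2014-0160:
# 1.0.1 through 1.0.1f, and 1.0.2-beta1. 1.0.1g and 1.0.2-beta2 carry the fix.
# The 0.9.8 and 1.0.0 branches never contained the TLS heartbeat code.
_BANNER_RE = re.compile(
    r"OpenSSL\s+(?P<major>\d+)\.(?P<minor>\d+)\.(?P<fix>\d+)"
    r"(?P<letter>[a-z]*)(?:-(?P<pre>beta\d+))?",
    re.IGNORECASE,
)


def parse_banner(banner):
    """Parse 'OpenSSL 1.0.1e 11 Feb 2013' into (1, 0, 1, 'e', '')."""
    m = _BANNER_RE.search(banner)
    if m is None:
        raise ValueError("not an OpenSSL version banner: %r" % (banner,))
    return (
        int(m.group("major")),
        int(m.group("minor")),
        int(m.group("fix")),
        m.group("letter").lower(),
        (m.group("pre") or "").lower(),
    )


def heartbleed_status(banner):
    """Classify a version banner against the upstream affected range.

    upstream_vulnerable: True if that upstream release shipped the bug.
    needs_package_check: True when the version string alone is inconclusive,
      because Debian, Ubuntu, Red Hat and others backport security fixes
      without changing the upstream version number, so a patched package can
      still report 1.0.1e. Check the package changelog for CVE-2014-0160.
    """
    major, minor, fix, letter, pre = parse_banner(banner)
    base = (major, minor, fix)
    if base == (1, 0, 1):
        vulnerable = letter < "g"    # '', 'a'..'f' affected; 'g' and later fixed
    elif base == (1, 0, 2):
        vulnerable = pre == "beta1"  # beta2 and every 1.0.2 release are fixed
    else:
        vulnerable = False           # 0.9.8 and 1.0.0 never had heartbeat code
    version = "%d.%d.%d%s%s" % (major, minor, fix, letter, ("-" + pre) if pre else "")
    advice = (
        "upstream release is affected; if this is a distribution package, confirm "
        "its changelog mentions CVE-2014-0160, then restart every service that "
        "loaded the old library"
        if vulnerable
        else "upstream release is not affected"
    )
    return {
        "version": version,
        "upstream_vulnerable": vulnerable,
        "needs_package_check": vulnerable,
        "advice": advice,
    }


def local_status():
    """Run `openssl version` on this host and classify the result."""
    out = subprocess.check_output(["openssl", "version"]).decode()
    return heartbleed_status(out)


if __name__ == "__main__":
    # Constructed sample banners, then the live binary on this host.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014"):
        print(sample, "->", heartbleed_status(sample)["advice"])
    print("local:", local_status())
```

On Debian or Ubuntu the changelog is available with `apt-get changelog openssl`, on Red Hat derivatives with `rpm -q --changelog openssl`; either way, look for CVE-2014-0160 in the entry for the installed package version. Upgrading the library is not enough on its own: long-running services (web servers, mail servers, VPN daemons) keep the old copy mapped until they are restarted.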
Some suggestions relating to passwords and security
- Use different passwords for different sites. For example, if you use a password for your online banking, do not use it on any other site. If one site is compromised, the attacker will try the same username and password on the other sites you use.
- Use strong passwords. Length matters most; as a general rule, the longer the better.
- Use a mixture of characters: numbers, lower and upper case letters, and special characters such as #$%*.
- Some sites enforce strong passwords and some do not. It is up to you to use a strong password even when the site does not require one.
- Do not build passwords from personal information: no birthdates, your dog's name, wedding date, your children's names and so on. If you are being targeted, this information is too easy to find, and trying it is a common tactic for breaking into accounts.
- Use two-factor authentication wherever it is offered. For example, a bank may offer two-factor authentication via your mobile phone: when you log in, it sends you an SMS code that is valid only for a few minutes (sometimes less), and without that code you are refused access or certain functionality. This is considerably more secure, because an attacker who has your password still needs your phone at the time of logging in. Some sites now require it; others offer it but leave it off by default, so you have to turn it on. Where it is available we suggest you enable it. There are other methods of two-factor authentication besides mobile phones and SMS, such as authenticator apps and hardware tokens, and some sites use those instead.
- Password managers: there are software packages for personal use that let you unlock the program with a single master password and store all your other passwords inside it. They are worth considering if you have many passwords and want each one to be strong without having to memorise them all. Like any centralised store, a password manager is also a single point of failure: if it is compromised, all the passwords in it are compromised, so keep that in mind when choosing one and protect it with a strong master password.
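The SMS code described above is one kind of one-time code. Authenticator apps, one of the other methods mentioned, use a time-based one-time password (TOTP, RFC 6238): a code derived from a secret shared with the site and the current 30-second time step, so it expires on its own. The following is an added example written for this page, not code from Nebtrex or from any authenticator product. It uses the RFC 4226/6238 test-vector secret (a real app's secret is the base32 string encoded in the enrolment QR code, decoded with `base64.b32decode`), assumes SHA-1, 6 digits and 30-second steps as most apps do, and shows the two server-side checks that matter: tolerating a little clock drift, and never accepting the same code twice.

```python
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors; a real enrolment
# uses a random secret per user, never a published one.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) over an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """Time-based one-time password (RFC 6238): HOTP over the time-step number."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server-side verifier for one user's TOTP secret.

    Accepts the current step plus `window` steps either side (clock drift
    between phone and server) and refuses to accept any step twice, so a code
    intercepted during a valid login cannot be replayed within the window.
    """

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1   # highest step already consumed by a successful login

    def verify(self, submitted, unix_time=None):
        now = time.time() if unix_time is None else unix_time
        counter = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue         # this step, or an earlier one, was already used
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, submitted):     # constant-time compare
                self.last_counter = candidate
                return True
        return False


def replay_demo():
    """Same code presented twice at the same time: first accepted, second refused."""
    verifier = TotpVerifier(RFC_TEST_SECRET)
    code = totp(RFC_TEST_SECRET, 59)
    return verifier.verify(code, 59), verifier.verify(code, 59)


if __name__ == "__main__":
    print("code for t=59:", totp(RFC_TEST_SECRET, 59))        # 287082 per RFC 6238
    print("first use, replay:", replay_demo())               # (True, False)
```

An SMS code works the same way from the user's side, except that the server generates a random code, stores it with an expiry time and deletes it after one use, rather than deriving it from a shared secret. Either way the server must compare codes in constant time, limit failed attempts, and invalidate a code once it has been used.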