Heartbleed Bug: Answering your Questions

The discovery of the Heartbleed bug, an encryption vulnerability in OpenSSL, has caused significant concern for individuals and the business community.

The vulnerability has affected popular websites and services – many of which were considered to be secure. For my readers and business partners, I want to ensure that one thing is clear:
None of UIM’s sites or our partners’ sites have been affected by Heartbleed.

At UIM we have reviewed all of our OpenSSL-related items and continue to monitor our systems to make sure that your information and ours remains secure. To ensure that you are well informed and protected, I have compiled a list of answers to important questions about the Heartbleed vulnerability.

The frustration and confusion surrounding Heartbleed arise primarily because it is NOT a virus – it is a vulnerability. A virus will actively try to get into your computer, network or devices. Heartbleed isn’t active; it’s a design flaw in OpenSSL.
Heartbleed itself isn’t malicious. It doesn’t steal your information or record your activity. What it does is provide a gateway that other malicious viruses/hackers can use to reach your information.

Heartbleed has affected a site I use. Has my info been stolen?

Not necessarily. Being affected by Heartbleed means that your information is compromised, but it may not have been stolen.

What can I do to keep my info and my company’s info safe?

  • Create new passwords AFTER the vulnerability has been fixed. If you change your password before the vulnerability has been corrected, you will have compromised the new password as well.
  • Monitor your credit card information and purchasing history.
  • Ask your technology partner to test your systems, or test them yourself using filippo.io/Heartbleed

Companies’ IT departments and technology partners have spent the last few days correcting this security breach, and many have fixed the issue. In most cases, these sites are informing their users that the Heartbleed vulnerability has been fixed or didn’t affect them.
If you cannot find out if a company’s website has been secured, contact their support prior to changing your password/information.

Which major sites are vulnerable?

Any password used on these sites should be changed on every site you’ve used that password for. E.g., if your Gmail password is the same as your banking password, change both.

  • Facebook
  • Gmail
  • Tumblr
  • Yahoo mail
  • GoDaddy
  • Dropbox
  • And many more

A Quick Description of How it Works

Heartbleed allows a virus/hacker to grab 64kb of memory repeatedly. The vulnerability allows the user to request a legitimate piece of information, but with parameters that exceed the normal value for that piece of information. Instead of stopping after the legitimate information is delivered, the affected system will continue to provide additional information until the parameters are met.
This may allow the SSL session to be decrypted and critical information, such as usernames and passwords, to be stolen.
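The over-read described above, shown as an added example that is not part of the original post and is not OpenSSL's own code: a simplified heartbeat handler in C, with the flawed version beside the corrected one. The message layout, function names and sample memory contents are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR 3 /* assumed layout: 1-byte type + 2-byte claimed payload length */

/* Constructed stand-in for server memory: a 7-byte request (payload "bird")
 * that claims a 25-byte payload, followed by unrelated data stored next to it. */
static const uint8_t memory[] = "\x01\x00\x19" "bird" "user=alice;pw=hunter2";
static const size_t record_len = HDR + 4; /* bytes that actually arrived */

static size_t claimed_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Flawed handler: trusts the length field carried inside the request. */
size_t reply_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    size_t n = claimed_len(rec);
    (void)rec_len;              /* never compared with n: this is the flaw */
    memcpy(out, rec + HDR, n);  /* copies past the request into neighbouring data */
    return n;
}

/* Corrected handler: drop any request that claims more than was received. */
size_t reply_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < HDR)
        return 0;               /* too short to hold a header */
    size_t n = claimed_len(rec);
    if (n > rec_len - HDR)
        return 0;               /* claim exceeds the record: send nothing back */
    memcpy(out, rec + HDR, n);
    return n;
}

int main(void) {
    uint8_t out[64];
    size_t n = reply_vulnerable(memory, record_len, out);
    printf("vulnerable: %zu bytes: %.*s\n", n, (int)n, (const char *)out);
    n = reply_fixed(memory, record_len, out);
    printf("fixed:      %zu bytes\n", n);
    return 0;
}
```

The flawed handler returns the 4-byte payload plus the 21 bytes of unrelated data behind it; the corrected handler returns nothing for the same request.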
If you have any other questions please feel free to contact me and I will answer your concerns directly.