Dashlane and the Heartbleed Bug475
Pages:
1
|
LiquidLayer private msg quote post Address this user | |
| https://www.dashlane.com/blog/security/dashlane-heartbleed-bug/ On Monday, April 7th, a vulnerability called Heartbleed was discovered in OpenSSL, a cryptographic library used by websites to handle SSL and HTTPS. The vulnerability is a major concern because OpenSSL is widely used, and it could allow normally encrypted web communications to be intercepted. First, we want to update you on how this impacts Dashlane: Your Dashlane accounts are not impacted by this flaw Your Master Passwords are safe as they are never transmitted Your personal data when transmitted is always ciphered locally with AES 256, which is not affected by the Heartbleed vulnerability More specifically, though we use OpenSSL when syncing your personal data with our servers: Your Master Password is never transmitted over any network, neither is any derivative of your Master Password Your personal data is ciphered locally, with your Master Password, before being sent to our servers, using a cryptographic algorithm not affected by Heartbleed (AES 256) The HeartBleed Bug – What is it? According to Heartbleed.com (a site built by the bug’s discoverers): The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users. How does this affect my Dashlane account? As we mentioned above, your Dashlane account and Master Passwords are safe. Our servers have been updated with the patch, we have revoked previous certificates and rolled out new ones. There will be no interruption in our services, and the information that you store in Dashlane is not affected by the Heartbleed bug. Though your Dashlane account remains safe, many of the websites that you use do not have the level of security and encryption that we use. We recommend you generate new passwords on your most important accounts – banking, email, social networks, or any shopping sites where you store your payment info. However, the sites that you use need to employ the patch for this bug before your account is secure again. Otherwise, you’ll need to change your passwords again once that’s done. What’s next? We understand you might be worried as the whole Internet seems to be a bit shaken by this. We see this issue as a test for our security architecture that gave proof to how solid it is. The most important thing is to make sure you use different passwords everywhere, because if your password is stolen on one site, it will not impact other sites; this was true before Heartbleed and is even more true today. We’ll be sure to keep you updated about the situation, and we want to thank you for securing your data in Dashlane. https://www.dashlane.com/blog/security/dashlane-heartbleed-bug/ |
||
| Post 1 • IP flag post | ||
|
|
LiquidLayer private msg quote post Address this user | |
| The critical, widespread Heartbleed bug and you: How to keep your private info safe Visit the source: http://www.pcworld.com/article/2141602/the-heartbleed-bug-and-you-a-users-guide.html No matter how hard you try to stay safe, some aspects of securing your online data are completely out of your hands. That fact was made painfully obvious on Monday, when the Internet got caught with its collective pants down thanks to a critical vulnerability affecting a fundamental tool for secure online communications. Called Heartbleed, the bug has been in the wild for more than two years now. It allows attackers to exploit a critical programming flaw in OpenSSL—an open source implementation of the SSL/TLS encryption protocol. When exploited, the flaw leaks data from a server's memory, which could include SSL site keys, usernames and passwords, and even personal user data such as email, instant messages, and files, according to Finland-based Codenomicon, the security firm that first uncovered Heartbleed in concert with a Google researcher. That's bad. Real bad, though it's important to note that Heartbleed only affects OpenSSL and not the security protocol itself. But due to OpenSSL's popularity with website administrators, the potential number of affected websites is huge. Security and Internet research firm Netcraft estimates that Heartbleed affects around half a million "widely trusted websites." Yahoo has already said it was hit by the Heartbleed bug and Yahoo-owned Tumblr is advising users to update their passwords ASAP. "On the scale of 1 to 10, this [Heartbleed] is an 11," respected security expert Bruce Schneier said on his blog. Yes, this bug is pretty serious and almost certainly affects at least one of your online accounts. But now that we've got the scary stuff out of the way, let's talk about some of the practical measures you need to know about. Keep calm and... Thanks to Hearbleed it's possible that some unscrupulous actors online could have your username and password. And you should definitely change your password on any site that says it was affected. But here's the thing: While OpenSSL already has a fix available, changing your username and password before a site patches its servers achieves nothing. In fact, it could make things worse. "You should change password after the service provider has patched their site. Otherwise you just contribute to the data that can be stolen," Codenomicon spokesperson Ari Takanen told us via email. ...don't carry on Heartbleed was publicized on Monday. So by now, many sites should have scrambled (or are scrambling) to patch their servers. You can find out if a site is still affected by Heartbleed using online checkers provided by LastPass, Qualsys, or Filippo Valsorda. If you find that a site you use often is still affected by the vulnerability, Codenomicon advises to take a "day off" from that site. Heartbleed only exposes data that's held in a server's memory (RAM). This isn't a break-in and read the database type flaw. Your data needs to be in a server's memory when it's attacked to be exposed. That's one reason why changing your password before a site is patched could actually be worse than doing nothing, especially now that Heartbleed is public knowledge. Other considerations Security flaws like this are also a good time for some reminders about how best to secure your online accounts. You should really be using two-factor authentication for all your accounts that offer it. Two-factor authentication requires you to enter an extra code before accessing your online accounts. The code is typically generated by a smartphone app or keychain dongle, but you can also receive codes to your phone via SMS. This extra step requires attackers to know how to generate your two-factor authentication code before they can login to your account. In the case of Heartbleed, two-factor authentication may not have been as useful a defense, but in general this extra step helps keep your account safer than it was. Use a password manager Now's a good time to start using a password manager especially if you're going to be changing some user logins over the next few days. A password manager makes it easy to generate randomized passwords using a combination of letters, numbers, and special characters. It also relieves you of having to memorize every one of those overly complex codes. Password managers often come with other features as well such as secure notes, and autofill for online forms. There are many options out there for password managers, but some of our favorites include LastPass, Dashlane, and KeePass. LastPass recently said in a blog post that it was using the version of OpenSSL affected by Heartbleed; however, because the service encrypts your data before transmitting it online, the company says its users were not at risk of having their data exposed to the bad guys. Heartbleed is certainly a nasty little bug that needs to be taken seriously. But considering it's been in the wild for more than two years, there's not much a user can do now except wait patiently for affected sites to patch their servers before changing any passwords. Once those sites are patched, however, you'll want to change your password as soon as possible. Visit the source: http://www.pcworld.com/article/2141602/the-heartbleed-bug-and-you-a-users-guide.html |
||
| Post 2 • IP flag post | ||
|
|
LiquidLayer private msg quote post Address this user | |
| Heartbleed online site checkers: https://lastpass.com/heartbleed https://www.ssllabs.com/ssltest http://filippo.io/Heartbleed |
||
| Post 3 • IP flag post | ||
|
|
LiquidLayer private msg quote post Address this user | |
| Patching the Heartbleed Bug in OpenSSL - The ServInt Source blog.servint.net/2014/04/08/patching-heartbleed-bug-openssl How to Check and Fix OpenSSL Heartbleed bug in cPanel http://syslint.com/syslint/how-to-check-and-fix-openssl-heartbleed-bug-in-cpanelwhm-servers Patch your WHM/cPanel machine for heartbleed ... - Linux Brigade www.linuxbrigade.com/patch-whmcpanel-machine-heartbleed |
||
| Post 4 • IP flag post | ||
|
|
LiquidLayer private msg quote post Address this user | |
| CVE-2014-0160 - The Heartbleed Bug (openssl) http://www.webhostingtalk.com/showthread.php?p=9075329 http://heartbleed.com/ Quote: The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users. More information: http://www.openssl.org/news/secadv_20140407.txt Patches: http://www.openssl.org/news/secadv_20140407.txt http://git.openssl.org/gitweb/?p=ope...diff;h=96db902 Redhat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1084875 Quote: Statement: This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6.4 and earlier. This issue does affect Red Hat Enterprise Linux 6.5, which provided openssl 1.0.1e. __________________ Steven Ciaburri | Proactive Linux Server Management - Rack911.com System Administration Extraordinaire | Follow us on twitter:@Rack911Labs Managed Servers (AS62710), Server Management, and Security Auditing. www.HostingSecList.com - Security notices for the hosting community. |
||
| Post 5 • IP flag post | ||
|
|
LiquidLayer private msg quote post Address this user | |
| Cloud Linux http://www.cloudlinux.com/blog/clnews/464.php Bogdan 04/08/2014 14:05:27 New package openssl-1.0.1e-16.el6_5.7 has been released earlier today that fixes critical security issue CVE-2014-0160 , details could be found here: https://rhn.redhat.com/errata/RHSA-2014-0376.html http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html To update it immediately please do the following: # yum clean all # yum update openssl # cagefsctl --force-update # /etc/init.d/httpd stop # /etc/init.d/httpd start If you are using LiteSpeed you would need to update it to 4.2.9 , related blog post: http://blog.litespeedtech.com/2014/04/08/litespeed-security-patch-to-fix-heartbleed-bug-in-openssl/ |
||
| Post 6 • IP flag post | ||
Pages:
1
