by Skiprr
Sat Apr 12, 2014 9:39 pm
Forum: Technical Tips, Questions & Discussions (Computers & Internet)
Topic: Heartbleed Vulnerability
Replies: 14
Views: 5040

Re: Heartbleed Vulnerability

92f-fan wrote:
The Heartbleed vulnerability has only been known for a short time. If you have not logged in to a site in the past 30 days or so, your password couldn't have been put at risk by this flaw.

Actually, that's not completely correct. The Heartbleed vulnerability was discovered and made public only a few days ago, but the flaw in OpenSSL has existed for quite some time.

There is no evidence that the flaw was previously exploited; but there is no evidence it wasn't, either.

After being among the thousands who've had debit card exposure the past months, I'm more than a little cautious.
92f-fan wrote:
"If you need to change your password on a server that is at risk due to heartbleed, then the new password you choose may be at risk due to heartbleed," Sophos' Asia Pacific head of technology Paul Ducklin said.

"And it's fair to say that there are a lot more people ready to heartbleed your new password right now than there were a week, a month or a year ago when you set the old password up."

Yep. I wholly agree.

What is amazing to me right now is that I'm not receiving Heartbleed notifications from any of my financial institutions. That includes Fidelity, Vanguard, Zions Bank, my mortgage holder, and my credit union.

Is anyone getting info about Heartbleed from their financial accounts?

by Skiprr
Wed Apr 09, 2014 11:46 pm

Heartbleed Vulnerability

Upfront, let me note that this does not affect the Forum, so no worries there.

However, if you haven't seen the news about this during the past day or two, I wanted to bring it to your attention because it has the potential to impact a lot of the websites you may use. The snapshot: Heartbleed (officially CVE-2014-0160) is a recently discovered security vulnerability in OpenSSL encryption, which is used by millions of websites to protect sensitive data like passwords or credit card information. SSL encryption is the most common way to pass those sensitive data from your computer to a website; you'll typically see "https" in your browser's address bar instead of "http" when SSL is enabled. OpenSSL is one of the most frequently employed SSL encryption methodologies.

Essentially, this vulnerability can allow anyone to monitor webserver transactions as if the information was not encrypted, and capture things like passwords, email and physical addresses, bank account information, and credit card data.

You will likely want to change all your passwords at any sites with which you exchange any financial information. However, you may also need to change those passwords more than once. Major commercial sites like Amazon have already patched the issue, so changing your password there right now would be effective. But sites that don't have such large, dedicated IT security staff--for example, smaller retailers and regional banks--may not have yet applied the fix. So until they rectify the problem on their servers, changing your password would be ineffective; the new password is still exposed.

Below are some links so you can get up to speed on Heartbleed. First, though, my strongest piece of personal advice is never to use the same password on multiple sites. It's a pain; I know. But this new security flaw clearly illustrates the reason: if you use the same password for your Bank of America account as you do for "ABC Aftermarket Gun Grips," this SSL security vulnerability could yield your password from the small retailer and potentially be used to exploit your personal bank account, even though BofA has patched their systems to protect against the flaw. Also, as much as everyone hates it, use strong passwords...passwords as strong as the servers will allow. If the website permits special characters like #!~*^ and the like, use them. Never, ever, use a simple password that can be easily discovered using brute-force algorithms.
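For readers who want to see why a patched server matters and an unpatched one keeps leaking, the following is an added illustration, not part of the original post and not OpenSSL's own source. It models the TLS heartbeat handler that CVE-2014-0160 broke: a heartbeat message carries a 1-byte type, a 2-byte payload length, the payload, and 16 bytes of padding, and the vulnerable code copied as many bytes as the length field claimed without checking that the received record actually contained them, so the reply was filled from whatever sat next in server memory. Everything in the block is constructed for the demonstration: the `memory[]` array standing in for process memory, the `secret` string placed after the record, and the function names (`build_request`, `hb_process_vulnerable`, `hb_process_fixed`, `heartbeat_leaks`) are all hypothetical, and the check in the fixed handler has the shape of the bounds check the OpenSSL fix added rather than being that code verbatim.

```c
/*
 * Added example; not from the forum post and not OpenSSL's source.  A minimal
 * model of the TLS heartbeat handler that CVE-2014-0160 broke.  A heartbeat
 * message is: 1 byte type, 2 byte payload length, payload, 16 bytes padding.
 * The vulnerable code trusted the peer-supplied length and copied that many
 * bytes out of the received record into the reply, reading past the record
 * into whatever sat next in memory.
 *
 * To stay runnable without undefined behaviour, "process memory" here is a
 * single array: the received record is followed by a constructed secret, so
 * the over-read lands on the secret instead of off the end of an allocation.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE   128
#define HB_PADDING 16     /* TLS heartbeat padding length */
#define MAX_REAL   32     /* cap so the simulated memory never overflows */

static unsigned char memory[MEM_SIZE];                          /* simulated process memory */
static const char secret[] = "session=deadbeef; pass=hunter2";  /* constructed, not real data */

/* Place a heartbeat request at the start of memory[] and the "leftover"
 * secret right after it.  claimed_len goes into the length field; real_len
 * is how many payload bytes are actually sent.  Returns the length of the
 * record the server really received. */
size_t build_request(uint16_t claimed_len, size_t real_len)
{
    if (real_len > MAX_REAL) real_len = MAX_REAL;
    memset(memory, 0, sizeof memory);
    memory[0] = 1;                                 /* TLS1_HB_REQUEST */
    memory[1] = (unsigned char)(claimed_len >> 8);
    memory[2] = (unsigned char)(claimed_len & 0xff);
    memset(memory + 3, 'A', real_len);             /* genuine payload bytes */
    size_t record_len = 3 + real_len + HB_PADDING; /* padding left as zeros */
    memcpy(memory + record_len, secret, sizeof secret);
    return record_len;
}

/* Vulnerable handler: echoes back `payload` bytes as the peer asked,
 * without checking that the record actually contains that many. */
size_t hb_process_vulnerable(const unsigned char *rec, size_t rec_len,
                             unsigned char *reply, size_t reply_cap)
{
    (void)rec_len;                                 /* never consulted: the bug */
    size_t payload = (size_t)((rec[1] << 8) | rec[2]);
    if (payload > reply_cap) payload = reply_cap;  /* keeps the demo inside memory[] */
    memcpy(reply, rec + 3, payload);               /* reads beyond rec_len */
    return payload;
}

/* Fixed handler: header, claimed payload and padding must all fit inside
 * the received record, otherwise the message is silently dropped.  This is
 * the shape of the bounds check the OpenSSL fix added. */
size_t hb_process_fixed(const unsigned char *rec, size_t rec_len,
                        unsigned char *reply, size_t reply_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    size_t payload = (size_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0;
    if (payload > reply_cap) return 0;
    memcpy(reply, rec + 3, payload);
    return payload;
}

/* 1 if the reply bytes contain the constructed secret, else 0. */
int reply_contains_secret(const unsigned char *reply, size_t n)
{
    size_t slen = strlen(secret);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(reply + i, secret, slen) == 0) return 1;
    return 0;
}

/* One exchange against either handler.  Returns 1 if the secret leaked. */
int heartbeat_leaks(int use_fixed, uint16_t claimed_len, size_t real_len)
{
    unsigned char reply[64];
    size_t rec_len = build_request(claimed_len, real_len);
    size_t n = use_fixed
        ? hb_process_fixed(memory, rec_len, reply, sizeof reply)
        : hb_process_vulnerable(memory, rec_len, reply, sizeof reply);
    return reply_contains_secret(reply, n);
}

int main(void)
{
    /* The attacker claims 64 payload bytes but only sends 4. */
    printf("vulnerable handler leaks secret: %d\n", heartbeat_leaks(0, 64, 4)); /* 1 */
    printf("fixed handler leaks secret:      %d\n", heartbeat_leaks(1, 64, 4)); /* 0 */
    return 0;
}
```

The point the post makes about changing passwords twice follows directly: nothing in the request is malformed enough to be rejected by the vulnerable handler, so any password typed into a server still running that code can turn up in the next attacker's 64 KB of echoed memory, and only the server-side check (not anything the user does) closes the hole.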