Urgent News re. Heartbleed Security Bug

Attention All Clients (whether hosted by Brainwrap or not):

As you may have heard, the other day news broke about a very serious security issue which impacts around half of the web servers on the internet.

Commonly known as the "Heartbleed" bug, it is actually an issue within OpenSSL, the cryptographic library used to encrypt data as it travels from one system to another.

Instead of trying to describe how serious this is myself, here are a few quotes from top security experts:

From Tech Crunch:

This afternoon, many of the net security people I know are freaking out. A very serious bug in OpenSSL — a cryptographic library that is used to secure a very, very large percentage of the Internet’s traffic — has just been discovered and publicly disclosed.

Even if you’ve never heard of OpenSSL, it’s probably a part of your life in one way or another — or, more likely, in many ways. The apps you use, the sites you visit; if they encrypt the data they send back and forth, there’s a good chance they use OpenSSL to do it. The Apache web server that powers something like 50% of the Internet’s web sites, for example, utilizes OpenSSL.

Through a bug that security researchers have dubbed “Heartbleed”, it seems that it’s possible to trick almost any system running any version of OpenSSL from the past 2 years into revealing chunks of data sitting in its system memory.

Why that’s bad: very, very sensitive data often sits in a server’s system memory, including the keys it uses to encrypt and decrypt communication (read: usernames, passwords, credit cards, etc.). This means an attacker could quite feasibly get a server to spit out its secret keys, allowing them to read any communication that they intercept like it wasn’t encrypted at all. Armed with those keys, an attacker could also impersonate an otherwise secure site/server in a way that would fool many of your browser’s built-in security checks.

From the Detroit Free Press:

2. What sites are affected?

Citing an April survey from research site Netcraft, Codenomicon’s Heartbleed website says roughly two-thirds of active sites on the Internet run OpenSSL. So, yeah, a lot.

Among the big names affected was Yahoo, which is running OpenSSL. In a statement to the AP, Yahoo says its bigger services such as Finance and Tumblr have been fixed, but they’re still working on other Yahoo products. Tumblr is urging its users to change their passwords as soon as possible.

...A Heartbleed test has been created that lets users plug in a website name to determine if it’s safe. Qualys also hosts a similar inspection of SSL. Vox reports Google and Facebook have addressed the issue, while Microsoft is monitoring the situation. Amazon says it updated its services to address the bug.

From Bruce Schneier (security expert, CTO of Co3 Systems, Harvard Berkman Center fellow, EFF board member):

Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it.

"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.
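To make the "64K of memory" figure concrete, here is an added example in C that is not from the original notice and not OpenSSL's own code: it models the defect as a heartbeat record whose 16-bit, peer-supplied payload length is echoed back without checking how many bytes actually arrived, beside the hardened handler that performs that check. The simulated memory buffer, the "SECRET-KEY-MATERIAL" string and all function names are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for process memory: the heartbeat record comes first,
 * followed by data that must never leave the server. */
#define MEM_SIZE 512
static unsigned char g_mem[MEM_SIZE];
/* Heartbeat request: type(1) | payload length(2, big-endian) | payload | 16 pad.
 * claimed_len is what the peer says it sent, actual_len is what really arrived.
 * Returns the record length, i.e. the number of bytes actually received. */
size_t build_request(uint16_t claimed_len, size_t actual_len)
{
    memset(g_mem, 0, MEM_SIZE);
    g_mem[0] = 1;                                    /* heartbeat request */
    g_mem[1] = (unsigned char)(claimed_len >> 8);
    g_mem[2] = (unsigned char)(claimed_len & 0xff);
    memset(g_mem + 3, 'A', actual_len);              /* the real payload */
    size_t rec_len = 3 + actual_len + 16;
    strcpy((char *)g_mem + rec_len, "SECRET-KEY-MATERIAL"); /* sample secret */
    return rec_len;
}
/* Vulnerable: trusts the 16-bit peer-supplied length (up to 65535, the "64K"
 * in the quote) and echoes that many bytes without checking that the record
 * was that long. Clamped to g_mem only so this model stays well-defined. */
size_t heartbeat_vulnerable(size_t rec_len, unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                   /* never consulted */
    size_t payload = (size_t)((g_mem[1] << 8) | g_mem[2]);
    if (payload > out_cap) payload = out_cap;        /* model bound only */
    memcpy(out, g_mem + 3, payload);
    return payload;
}
/* Hardened, shaped like the upstream fix: header + claimed payload + padding
 * must fit inside the record that actually arrived, else drop the message. */
size_t heartbeat_fixed(size_t rec_len, unsigned char *out, size_t out_cap)
{
    size_t payload = (size_t)((g_mem[1] << 8) | g_mem[2]);
    if (1 + 2 + payload + 16 > rec_len || payload > out_cap) return 0;
    memcpy(out, g_mem + 3, payload);
    return payload;
}
/* 1 if the echoed bytes contain the sample secret, else 0. */
int leaks_secret(const unsigned char *out, size_t n)
{
    const char *s = "SECRET-KEY-MATERIAL";
    for (size_t i = 0; i + strlen(s) <= n; i++)
        if (memcmp(out + i, s, strlen(s)) == 0) return 1;
    return 0;
}
```

A request that claims 200 payload bytes but sends 4 makes the vulnerable handler return 200 bytes, including the sample secret that sits after the record; the hardened handler returns 0 and echoes nothing.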

OK, so now that I've scared the heck out of every one of my clients, here's what else you need to know:

First: The Brainwrap servers have already been patched and rebooted. You can test this out by entering your own domain name here.

Second: I have already reset all of the actual administrative server passwords before even sending this out.

Third: I have already reset all of your hosting control panel (cPanel) passwords for clients who host their sites through Brainwrap.

Fourth: I am in the process of resetting my own master Drupal administrator password for all sites. This should be completed by Friday morning.

Fifth: I am also in the process of revoking and re-keying your SSL certificates; however, this may take some time since there are literally half a million other SSL certificates being revoked/re-keyed right now as well.

Sixth...and this is the big one: Yes, security experts STRONGLY recommend that every single password on every one of your websites be reset. This means all email accounts, FTP/cPanel logins, database passwords, as well as logins to your Drupal, WordPress, OpenCart, Zen Cart, PHPList or any other script that you run.

Seventh: This has nothing to do specifically with Brainwrap or LiquidWeb servers in particular; as noted above, it impacts over half the servers and 2/3 of all websites globally. In other words, even if your website is not hosted by Brainwrap, you should check with your hosting provider and reset your passwords after confirming that your host server has been patched.

Eighth: As noted above, you'll need to reset your passwords for OTHER online services as well, including (but not limited to) the following:

  • Facebook
  • Tumblr
  • Google/Gmail/YouTube
  • Yahoo (and Yahoo Mail)
  • GoDaddy
  • Intuit (Quicken/QuickBooks)
  • Dropbox
  • LastPass
  • OKCupid
  • SoundCloud

The following services have uncertain status at this time, but I'd strongly recommend checking into it and resetting your passwords with them as well:

  • Apple/iTunes
  • Netflix
  • The IRS
  • H&R Block
  • HealthcareGov
  • Twitter
  • eBay

IMPORTANT: Make certain that the service you're resetting your password for has patched and rebooted their server before you reset your password! If they haven't done so yet, then resetting your password is somewhat pointless since the new one will be vulnerable as well.

Supposedly other major services such as Amazon, LinkedIn, MSN, AOL, PayPal and Target are not vulnerable, but given the scope of this issue I'd recommend resetting those passwords while you're at it.

In short, this is an ugly one, possibly the worst security breach the internet has ever had, but I'm on it and doing everything I can to secure our little section of it.

If you have any questions please feel free to contact me at 248 545-7570 or by email (but I'd strongly advise resetting your email password first).