Heartbleed – the reason you need to update your passwords
Heartbleed is a vulnerability in the OpenSSL encryption code that is used by two-thirds of all websites. A popular method of encryption because it is open source and freely available, OpenSSL ensures your private information is securely transferred to the web servers you use. But Heartbleed, discovered on Monday by a Google engineer, results in those web servers passing on more information than they should when given the right type of request. While many of the sites affected will be patched by now, it’s still important to change your passwords on any sites impacted because your details may have been compromised.
Just as the personal income tax filing deadline approaches at the end of April, the Canada Revenue Agency took down its online services such as Efile, Netfile, and user account access. The CRA described the measures as preventative and says its working to implement a fix to the Heartbleed vulnerability. Taxpayers who are delayed in filing due to the bug will not be penalized as the CRA plans to extend the tax filing deadline beyond April 30 for a period that is equal to the service disruption. If you keep an online account at the CRA for your business or personal tax management, be sure to update your passwords once the site comes back online.
It appears Freshbooks avoided disaster. The Toronto-based cloud accounting software learned about the Heartbleed vulnerability early on, and deployed its fix by 8:00 PM ET on Monday, according to a blog post from CEO Mike McDerment. The advice its giving to users is to consider changing your password, especially if you were using the site between 1:00 – 8:00 PM ET on Monday or if you use the same password for several websites.
While Rogers.com wasn’t impacted by Heartbleed, its webmail provider is Yahoo, and Yahoo was impacted by the vulnerability. Yahoo implemented a fix to the problem shortly after the issue became known, so if you are a user of Rogers/Yahoo web mail services it would be wise to go in and change your password. Even though the problem was fixed quickly, it’s possible the vulnerability was exploited by hackers prior to the fix, accessing your account password. Plus, a password change is easy to do and can’t hurt.
Some Telus sites
Telus reported yesterday that some of its websites have been taken offline to patch the Heartbleed vulnerability. What is not known at the moment is how many Telus customers are affected, or what websites it took down as a result of the bug. While tests for Telus.com and Telus’ webmail service reported no vulnerability, a test for Telushealth.com came back inconclusive. The filippo test reported a “broken pipe” that might mean Telus is taking action to fix the bug. When asked for comment, Telus provided this statement: “TELUS took a couple of websites offline as soon as Heartbleed became known, and applied the patch. That work is done, and the sites back online. We are communicating with customers.”
Sun News Network
On a University of Michigan list of the top 1000 vulnerable domains affected by Hearbleed, the only dot-ca site mentioned is sunnewsnetwork.ca. As of time of publication, testing the domain shows that it is still vulnerable. One area where personal information could be at risk is the “Sun Force” form submission. The Sun encourages readers to sign up to send in breaking news photos and videos, collecting first and last names, phone numbers, email addresses, but no passwords.
BBM for iPhone and Android
BlackBerry released a statement that it is investigating the Heartbleed vulnerability, but it can confirm that BlackBerry Enterprise Server 5 and BlackBerry Enterprise Service 10 are not affected. What is affected is its BlackBerry Messenger app on the iOS and Android platforms. BlackBerry says there are no mitigations or workarounds (i.e. no way to solve the problem) at present.
E-commerce services provider Shopify says its customers are safe from Heartbleed, but it’s not a bad idea to update your passwords anyway. When Heartbleed became a known issue on Monday, Shopify’s network security and operations team went to work to update its hosting infrastructure and had a fix rolled out by 7:00 PM ET. All secondary systems were secured by midnight. Overnight, all keys and certificates were re-issued. Shopify suggests updating credentials like passwords, payment gateway, and API keys as a precaution.
Other sites affected
Of course there are a long list of affected domains that are not Canadian-based that will be used by many Canadians. Some of the web’s most popular destinations including Facebook, Yahoo, Tumblr, Pinterest, Google, and more are effected. Check out Mashable’s list and you can check out any website you like using this online tool or use this Chrome browser extension. If you are a web admin and want to make sure you’ve secured your site against Hearbleed, follow Claudiu Popa’s guide from his blog post hosted on ITBusiness.ca.