The Heartbleed vulnerability has exposed users to theft of ID and credit card details.

Parenting website Mumsnet, software company Oracle and the Canadian tax authorities are amongst the affected sites, and users are advised to change their passwords. But Trend Micro’s Vice President for Security Research Rik Ferguson believes that is not necessarily good advice.
How to check for Heartbleed
Speaking on PassWord with Peter Warren, the tech radio show on London’s Resonance 104.4FM (www.resonancefm.com/PassWord), Ferguson stressed that website owners should first check whether or not they are affected by the vulnerability, which arises out of faulty code in the Secure Sockets Layer (SSL) used to protect encrypted information.

To check whether or not a server has the vulnerability, he recommends that SMEs and bloggers go to www.trendmicro.com/heartbleed and paste their URL into the testing page. If the test shows that Heartbleed is present, the server must be patched and the private keys revoked until the patch is in place, when new keys can be issued and users notified to change their passwords.

Ferguson believes the vulnerability was not created deliberately but arose because of an oversight in Open Source SSL’s testing process. With only four staff – and offering a free product – Open Source SSL is under-resourced, so it is not surprising that mistakes are made and go unnoticed.
Future Intelligence editor Peter Warren comments: “This is another example of bad code causing problems and further evidence that we need a new agency to oversee the quality of computer code. New software should be tested and registered before it is released, in the same way that the US Food and Drug Administration tests new drugs for safety.”