nylyon-(Admin) 7,878 #1 Posted April 9, 2014

You may be hearing about a serious internet bug (click here). What does this mean to RedSquare and more importantly what does this mean to you? Click the link to read the technical portion.

First - RedSquare does NOT use SSL or OpenSSL to process login information. What this means in non-technical terms is RedSquare is NOT affected by this issue. BUT because we don't use any encryption on your passwords, they are open for interception. When we established the site, I elected not to use SSL because we do not handle any financial transactions (PayPal is used for any financial transactions; more on that later). As a worst case scenario, anyone who wanted to "hack" your RS account would gain access to your PMs, and honestly there's no interest in a hacker doing so as there's no gain for them and we're a low volume site and don't show on their radar!

Second - You are likely affected by other sites that you visit. These include sites where you enter financial information such as credit cards, e-mail passwords, banking systems etc. This BUG is not new, it's been around for a couple of years but it's just coming to the surface. The exposure is very large. It's important to realize that because the bug was announced today, the exposure is greater now than yesterday because hackers NOW know what they need to do.

What can you do? If you've been following "Safe Computing" practices you know already that rule #1 is NEVER EVER have the same password for your bank account / PayPal / credit cards etc as your email, forum, or others. Until the issue is resolved by your institution, simply DO NOT log into their site until it is patched. Now, if you're among the vast majority whose password IS the same as your e-mail, avoid accessing your e-mail.

Going forward, NEVER EVER have the same password for your critical accounts (bank, credit card etc) as your non-critical accounts (RedSquare, eMail etc). When these things are announced, stop accessing the critical sites. When they are patched, change your password (in the event yours was disclosed). I hope that none of you are affected, but this is something to be aware of.
nylyon-(Admin) 7,878 #2 Posted April 9, 2014 Additional information is here: http://heartbleed.com
bmsgaffer 2,053 #3 Posted April 9, 2014 Thanks for the extra info!
Hodge71 665 #5 Posted April 9, 2014 Thanks so much Karl. I had no clue this was even going around. The internet is a wonderful thing but at the same time it is very easy to lose everything by relying on it too much. Edited April 9, 2014 by hodge71
rexman72 210 #6 Posted April 9, 2014 This is scary stuff
AMC RULES 37,195 #7 Posted April 9, 2014 How will we know when it's safe to get back into the water?
KATO 115 #8 Posted April 9, 2014 WOW, all our servers at work are open source Linux... I just notified the I.T. guys, they had no idea
GlenPettit 1,717 #9 Posted April 9, 2014 Thank gosh I'm a Mackie boy (Macintosh, Apple), I have no idea what a bug or virus is, after 20+ years. Glen
nylyon-(Admin) 7,878 #10 Posted April 9, 2014 Me too Glen, BUT this isn't a Windows thing, it's an SSL thing.... bottom line, you're just as vulnerable with a Mac as with a PC or Tablet.

"How will we know when it's safe to get back into the water?"

It all depends on how diligent the store / bank / credit card company etc... is. I have read that sites like Yahoo have already been repaired, my one credit card company will be fixed Thursday; others I have no word, including my bank!
HorseFixer 2,013 #11 Posted April 9, 2014 Thanks for the heads up! ~Duke
nylyon-(Admin) 7,878 #12 Posted April 10, 2014 Still being fixed, but here's an update:

Who was, and who wasn't, affected by Heartbleed

Prominent sites and services openly attacked using Heartbleed, for which you absolutely have to change passwords: Yahoo and, by association, its subsidiaries Flickr and Tumblr.

Prominent sites that have sent out Heartbleed-related password-change emails: Ars Technica, IFTTT.com.

Prominent sites and services formerly vulnerable to Heartbleed attacks, for which you probably should change passwords: Blogger/Blogspot, Dropbox, Facebook, Electronic Frontier Foundation, Etsy, Google, Imgur, Instagram, Netflix, Pinterest, Stack Overflow, Twitter, Wikipedia, Woot, Wordpress.com/Wordpress.org and YouTube.

Prominent sites and services that don't appear to have been vulnerable to Heartbleed (but we can't be certain): Amazon, AOL, Apple, Ask.com, Bank of America, Bing, Buzzfeed, Capital One, Chase, CNET, Craigslist, eBay, ESPN, Evernote, GoDaddy, Hotmail, HSBC, Huffington Post, Intuit, LinkedIn, Live.com, Microsoft, Newegg, The New York Times, PayPal, Reddit, Salesforce, Target, TD Bank, Walmart, Wells Fargo and Zillow.

If you want the gory technical details on what Heartbleed is and how it works, visit Heartbleed.com, read this excellent but dense explanation of Heartbleed by Australian security researcher Troy Hunt or watch this video by security researcher Zulfikar Ramzan.
nylyon-(Admin) 7,878 #13 Posted April 10, 2014 The issue doesn't seem to get a lot of news air time, but don't let that fool you into thinking this is a cry wolf type of deal. It's serious enough that in Canada, they took down the tax services site due to this bug and late filers will not be penalized. http://www.ctvnews.ca/canada/canadians-filing-taxes-late-due-to-heartbleed-bug-won-t-face-penalties-cra-1.1767727
KATO 115 #14 Posted April 10, 2014 Gettin lots of air time up here... almost everybody talkin about it definitely serious