Friday, 11 April 2014

The Heartbleed bug! Should I change my passwords?

I had several acquaintances and friends call me over the past week asking whether the Heartbleed bug affects them and whether they should change their passwords. The short answer is yes. That said, Mashable put together a nifty lookup table that lets you see which websites are affected and whether or not you should change your password. Here is the link:


http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/


That being said, just to be on the safe side, I've changed all my passwords. I know, it's a pain in the butt, but this bug has been around for a while, which means malicious actors have had a really long time to exploit it. As an aside, make sure to review the following as well:


1. Secret questions. I've seen compromised accounts where the malicious actors had been sneaky enough to change the secret questions (i.e. the questions used when recovering a password). That way, even if the password is changed, the malicious actor still has a way back in.
2. Auxiliary email account. Many accounts have one or more email addresses tied to them, usually for password recovery. Make sure every email address listed there is yours.
3. Mobile #. Some accounts send text messages to a mobile number to aid in the safe recovery of a lost password. Once again, a malicious actor who has compromised the account could change this number. Make sure the mobile # on the account is yours.


Better safe than sorry!!

Monday, 7 April 2014

KISS principle against phishing scams

Ever had one of those 'oops' moments when you think a link inside an email is trustworthy and safe, only to figure out, precisely 1/100th of a second after you click on it, that you've been suckered? Don't beat yourself up; a lot of people have. That is because phishing scams and malicious links within emails are getting increasingly sophisticated and convincing. What about me, you ask? Well, I haven't fallen for any of it, but on a couple of occasions I did feel as though I would have come close, were it not for a very simple trick I use.


What's the trick? Simple: never use your corporate email or your principal personal email to register for anything on the internet. For example, I got a fabulously convincing LinkedIn connection request, from LinkedIn no less (should one investigate the email header, it really did come from LinkedIn). Moreover, the "Connect" button really does link to LinkedIn. Wow, looks totally legit... Except, of course, for one small problem... The email account I use for LinkedIn isn't my corporate email or my principal personal email account. As such, should I receive a handy-dandy LinkedIn request on either of those accounts, I would know (or at least suspect) that it is some sort of scam.


What surprises me is how many enterprises don't put in place strict rules forbidding employees from using their corporate email to register for anything. IT professionals everywhere should forbid such practices and quite literally build email filters that quarantine any emails that come from LinkedIn, Facebook, Twitter, etc... If employees absolutely feel the need to use a corporate identity to register for a web service, make them use an alternate address like Joe-Web@acme.com as opposed to just joe@acme.com. For all emails destined for joe-web@acme.com, quarantine any that contain links.
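One way to express both of the filter rules above as a mail-classifier check. This is an added example in Python, not code from the original post; the `-web@acme.com` alias convention, the social-network domain list and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed policy values for this example; adjust to the real alias convention.
WEB_ALIAS_SUFFIX = "-web@acme.com"  # joe-web@acme.com style registration aliases
SOCIAL_SENDER_DOMAINS = ("linkedin.com", "facebook.com", "twitter.com")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def recipients(msg):
    """All To/Cc addresses, lower-cased."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _, addr in pairs if addr]


def sender_domain(msg):
    """Domain part of the From header (empty string if absent)."""
    addr = parseaddr(msg.get("From", ""))[1].lower()
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def body_text(msg):
    """Concatenate every text/plain and text/html part, decoded."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def classify(raw_message):
    """Return 'quarantine' or 'deliver' for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    to_web_alias = any(r.endswith(WEB_ALIAS_SUFFIX) for r in recipients(msg))
    domain = sender_domain(msg)
    from_social = any(domain == d or domain.endswith("." + d) for d in SOCIAL_SENDER_DOMAINS)
    has_links = URL_RE.search(body_text(msg)) is not None
    if to_web_alias and has_links:      # rule 1: the registration alias never gets links
        return "quarantine"
    if from_social and not to_web_alias:  # rule 2: social-network mail to a principal mailbox
        return "quarantine"
    return "deliver"


# Constructed sample messages (not real traffic).
LINKEDIN_TO_PRINCIPAL = ("From: LinkedIn <invitations@linkedin.com>\nTo: joe@acme.com\n"
                         "Subject: Join my network\n\nConnect: https://www.linkedin.com/x\n")
LINKEDIN_TO_ALIAS = LINKEDIN_TO_PRINCIPAL.replace("To: joe@acme.com", "To: joe-web@acme.com")
PLAIN_TO_ALIAS = "From: Ann <ann@example.org>\nTo: joe-web@acme.com\n\nNo links here.\n"
COLLEAGUE_WITH_LINK = "From: Bob <bob@acme.com>\nTo: joe@acme.com\n\nSee https://intranet.acme.com/doc\n"
```

Rule 2 is what makes the "genuine" LinkedIn invitation suspicious: it is real LinkedIn mail, but it arrived at an address that was never given to LinkedIn.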


Also, don't use fax machines capable of emailing directly to people inside the company. Always make sure someone is responsible for vetting incoming faxes and then forwarding them to employees using a secure email account (i.e. one with a digital signature). I say this because a lot of people have fallen for the "Office Fax : You have a fax waiting for you..." malicious emails.


Oh, and for those who are really concerned about malicious emails successfully acting as a gateway for malware into the enterprise, consider using something like Sandboxie to run your email client in. If something 'sneaks in', just blow away the sandbox!!!


cheers,
Luis