But, to play devil's advocate, doesn't transmitting a new password
increase the odds of it being intercepted? Might you be better off
leaving it alone if it has not been intercepted yet?
John Lee
At 09:41 AM 04/10/2014, Bahrs, Art wrote:
>Hi All :)
> Ok... some things to think about concerning the HeartBleed
> vulnerability....
>
> - Change your passwords
>   - This is a 'DOH'... as we all should be changing our
>     passwords every 45-90 days as a minimum... You do change yours
>     regularly, don't you?
> - This is not a new vulnerability!
>   - it's been around for a couple of years...
>   - we must assume that the exploitation of it has been around
>     for some time... just not in the news
> - Remember this hasn't been remediated yet by a WHOLE LOT of sites!
>   - this means that we need to keep changing our passwords
>     regularly with a very high frequency until patching is complete
> - Use good passwords...
>   - I used 'good' rather than 'strong' for the simple reason of
>     dictionaries and/or Rainbow Tables
>   - At least 10+ characters long
>   - Use Mixed Case
>   - Use Special Characters (@, !, ^, $)
>   - SPELL THINGS WRONG intentionally!
>     - e.g. EyeR3edB0ok$ instead of IReadBooks
>
>Art "They are out to get us!!! " Bahrs, {insert lots of letters of
>security credentials for those who care about those things hehehe}
>
>
>Art Bahrs, CISSP
>Security Engineer (Oregon Region)
>(971) 282-0927
>
>
>-----Original Message-----
>From: HP-3000 Systems Discussion [mailto:[log in to unmask]] On
>Behalf Of James B. Byrne
>Sent: Thursday, April 10, 2014 6:12 AM
>To: [log in to unmask]
>Subject: Re: OT OpenSSL-1.0.1 Heartbeat exploit named heartbleed
>
>On Thu, April 10, 2014 08:45, Mark Ranft wrote:
> > Might this vulnerability be a concern for MPE posix OpenSSL users?
> >
> > The product, HP WebWise MPE/iX Secure Web Server, contained Openssl
> > 0.9.7d cryptographic/SSL library
> >
> > And there are those that downloaded OpenSLL for sftp. The version I
> > have is openssl-0.9.6a-mpe.tar.
> >
>
>No, any version of OpenSSL prior to 1.0.1 is not affected by this
>vulnerability as the heartbeat protocol was not introduced before 2012 and
>v.1.0.1 was the first release to include it.
>
>--
>*** E-Mail is NOT a SECURE channel ***
>James B. Byrne mailto:[log in to unmask]
>Harte & Lyne Limited http://www.harte-lyne.ca
>9 Brockley Drive vox: +1 905 561 1241
>Hamilton, Ontario fax: +1 905 561 0757
>Canada L8E 3C3
>
>* To join/leave the list, search archives, change list settings, *
>* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
>
>
>________________________________
>
>This message is intended for the sole use of the addressee, and may
>contain information that is privileged, confidential and exempt from
>disclosure under applicable law. If you are not the addressee you
>are hereby notified that you may not use, copy, disclose, or
>distribute to anyone the message or any information contained in the
>message. If you have received this message in error, please
>immediately advise the sender by reply email and delete this message.
>