Last week, very few people knew about the term HeartBleed. This week, almost everyone has been bombarded with news about this critical security flaw in OpenSSL - a method of securing internet transactions and your confidential information.
First, the good news: NYSBA systems are not impacted by this security problem!
We were altered to this problem Tuesday and have verified that it does not impact our servers. We use IIS (Internet Information Server) from Microsoft and the impacted systems all run Apache – part of the open source software suite that many websites use. Our only server that runs Apache is the Recommind search server which does not use the impacted software (OpenSSL) since there is no encrypted data on that server that could be compromised.
As an extra precaution, our firewall vendor upgraded our firewall software Tuesday night to prevent these types of attacks even though we do not use SSL.
At this point, I won't duplicate what others are saying, but I'd like to give members a reference for what they should do to protect online accounts. Now that the bug is public, many hackers are targeting sites that have not been fixed to attempt to gather information about your usernames and passwords. This means that if you change your password on a site that has not been fixed, you stand an even greater chance of having your information stolen. I've included a link below to let you see who has patched their site and if you need to change your password:
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
This site is constantly updated so you can check daily for updates. So far, Facebook and Google have been patched, LinkedIn has not and they are not sure yet about Twitter.
Once a site has been patched - then you should change your password, but not before.