• HOME
• ABOUT US
• OUR SERVICES
• CONTACT US
• CUSTOMER SUPPORT
• BLOG

• Home>
• Blog > Heartbleed Bug - What you should know...

Heartbleed Bug: What you need to know...

11th April 2014

You might have seen various coverage in the Press, on TV, and online - as well as from e-mails from various suppliers about a new vulnerability known as "Heartbleed" (a not particularly elegant name).

Before we go into some background on what it is, we want to reassure customers that our engineers are aware of the risk - here's how it might affect you with your services with us:

• Customers with Windows Servers, wither Dedicated, Virtual or On-Premise are not vulnerable - Windows Systems are not using the "SSL" software that this vulnerability exploits.

• All of our Windows Web Hosting - including Essentials, Xi and any legacy packages are unaffected by this issue

• Although it may be expected, none of our Linux Web Hosting Services are affected and were never affected by this issue.

• Customers using any of our Hosted & Cloud services - for example Agility Desktop, Agility Mail and so on are not affected by this issue

• We are aware of a small possible vulnerability with some of our Firewall Services, and we're working to patch those systems and protect them from this issue - we anticipate there will be zero vulnerability in this area by 12/04/14.

Beyond this, we are checking to see if any customer with active maintenance has any vulnerability, but as a general rule, customers are secure as our technology and services do not use the vulnerable software or are using versions that are already secure.

So what is this Heartbleed thing anyhow?

In simple terms, it's a way of compromising the security of "SSL" - this is the technology used to secure communications to various services - often Web Sites, and you most commonly recognise it when you see a "padlock" on your browser in the address bar. It's used by a huge number of companies, from banking to google and facebook.

Why isn't everything affected?

Put simply - because not everyone uses the same software for "SSL" technology. Even if they are using the type (specifically Open SSL), it's only vulnerable in more recent version - effectively in more recent versions someone introduced a bug. This might come as a surprise as we tend to think that newer versions are just more secure, but the reality is, software can become less secure whenever a change is made just as much as it can become more secure.

This doesn't affect Windows...

It might come as a surprise also to some that Windows itself isn't vulnerable - although people tend to think that Windows is generally insecure (a pretty old and long since banished reality, this issue doesn't affect it because it isn't using Open SSL. However you might have firewalls, routers and other equipment that is vulnerable that sits in front of it - so they need consideration.

So what can I do?

If you're a VPW customer, and you have fully managed services from us, you'll need to do nothing - if we are aware of a problem with equipment we actively support, and that you're vulnerable to, we'll get it fixed (although right now, we're not aware of any customer that will actively be affected). If you're not a customer yet, you might need help from an IT company to check particularly if you aren't technically minded. At VPW, we can help you even if you aren't currently a customer- especially if you're based in Exeter, Devon, Somerset or Dorset - as we're based in the South West.

Should I reset my passwords?

Well the jury is out - some people suggest you should change all your passwords, but the reality is there's no point changing them if they're secure already, or if the service or system you're using is still vulnerable to the attack. It's not easy to tell either as a normal person and many companies won't want to openly talk about how they're vulnerable.

In general though, we'd suggest if you're the type of person that uses the same password for everything, it's about time you stopped - regardless of this bug, because security issues like this won't go away and sooner or later you might find yourself caught out. It's worth thinking of ways to remember passwords and vary them on each site or service - you can write many passwords down, just don't leave them with your computer (especially in an office) and remember that in most cases, passwords are only used online, so unless someone breaks into your house, the passwords you write down won't really be that insecure. Just make sure the most sensitive passwords really are kept safe.

Here are some tips for passwords generally:

• Instead of just writing down passwords, you could make it harder to find/use them by using a little cunning - don't write down passwords, but just write down a hint as to what they were about - eg as an aide memoir - for example if you wanted a password for Facebook that was "Happy Pigeons" you could write down "Facebook - "smiling birds" - it's vague enough you can't guess (unless you're picking something I can guess by knowing you - like if you love pigeons!), and helpful enough that you can work out what you meant.
• If you need to use numbers, don't stick a 1 at the end (seriously, password1 isn't actually trick to guess, nor is your name with a 1 etc). But we also suggest you don't do obvious things like swap all E letters to 3 - everyone knows that. Perhaps make up some random number rules of your own (like add 5 to a letter - so e, being the 5th letter of the alphabet is represented with 10 - so a password like "mylovelyhands" becomes "mylov10lyhands". Again, you might want to vary this for some sites to make the pattern harder to remember - you could even write this clue down - it isn't that obvious still to anyone.
• Do the same sort of thing for letters - perhaps replace every 3rd letter of a password with a number, or make it a capital letter. All those kinds of things - it makes it less obvious and guessable, but gives a balance of being rememberable for you too - we realise the reality is that you won't just use complex passwords all the time (even though you should!)
• Add symbols - it's a really handy useful thing to do - it makes guessing and cracking passwords even harder if you add some symbols - hashes, asterisks, dollar signs - you name it - use them wherever you can (any credible system should allow this in passwords).

It can be relatively simple to create passwords that are hard to guess without a lot of effort, harder to crack by automated tools, yet sufficiently memorable using these types of techniques - all you have to do is remember your "rules" (don't write those down) for making passwords, and then use helpful but not too obvious clues and you have much better security already.

But above all..

DO NOT USE THE SAME PASSWORD EVERYWHERE! EVER. NO. NEVER.

Need some advice or help?

If you want more help on security, including the Heartbleed bug, why not give our team a call? We'd be happy to help you, and our Sales/Enquiries team can be reached on 01392 950 950. If you're an existing customer, contact support.

<< Back to the Blog

Follow us on:

© Copyright 1998-2016, VPW Systems (UK) Ltd | All Rights Reserved | Legal Information |
IT Services and Computer Support for Small Business from an Exeter, Devon Based IT Support and Services Company
From IT Support Services to Business Broadband, Server Systems and Cloud Email, Cloud Desktop and Web Hosting Services
Main Offices: 6-7 Southernhay West, Exeter, Devon, EX1 1JG

You're connecting to us as: 3.144.113.197 using IPv4