On Monday, news came out about the discovery of a significant and widespread security problem: the Heartbleed OpenSSL bug. This security hole is a vulnerability in the OpenSSL cryptographic library, which is used by roughly two-thirds of all websites on the Internet to secure private information as it travels over the web. This email is our effort to explain how this bug may impact you and to note some of the actions you can take to protect yourselves while this issue is being addressed.
Please note that the Security First Advisors website is not vulnerable because we do not store any client data within our site, and email exchanges between our staff and our clients are not vulnerable because this is a bug that affects websites, not email. Additionally, the Sharefile website we used to share tax documents with clients and their CPAs is also not at risk. See below for further details:
| Vulnerable: | No (does not use OpenSSL) |
| SSL Certificate: | Safe (regenerated 2 years ago) |
| Assessment: | This server was not vulnerable, no need to change your password unless you have used it on any other site! |
To help answer questions you may have about this new internet security issue, we’ve collected some basic information and a tool you may find useful.
Any website where you use passwords, transact business, or maintain assets should be checked. Websites may be checked to see if they are potentially vulnerable, and if they have updated their SSL certificate in the last 48 hours. It might be prudent to stay off vulnerable sites containing secure information, or those transmitting credit card data. Once they have updated their certificates, log in and change your passwords. Examples of sites that may be vulnerable include banking sites, investment firms, Facebook, Amazon, eBay, travel sites, etc.
The LastPass tool allows you to check websites for potential vulnerability and SSL certificate updates: https://lastpass.com/heartbleed/
Even after websites correct the problem, we strongly recommend you change your passwords to reduce your security risk. For example, everyone with a Yahoo account, a Wells Fargo account, or an OkCupid account can change their passwords now, because these sites were vulnerable but have just now updated their certificates, which indicates they have taken steps to address the Heartbleed issue.