Security Experts Advise Nigerians on “Heartbleed” Bug
Security experts have advised Nigerians to change their passwords on sites affected by the Heartbleed bug, to limit what attackers can do with any sensitive information already retrieved from vulnerable websites, services and devices. A new password only helps once the site in question has patched its OpenSSL installation and reissued its certificates; a password changed on a still-vulnerable server can be read out again the same way.
This comes days after the initial worldwide panic over the discovery of a serious vulnerability in OpenSSL, the widely used open-source cryptographic software library.
The weakness (CVE-2014-0160) lies in OpenSSL's implementation of the TLS heartbeat extension. A malformed heartbeat request causes an unpatched OpenSSL 1.0.1 through 1.0.1f to return up to 64 kB of its process memory to the requester, so an attacker can read data that would normally be protected by the SSL/TLS encryption used to secure the Internet, including private keys, session cookies and user credentials. SSL/TLS provides communication security and privacy over the Internet for applications such as the web, email, instant messaging (IM) and some virtual private networks (VPNs).
Oruks IT Solutions, a Nigeria-based IT firm, advised all internet users in Nigeria to use stronger passwords on all internet-enabled devices, including the handheld and mobile devices commonly used in Africa's largest economy. Password complexity on its own does not defend against this bug, which reads a password out of server memory however long it is; the protection comes from replacing a password that may already have been captured, once the service has been patched.
News of the Heartbleed bug emerged on Monday when Google Security and Codenomicon, a Finnish security company, revealed that the flaw had existed in OpenSSL for more than two years.
Because the leaked memory can contain a server's private key and users' session cookies, the flaw makes it possible to impersonate services and users, and to eavesdrop on data communications, without leaving any trace in the server's logs.
To mitigate the Heartbleed vulnerability, Cyberoam has released IPS Signature Versions 3.11.61 and 5.11.61 containing an IPS signature named “OpenSSL TLS DTLS Heartbeat Information Disclosure”.
By default, once an IPS policy carrying the signature “OpenSSL TLS DTLS Heartbeat Information Disclosure” is applied through the firewall, SSL connections attempting to exploit the vulnerability are dropped. A signature of this kind blocks the probe at the network edge; it does not repair the library on the hosts behind it.
“We request all Cyberoam customers to verify the version of IPS Signature from the Dashboard of their Appliances.
“After upgrading or taking steps to mitigate this vulnerability, Cyberoam also recommends that all customers apply the fix provided by the OpenSSL team in their applications, such as web services etc., which use the compromised versions of OpenSSL.
“Cyberoam recommends disabling all non-mission-critical SSL services and applications running on the compromised OpenSSL versions,” the email read.
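The check an IPS signature such as the one described above has to make is a simple one: a TLS heartbeat message declares its own payload length, and Heartbleed is the case where that declared length exceeds the bytes actually present in the record. The following is an added example written for this page, not code from Cyberoam, OpenSSL or the original article; it parses plaintext TLS records, applies the length test from RFC 6520 (the same test the OpenSSL patch added), and returns an allow/drop verdict per record. The sample records at the bottom are constructed for the demonstration.

```python
import struct

TLS_HEARTBEAT = 24   # TLS record content type for the heartbeat extension (RFC 6520)
HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16     # RFC 6520: a heartbeat message carries at least 16 bytes of padding


def parse_records(data):
    """Split a plaintext byte stream into (content_type, version, body) TLS records.

    Each record is a 5-byte header (type, version, length) followed by `length` bytes.
    """
    records = []
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record")
        records.append((ctype, version, body))
        off += 5 + length
    return records


def heartbeat_is_malformed(body):
    """Return a reason string if a heartbeat body is malformed, else None.

    Layout: type(1) | payload_length(2) | payload | padding(>=16).
    Heartbleed is the case where payload_length claims more bytes than the record
    holds; an unpatched OpenSSL copies payload_length bytes out of its own memory
    into the response. The fixed OpenSSL rejects a message when
    1 + 2 + payload_length + 16 exceeds the record length, and so does this check.
    """
    if len(body) < 3:
        return "heartbeat body shorter than its 3-byte header"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "unknown heartbeat type %d" % hb_type
    available = len(body) - 3 - MIN_PADDING
    if 3 + payload_len + MIN_PADDING > len(body):
        return "declared payload_length %d exceeds the %d bytes actually present" % (
            payload_len, max(available, 0))
    return None


def inspect_stream(data):
    """IPS-style pass over a byte stream: one ('allow'|'drop', reason) verdict per record."""
    verdicts = []
    for ctype, _version, body in parse_records(data):
        if ctype != TLS_HEARTBEAT:
            verdicts.append(("allow", "not a heartbeat record"))
            continue
        reason = heartbeat_is_malformed(body)
        verdicts.append(("drop", reason) if reason else ("allow", "well-formed heartbeat"))
    return verdicts


def build_heartbeat(payload, declared_len=None, padding=b"\x00" * 16, version=0x0302):
    """Construct a TLS heartbeat request record (test helper; constructed sample input).

    Passing declared_len larger than len(payload) produces the Heartbleed shape.
    """
    if declared_len is None:
        declared_len = len(payload)
    message = struct.pack("!BH", HB_REQUEST, declared_len) + payload + padding
    return struct.pack("!BHH", TLS_HEARTBEAT, version, len(message)) + message


# Constructed samples: one honest heartbeat, one that lies about its length.
BENIGN = build_heartbeat(b"ping")
MALICIOUS = build_heartbeat(b"ping", declared_len=0xFFFF)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, inspect_stream(sample))
```

This inspects heartbeat records sent in the clear, which is how the widely used probes worked: they sent the heartbeat before the handshake completed, so the record was never under the TLS record-layer encryption. A heartbeat sent after the handshake is encrypted and cannot be inspected this way, which is one reason the network signature is a stopgap and the OpenSSL fix on each host is the actual remedy.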