Anytime Bruce Schneier’s name is mentioned in a security news article, I’ve learned to pay attention. And that is because he is serious about security and has developed an enviable reputation by being committed to understanding exploits and assisting security folks worldwide to isolate and eliminate them.
Now it's time to listen, people.
“But, before you panic, it is worth remembering that, at this point, we don’t know how close we are to the worst-case scenario. It is possible, though improbable, that the security researchers who exposed this flaw were, in fact, the first people to find it, which would mean that it has only been known about, and exploited, for a few days. (It was found, independently, by a team of security researchers at Codenomicon and Neel Mehta, of Google Security.) At the same time the bug was announced, a new, secure version of OpenSSL was released, and updating most of the affected servers is a straightforward task. Major services like Google and Yahoo have already patched the vulnerability. Engineers did not need to stay up all night in a mad scramble to make repairs, but, as one system administrator told me, the nature of the bug made this something more than a routine update. ‘It’s an update, a configuration change, and a notification to your users that there’s no way to know if their data was stolen or not,’ he said. To be safe, identity certificates for servers and users must be revoked and then reissued. The fix, in other words, is both urgent and tedious, which is the worst kind of job for a programmer or system administrator.”
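The quote lists three jobs for every affected server: install the fixed OpenSSL, reissue the certificates, and tell users. Here is a small worked example, added to this post and not taken from the New Yorker article or from the OpenSSL project, that turns that list into a check an administrator can run against a server's `openssl version` output and its certificate's notBefore date. It assumes the bug in question is the one publicly tracked as Heartbleed (CVE-2014-0160): OpenSSL 1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release were affected, 1.0.1g fixed it, and the 0.9.8 and 1.0.0 branches never contained the heartbeat code. It also assumes, as some Linux distributions did at the time, that a fix may be backported without changing the version string, which is why there is an explicit `fix_backported` flag; the function names, step strings and sample dates are my own.

```python
"""Post-patch checks for the OpenSSL bug quoted above (example code added
to this post; not from the New Yorker article or the OpenSSL project).

Assumptions: affected releases are 1.0.1 through 1.0.1f plus 1.0.2-beta1;
1.0.1g is the fix; 0.9.8 and 1.0.0 never had the heartbeat code. A distro
may have backported the fix without bumping the version string, so the
version check alone is not the last word.
"""

import re
from datetime import datetime, timezone

_VERSION_RE = re.compile(
    r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([A-Za-z0-9]+))?"
)

STEP_UPDATE = "update OpenSSL and restart every process that links it"
STEP_REISSUE = "generate a new private key, reissue the certificate, revoke the old one"
STEP_NOTIFY = "notify users and ask them to change passwords once the above is done"


def utc(year, month, day, hour=0, minute=0):
    """Small helper so dates can be written compactly below."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def classify_openssl(version_line):
    """Classify one line of `openssl version` output as
    "vulnerable", "fixed", "not_affected" or "unknown"."""
    m = _VERSION_RE.match(version_line.strip())
    if not m:
        return "unknown"
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, prerelease = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f shipped the bug; Python string
        # comparison gives "" < "a" < ... < "f" < "g", which is what we need.
        return "vulnerable" if letter < "g" else "fixed"
    if (major, minor, patch) == (1, 0, 2):
        # Only the first 1.0.2 pre-release carried the bug.
        return "vulnerable" if prerelease == "beta1" else "fixed"
    if (major, minor) in ((1, 0), (0, 9)):
        # 1.0.0x and 0.9.8x predate the heartbeat extension entirely.
        return "not_affected"
    return "fixed"


def remediation_steps(version_line, fix_backported, cert_not_before, patched_at):
    """Return the work still outstanding for one server.

    fix_backported: the operator's assertion, from the distribution's package
        changelog, that the running library is patched despite its version string.
    cert_not_before: the certificate's notBefore field.
    patched_at: when the fixed library was actually loaded, i.e. when the
        services were restarted (a library on disk that no process has
        reloaded fixes nothing).
    """
    status = classify_openssl(version_line)
    if status == "not_affected":
        return []
    steps = []
    if status in ("vulnerable", "unknown") and not fix_backported:
        steps.append(STEP_UPDATE)
    # A key that sat in memory while the bug was live must be treated as
    # exposed. A certificate whose validity began before the patch time was
    # not reissued afterwards, so it still needs a fresh key and certificate.
    if cert_not_before <= patched_at:
        steps.append(STEP_REISSUE)
    # Nothing on the server records what was read, so users are told regardless.
    steps.append(STEP_NOTIFY)
    return steps


if __name__ == "__main__":
    # Constructed sample inputs, not real hosts or certificates.
    patched_at = utc(2014, 4, 8, 9)
    old_cert = utc(2013, 6, 1)
    new_cert = utc(2014, 4, 8, 12)
    samples = [
        ("OpenSSL 1.0.1e 11 Feb 2013", False, old_cert),  # unpatched
        ("OpenSSL 1.0.1e 11 Feb 2013", True, old_cert),   # distro backport, old cert
        ("OpenSSL 1.0.1g 7 Apr 2014", False, new_cert),   # patched and reissued
        ("OpenSSL 1.0.0l 6 Jan 2014", False, old_cert),   # never affected
    ]
    for line, backported, not_before in samples:
        print(line, "->", classify_openssl(line), remediation_steps(line, backported, not_before, patched_at))
```

The notify step is never dropped for an affected server, which is the quoted administrator's point: the fix leaves no way to tell whether anything was read, so the only honest message to users is that they should assume it was.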
For now, it's time to CHANGE YOUR PASSWORDS! One caveat: do it on a site only after that site has installed the fixed OpenSSL and reissued its certificates. A new password sent to a server that is still vulnerable is just as exposed as the old one, so check the site's own announcement first, then change it.
Thanks to The New Yorker for the quoted passage.