On Tue, Apr 08, 2014 at 06:21:58PM +0000, Andy Smith wrote:
If you've been reading tech news in the last 24
hours then you're
probably aware of "heartbleed", but if not then you will want to
have a read of:
http://heartbleed.com/
and take appropriate action.
Some information about the possible exposure of your BitFolk
credentials to this bug:
-
https://tools.bitfolk.com/… (wiki, feature tracker, cacti)
Hosts terminating these SSL sessions were upgraded to Debian
wheezy on September 22nd 2013 so there was therefore a window
between then and Tuesday 8th April 2014 during which the
vulnerable versions of OpenSSL were being run.
An attacker with knowledge of the bug could conceivably have
abused it to read server memory, which could possibly have
contained your BitFolk credentials.
The likelihood of someone who was already aware of this bug using
it to steal credentials of BitFolk customers from our wiki /
tracker / cacti sites inside the 6.5 month window seem very low,
but if you think you have logged in to any of those sites since
last September then you may wish to change your passwords as a
precaution.
You can change your password via:
https://panel.bitfolk.com/account/security/
The SSL cert has since been replaced.
-
https://bitfolk.com/
https://panel.bitfolk.com/
https://nagios.bitfolk.com/nagios/
These sites have never run vulnerable versions of the OpenSSL libraries.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce