Is IE your browser of choice?

If so, listen up. You could be vulnerable. According to Microsoft, attacks are targeting versions 9, 10, and 11, but this affects every version of Internet Explorer back to 6. (Yes, 6. A small sliver of the internet still uses it. Sigh.)

What’s going on?

If you are like 26% of the web, you may be vulnerable to a recently discovered security hole in IE. Microsoft explains it best:

“The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”

Is there a fix? How do I stay safe?

Currently, there is NO FIX released by Microsoft. In the meantime, use another browser (e.g. Chrome or Firefox), or if you must use IE, just be very, very careful about which links you click on (especially those received via email).

The Heartbleed Bug And You

What’s going on?

On Monday (April 7, 2014), Neel Mehta of Google Security & his team reported a bug, with potentially massive consequences, to the OpenSSL team. When I say massive, I mean experts predict that over 50% of all sites are affected now or have been affected in the past.

Anyone use Pinterest? Yahoo? Airbnb? We recommend you listen up.

So, what is the Heartbleed bug?

To boil it down, there’s a hole in the encryption process that allows hackers to access security keys, undermining the security of a site that uses an SSL certificate. They can move in, steal your important data, and leave without a trace. Most, if not all, of these attacks can be done in such a way that they’ve been going on for the past 2 years & no one, not even Google, knew about them. That’s scary!

What are we doing about it?

Here at Wex Marketing, we develop all of our e-commerce sites around the latest & greatest security features & practices, including implementing at least a 256-bit SSL security certificate. Unfortunately, the bug that was just announced has been “open season” for a long time (up to 2 years!). The affected OpenSSL versions are listed as 1.0.1 through 1.0.1f, on servers running Apache and Nginx software.

Since the announcement, we have been hard at work communicating with our host companies (who handle the SSL side of things) to make sure all our sites have been updated with the latest OpenSSL fix that came out shortly after the announcement.
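One way to triage a list of servers against the version range given above, as an added example that is not code from Wex Marketing or the OpenSSL project: it parses `openssl version` banners and flags those inside 1.0.1 through 1.0.1f. The host names, the sample banners and the function names `classify` and `audit` are constructed for illustration; a banner in range means the host needs its package patch level confirmed, because vendors often ship fixes without changing the upstream version string.

```python
import re

# Range exactly as the page lists it: OpenSSL 1.0.1 through 1.0.1f.
AFFECTED_BASE = (1, 0, 1)
AFFECTED_LETTERS = {"", "a", "b", "c", "d", "e", "f"}

# Version token in `openssl version` output, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013".
BANNER_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)


def classify(banner):
    """Return 'in-range', 'out-of-range' or 'unknown' for one version banner."""
    m = BANNER_RE.search(banner)
    if not m:
        return "unknown"  # not an OpenSSL banner, or a format we do not parse
    base = tuple(int(part) for part in m.group(1, 2, 3))
    letter = m.group(4).lower()
    if base == AFFECTED_BASE and letter in AFFECTED_LETTERS:
        # Vendors often backport fixes without changing this string, so
        # 'in-range' means "confirm the package patch level", not proof.
        return "in-range"
    return "out-of-range"


def audit(inventory_text):
    """Group hosts by status from lines of the form '<host><TAB><banner>'."""
    report = {"in-range": [], "out-of-range": [], "unknown": []}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, _, banner = line.partition("\t")
        report[classify(banner)].append(host.strip())
    return report


# Constructed sample inventory (hypothetical hosts, typical banner shapes).
SAMPLE_INVENTORY = (
    "shop01.example.test\tOpenSSL 1.0.1e-fips 11 Feb 2013\n"
    "shop02.example.test\tOpenSSL 1.0.1 14 Mar 2012\n"
    "mail01.example.test\tOpenSSL 0.9.8y 5 Feb 2013\n"
    "blog01.example.test\tOpenSSL 1.0.1g 7 Apr 2014\n"
    "cdn01.example.test\tcommand not found\n"
)

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as `unknown` need a manual look, since the banner could not be read as an OpenSSL version at all.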

What can you do about it?

As we touch up the SSL versions, we recommend you change all important passwords, including, but not limited to, email, site backends, payment gateways, etc., even personal bank accounts! By now, we expect all the major institutions to have applied the fix, but just to be safe, change all important passwords!

Curious if your site (or a site you use) is vulnerable? Check it with this tool by LastPass.

Want to know more?

If you want to dig deeper, check out heartbleed.com or read the official announcement put out by US-CERT (Computer Emergency Readiness Team, part of the Department of Homeland Security).