[IMPORTANT] OpenSSL-Bug > Reset PW + Cert after Install [message #112407]
Wed, 09 April 2014 12:46
Maerad
Messages: 275 Registered: August 2013
After I just had a phone call about another case involving the OpenSSL bug, I would like to stress one of the most important points AFTER the fix.
THIS APPLIES NOT ONLY TO KERIO CONNECT, BUT ALSO TO ANY SYSTEM THAT USES OPENSSL WITH THE HEARTBLEED BUG!
After installing the new OpenSSL version or the updated program that had the Heartbleed bug...
1. CHANGE the SSL certificate! For any self-made ones, just create a new one. For an official one, have the old one declared invalid and request a new cert.
2. FORCE a password change! And this for every one you have. As a company or reseller, force a change for every user and/or inform the customers about it. The new passwords should be completely different from the old ones. IF someone extracted the data with the bug, he has usernames and passwords in clear text. Any following attack will try the old password in all "lazy" combinations, like PW bla12%23 is now bla12%24.
3. CHECK your other tools on the network, not only the server and clients. The OpenSSL module is used in a wide range of software, from Linux PCs (SSH login!), routers, switches, phone systems etc. to many integrated server systems like Kerio, ERP etc.
Or if you have something out on the internet like a webcam. If you are unsure about them and you need access, use a VPN and no port mapping.
Can't stress those points enough ...
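Point 2 above, that a forced password reset is worthless if users just bump a digit, can be enforced at change time. This is an added example, not code from the post or from Kerio: a checker that rejects a proposed new password when it is a predictable mutation of the old one. The thresholds and rules are my assumptions.

```python
"""Reject 'lazy' password rotations after a credential exposure (added example).

The forum post warns that an attacker who captured old passwords via Heartbleed
will try trivial variations (bla12%23 -> bla12%24). This checker flags such
proposals so the reset actually invalidates the leaked secret.
"""
import re


def _levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _skeleton(pw: str) -> str:
    """Collapse case and drop digits/symbols so 'Bla12%23' and 'bla99!' look alike."""
    return re.sub(r"[^a-z]", "", pw.lower())


def is_lazy_variant(old: str, new: str, min_distance: int = 4) -> bool:
    """True if `new` is a predictable mutation of `old` and should be rejected.

    min_distance is an assumed policy value: fewer than 4 edits counts as lazy.
    """
    if old == new:
        return True
    # Rule 1: only a few characters changed (bla12%23 -> bla12%24 is 1 edit).
    if _levenshtein(old, new) < min_distance:
        return True
    # Rule 2: same letters, only the numbers, symbols or case were changed.
    if _skeleton(old) and _skeleton(old) == _skeleton(new):
        return True
    # Rule 3: the old password is embedded in the new one (e.g. a year appended).
    lo, ln = old.lower(), new.lower()
    if len(lo) >= 4 and (lo in ln or ln in lo):
        return True
    return False


def check_rotation(old: str, new: str) -> str:
    """Return 'ok' or 'rejected' so a reset workflow can act on the verdict."""
    return "rejected" if is_lazy_variant(old, new) else "ok"
```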
[Updated on: Wed, 09 April 2014 12:54]