Tag Archives: privacy laws

Protect yourself against Heartbleed bug

What we think,

The Heartbleed bug has already been heralded as one of the biggest security threats on the Internet. It exploits an encryption flaw in Open SSL – used by many hugely popular sites such as Gmail, Facebook etc.

What is the Heartbleed bug?

Heartbleed is a vulnerability discovered in a specific SSL implementation (OpenSSL) that allows an attacker to steal private data from the vulnerable server’s memory. It is not a vulnerability within the design of SSL.

Digital Rehab recommends that you change ALL your passwords immediately for these sites.

Heartbleed bug - change all passwords

Your password information could have been exposed along with some of your sensitive account information.

Some Internet companies have rapidly moved to patch and fix their security while most have not yet.

Although changing your password regularly is always good practice, if a site or service hasn’t yet patched the problem, your information will still be vulnerable.

Also, if you reused the same password on multiple sites, and one of those sites was vulnerable, you’ll need to change the password everywhere. It’s not a good idea to use the same password across multiple sites, anyway.

To view an updated listing of what has been impacted by Heathbleed – please see Mashable’s table

LATEST UPDATE 17th APRIL 2014:

There has been a lot of press coverage over the last week about Heartbleed. As the vulnerable library, OpenSSL, is predominantly used in Linux and open source environments, there hasn’t been as much attention applied to those of us with Microsoft-centric investments.

Should you be running a Microsoft environment, here are some helpful tips:

  • Microsoft software, like IIS, uses an SSL implementation called SChannel (“Secure Channel”), which does not exhibit the vulnerability. This does not mean that your organisation is unaffected though.
  • The most common scenario to see OpenSSL in an otherwise Microsoft web stack is edge servers. That is, performing SSL termination at load balancers and cache servers. These are often deployed as hardware appliances, external site acceleration services, orcontent delivery networks. In many scenarios, I find that application teams are unaware of these extra infrastructure layers, and thus may erroneously declare their application as unaffected on an initial pass.
  • Another scenario is embedded devices, and these are a usually harder to patch.
  • Unfortunately, due to the nature of the potential attack, you will not find any record of an attack in your logs.
  • If an affected version of OpenSSL is present anywhere in your data flow, you will need to at least patch and rotate SSL keys. You’ll also need to consider any secrets that have been present on the vulnerable node, such as user submitted data and passwords. This applies even if there are further layers of SSL behind the affected device (eg, terminate-and-forward scenarios that forward to SSL-based endpoints). Remember that if you are reusing a certificate across multiple services, such as a wildcard certificate, you will need to revoke and rotate all usages, not just the vulnerable nodes.

New Privacy Laws start today

What we think

The privacy reforms today introduced aim to create greater transparency for business and government to disclose to consumers about personal information is maintained, handled and also how it is used.

Todays changes to the Privacy Act 1988 have been heralded as the most significant in more than 25 years and grant greater power to both average Australians and the Privacy Commissioner.

The Australian Government introduced the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth).

The Act introduces the APPs a set of mandatory privacy principles which replace the National Privacy Principles and the Information Privacy Principles contained in the Privacy Act 1988 (Cth).

From a marketing standpoint, the changes represent a tightly defined mandate from which we can operate from. This is demonstrated in APP 7.1 which states: “If an organisation holds personal information about an individual, the organisation must not use or disclose the information for the purpose of direct marketing.” There are however a number of exceptions to this rule, outlined further on in APP 7 – Direct Marketing.

Such exceptions include that there must be some sort of functioning opt out mechanism for all direct marketing communication in line with their technical platform, whether that be an unsubscribe button on email, information about cookies and where not to accept or sending STOP on a txt message.

The use of personal information, what is considered personal information and how you obtain it was one of the key points from the new laws.

Another key aspect to the laws is the inclusion of a “collection statement” of solicited personal information, which marketers should perhaps consider having a tick box for the consumer to agree regarding the use of their personal information to ensure consent.

“The data collection statement is, both a blessing and a possible nightmare for fellow marketers who preside over a database. If well managed, there is a lot that can be leveraged but, get if poorly managed, there is every chance you might run into problems.”

Rule of Thumb is this: if you collect personal information you must take reasonable steps to notify the individuals of how you intend to manage and use data certain matters at or before the time of collection.

The new laws apply to all organisations that collect personal information with a minimum annual turnover of $3 million.

Additional information can be found in the Act.

Written by Alisdair Blackman

Alisdair Blackman is Digital Rehab’s Owner & Principal Consultant and has owned, run and grown 4 successful digital agencies since 1996 and is an online marketing specialist.