heartbleed Archives - HIPAA News, Web & Email Security Tips & News - Plus More | LuxSci

Posts Tagged ‘heartbleed’

Can S/MIME be trusted when SSL has had so many security issues?

Thursday, March 26th, 2015

SSL and TLS have had a lot of security issues over the past 1-2 years. While these have been patched quickly, they have been very bad and have changed our view of, and trust in, the Internet. S/MIME is really just aspects of SSL/TLS applied to secure email messages (we looked at this previously). So … can S/MIME be trusted? Does it suffer from the same vulnerabilities as SSL? Is S/MIME a good thing to use for secure email, or is it something you should not touch with a 10-foot pole?

As we shall see, S/MIME is impervious to the majority of the issues with SSL because there is no real-time negotiation of cryptographic algorithms and there can be no man-in-the-middle.

Let's see…


HIPAA and Heartbleed … Are you automatically in breach?

Tuesday, April 15th, 2014

Under the HIPAA Privacy Rule, a breach is defined as:

Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.

Based on this definition, merely having been vulnerable to a security exploit (e.g. Heartbleed) does not constitute a breach and does not trigger breach notification law.

So, just because you used a system that was vulnerable to Heartbleed does not mean that a breach occurred or that any type of reporting is needed. Imagine if it did … practically everyone would have to report, and that would overwhelm Health and Human Services!


HeartBleed Attack on OpenSSL and LuxSci: What you should know.

Tuesday, April 8th, 2014

If you don’t know yet, an incredibly serious security issue in software used by roughly 66% of all web sites on the Internet was discovered over the last few days. This issue, which has been in existence since 2011, is one of the most serious issues facing the Internet in a long time. Companies all over the world are scrambling to update their systems to protect themselves against Heartbleed attacks.

You can read about this issue here: The Heartbleed Bug

The takeaway is that this is not a weakness in SSL or TLS, but a bug in certain versions of the “openssl” open source SSL library used by very many sites. If exploited, the attacker can get your secure web site's SSL private keys … thus allowing them to spoof your site and perform “man in the middle” attacks without any SSL errors or warnings. This is really not good.

The homework for end users is to change passwords and to replace SSL certificates that they may have purchased themselves for secure email or web services.

Heartbleed and LuxSci

LuxSci’s servers have been fully updated so that they are no longer vulnerable to the Heartbleed attack. We have also re-issued and re-installed our luxsci.com-related certificates and revoked the old ones.
