Sorry for the off topic post, but this seems like a very widespread security threat and I'm just seeking some assurance wherever I can get it!
So, are there any known/suspected concerns with vendors we might use for Volvo parts?
Matt, others: Do we need to worry about Heartbleed?
- matthew1
- Site Admin
- Posts: 14463
- Joined: 14 September 2002
- Year and Model: 850 T5, 1997
- Location: Denver, Colorado, US
- Has thanked: 2652 times
- Been thanked: 1240 times
- Contact:
Jim,
Not here at matthewsvolvosite.com*, but generally, yes, you should take precautions to minimize your exposure.
Any site that uses https can be susceptible to the Heartbleed flaw.
Check sites with this tool. EDIT: don't use that tool. Use this:
https://www.ssllabs.com/ssltest/analyze.html?d=eeuroparts.com
To check sites other than eEuroparts.com, remove "eeuroparts.com" from the end of the URL and add the site you'd like to test.
* MVS does not sell anything, thus has little need for a secure connection, thus I don't use SSL here
Last edited by matthew1 on 10 Apr 2014, 12:34, edited 2 times in total.
Reason: edited tool link, added better tool URL
Help keep MVS on the web -> click sponsors' links here on MVS when you buy from them.
Also -> Amazon link. Click that when you go to buy something on Amazon and MVS gets a cut!
1998 V70, no dash lights on
1997 850 T5 [gone] w/ MSD ignition coil, Hallman manual boost controller, injectors, R bumper, OMP strut brace
2004 V70 R [gone]
How to Thank someone for their post

- matthew1
The #1 specific piece of advice I can give is this:
Use a unique password for your email, different than any other password you use anywhere else.
If you can do one thing, do this.
Assuming user credentials at an affected server are compromised (like they are with the Heartbleed bug), two pieces of information are usually held in the same location on a server: your email address and your password (among others).
Example: You have an account at XYZ retailer. 99% of the time a retail web site account will require an email address and a password (to log in to XYZ.com). As an attacker, the first thing I would try after getting your account info would be that password on that email address.
If I can get into your email, the potential for stealing money goes way, way up. Tenfold, a hundredfold.
Summary: make your password for your email different than any other password you use anywhere else.

- matthew1
Here's a list of the Web's most popular sites, and what to do if you have an account on one:
http://mashable.com/2014/04/09/heartble ... -affected/

- eEuroparts
- Posts: 14
- Joined: 16 July 2012
- Year and Model: ALL
- Location: Windsor, CT
- Been thanked: 1 time
Hi All,
Thanks for your interest in all of this. Please use this site to test for SSL vulnerabilities:
https://www.ssllabs.com/ssltest/analyze ... oparts.com
The site referenced earlier isn't thorough enough and doesn't take a deep enough dive into publicly available protocols active on a server.
Additionally, OpenSSL vulnerabilities are scanned by TrustWave and we just re-scanned this morning so that can be seen here:
https://sealserver.trustwave.com/cert.p ... yle=invert
The reason that this "threat" is so widespread is because this is the standard FREE SSL protocol that is deployed with MOST UNIX/LINUX servers. So anybody that is using a UNIX machine or basically a "cheap" hosting platform from one of the major providers COULD be affected. Most people who run higher traffic web sites are not using these free protocols, and even if they are, they are not the protocols actually in use doing the decryption. They're just not disabled because nobody ever bothered.
Here's the good news. Most of the major eCommerce platforms (including eEuroparts.com and I think all of your other sponsors of this site) are scanned routinely by companies that know what they're doing for PCI compliance reasons. This forces us to stay on top of any of these potential threats. This is just the most recent of 4 - 6 issues that have been a "possibility" in the last year alone. I would take this one slightly more seriously if you use the same password at every single site.
Also, if you run a Windows Stack or a Sun (Java) Stack you're not affected unless for some reason you have Apache installed. Notice sites like Amazon, PayPal, eBay (Sun Stack), or Microsoft / Hotmail / Bing etc. Windows Stack sites are crossed off the list.
Also "unknown" like Facebook is also a good thing. It means they have the ability to read external protocols blocked, which is actually what you want. Makes it tougher for hackers because they have to "guess" what you're running.
The best defense to anything is having as many passwords as possible. I know it's annoying but it's probably the most true statement available.
- matthew1
^ Thanks, Matt.
Quick summary:
I've contacted MVS sponsors: all are patched and protected, or else don't use the affected software (OpenSSL).
iPD
eEuroparts
FCP
Volvo Salvage
Southern Vo Vo
... all MVS sponsors are protected from Heartbleed.
The only exception would be sponsors' eBay Stores, for those sponsors who have them. I can't find definitive word on eBay's status with Heartbleed, but I'll update this thread as soon as I'm aware of it.

- eEuroparts
eBay runs a Sun stack (Java); 99% sure they wouldn't be affected.