Tuesday, April 15, 2014

Heartbleed - what I told my colleagues

Aside from being the computer teacher for my school, I'm also the GAFE administrator and all around tech guy designated to solve any and all problems that arise. With the recent news of the Heartbleed vulnerability I sent out the following email...




As some of you may have heard there was a fairly large discovery regarding internet security recently. A vulnerability referred to as "Heartbleed" was uncovered. This issue relates to a large majority of the internet as it was a flaw in a common security protocol allowing hackers undetected access to user data (at this time there is no indication Heartbleed was used for nefarious purposes, security experts aren't sure if anyone noticed it before the security experts). Essentially, the notion that the "https" and padlock icon you see on secure sites turned out to have an open backdoor to some services.
It is highly recommended you change your passwords immediately for the following internet services:


  • Facebook
  • IFTTT
  • Instagram
  • Pinterest
  • Tumblr
  • Google
  • Yahoo
  • Gmail
  • Amazon Web Services
  • TurboTax
  • Dropbox
  • OKCupid
  • SoundCloud
  • GoDaddy
  • Minecraft

  • You can read a specific breakdown of all the most common web services, including banking sites, and whether or not they recommend changing passwords/
    Apple does not use the affected security protocol so there is no need to change that password.
    As a PS 10 staff member you should definitely change:
    • Dropbox
    Keep in mind, there is no evidence this security flaw was exploited, every company potentially affected has patched the problem and is reviewing their systems to determine is any breach took place.The changing of passwords is highly recommended as a precautionary measure.
    Please change your @ps10.org & Dropbox passwords as soon as possible!
    Here is something I wrote as a guide to help remember passwords more easily (a perfect solution it is not, but something to get you thinking): http://thecasalos.blogspot.com/2013/08/so-many-passwords-so-little-time.html
    Here are a few highly rated apps for saving passwords securly:

    • a few other recommended options:


    For some more information here are two links that break down the issue in very simple terms:
     
    1. http://www.cultofmac.com/273993/change-passwords-15-heartbleed-vulnerable-sites-asap/#DWUWqp3CQu4JFF71.99 
    2. http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
    One final note, it is a general security recommendation that you use "2 step authentication" on any/all websites that support this. This means the website will send you a text, so you need to be able to receive text messages, any time your account is accessed from an unknown location. You can turn on "2 step authentication" on most services, including your @ps10.org account under the Security settings.
    Please let me know if you have any questions.
    Thank you



    If you are a GAFE admin you can turn on, and enforce, 2-step authentication in the General Security settings. I turned it on as an option but at this point I am not forcing users to use it. 

    Why not force users to use 2-step? A few reasons:
    • we are k-5 with grades 3-5 using GAFE. They, for the most part, don't have cell phones so 2-step isn't easily possible
    • teachers a generally tech-reluctant. They are ok with using it, and we've shown them the value, but they still instinctively get wary of added steps. I'm pitching them 2-step, but don't want to force it on them just yet


    Which brings up the interesting issue of student passwords...
    ... I'm working on it...

    When I created the accounts I created generic passwords in the Excel sheet I uploaded to GAFE. I'm thinking of trying to re-upload that with a letter or number appended to the original password. Essentially resetting their passwords to one character off the original. That might be the easiest way to get 600 students reset all at once. Perfect? Hardly. But it might be the best way to do it. Bigger problem is it's Spring Break and students use their accounts over the break but I don't necessarily want to lock them out before I can inform them in person.... Again, not a perfect situation...

    So there it is. Heartbleed, and how I'm dealing with it.

    No comments:

    Post a Comment