Slot Car Corner Website NOT affected by Heartbleed Vulnerabi


Re: Slot Car Corner Website NOT affected by Heartbleed Vulne

Postby Jesla » Fri Apr 11, 2014 5:47 am

My bad....I never meant to suggest that your site had been compromised.
What I'm trying to warn about is all the servers between that have been.
While I am sure you have made your site safer, it still doesn't mean it's safe
to pay electronically. And you really can't guarantee that all the other servers
that are required for the transaction (including all the hops) are safe.
Last edited by Jesla on Fri Apr 11, 2014 6:22 am, edited 1 time in total.
Jesla
HRW SlotCar Veteran!
 
Posts: 892
Joined: Wed Sep 05, 2012 6:45 pm
Location: East TN

Re: Slot Car Corner Website NOT affected by Heartbleed Vulne

Postby SlotCarCorner » Fri Apr 11, 2014 6:14 am

You're right - from an academic standpoint, there is no such thing as 100% certainty with anything related to computer security. The old adage, "You don't know what you don't know," certainly applies to computer security - Heartbleed is just one example. At any given point in time, there are similar threats - new viruses and security holes are introduced every day. I'm not downplaying Heartbleed; however, I think the media has blown it way out of proportion. Do a Google search on "Heartbleed" and you will see literally thousands of hits. At least 99% of them are journalists and self-proclaimed know-it-alls who are suddenly computer security experts. Many have no clue what they are talking about - just cutting/pasting information about Heartbleed they found somewhere else and perhaps embellishing it a bit. Why - what is their motive for doing this? Simply put - they want to drive traffic to their website (many generate advertising revenue this way) and the more sensational they can make something appear, the more traffic ($$$).

If things are as bad as you describe, the only rational solution would be to shut down the internet until somebody comes up with a solution for 100% of the servers connected. This simply is not practical, and as fast as you "fix" one problem, there are 10 new ones to take its place. As new threats are identified, companies take steps to mitigate or eliminate them. In many instances, they can do so proactively, but in cases like Heartbleed, they have to "react". As Ember stated previously, you need to take reasonable precautions and live your life. Are there still servers out there that are vulnerable? Sure there are. Will some of those servers be exploited? Probably - and rest assured the media will jump all over it when/if it happens.

Now suppose there were only 2 servers on the entire internet. One is running a version of OpenSSL that is vulnerable to Heartbleed and the other is not. Now suppose you're a hacker and you want to take advantage of Heartbleed. You can very quickly determine if a given server is running a version of OpenSSL that is vulnerable. Which server are you going to hack? Most would-be hackers are going to follow the path of least resistance. Now if the Chinese government wanted to hack the second server, could they? Sure - but they wouldn't use Heartbleed to do so.

Slot Car Corner, like many other businesses (Google, Yahoo, Paypal, Facebook, etc. etc.) has taken the time to do some due diligence, ensure the proper controls are in place, and reassure our Customers that we are open for business. And for the record, we're not losing sleep over the Chinese government hacking Slot Car Corner. Given the steps taken to address Heartbleed (and the attention from all the media wannabe security experts...), I am FAR more concerned about other threats I am not aware of.

Peace...
SlotCarCorner
SCC Mechanic
 
Posts: 736
Joined: Tue Sep 04, 2012 7:45 am

Re: Slot Car Corner Website NOT affected by Heartbleed Vulne

Postby ElSecundo » Fri Apr 11, 2014 7:15 am

Actually, the media was very late to the party on this one, and doesn't understand enough about it to even guess at how bad it really is. If anything, they've missed the significance of it. I'm not a 'Chicken Little' kind of guy, and I don't tend to post warnings. The security community knows that this is a bad one. It's not a virus, it's an exploit, and it's child's play to find every unprotected server/web device out there and exploit it to intercept supposedly encrypted traffic, and break the encryption.

That said, there is only so much that any one business can do. It takes a solid response from all businesses to shut this exploit down, and SlotCarCorner has done its part. SCC has protected its corner of the internet as much as can be expected from anyone. That said, there are 11 devices between here and the SCC website. Some say that only the endpoints need to be protected, some say otherwise. If I were a hacker, I believe I could retrieve all the necessary bits of information from the intermediate hops.

That said, there are lots of ways to do business, and not all of them require the internet. :)
ElSecundo
The Great One
 
Posts: 1372
Joined: Wed Aug 29, 2012 6:26 pm
Location: Sellersburg, IN

Re: Slot Car Corner Website NOT affected by Heartbleed Vulne

Postby SlotCarCorner » Fri Apr 11, 2014 8:18 am

It might be worthwhile to review how a typical network connection takes place - let's say between your home PC and the Slot Car Corner website. The intermediate devices between your PC and the Slot Car Corner server are NOT servers - they are network devices (e.g. routers, switches, load balancers). Network devices are very specialized and they are locked down very tight (network providers are exposed to tremendous liability if they were not - as such, they are very, very pro-active looking for any type of intrusion). Network devices are not vulnerable to Heartbleed. If a hacker hacks the network infrastructure "between" the Client (your PC) and the destination server, they are exploiting other vulnerabilities besides Heartbleed.
SlotCarCorner
SCC Mechanic
 
Posts: 736
Joined: Tue Sep 04, 2012 7:45 am

Re: Slot Car Corner Website NOT affected by Heartbleed Vulne

Postby ElSecundo » Fri Apr 11, 2014 10:41 am

It really doesn't have to be a traditional server to be vulnerable. My firewall exists between here and SCC, but it is vulnerable. Wireless controllers, if web-facing, can be vulnerable. Our firewall is certainly locked down tight, but it still has its own proprietary OS, and it also uses SSL.

Cisco reported that 16 models of its routers, switches, and IP phones are susceptible to Heartbleed, and Juniper has also fessed up. This means that very significant parts of the internet infrastructure are susceptible to the bug, unfortunately.
ElSecundo
The Great One
 
Posts: 1372
Joined: Wed Aug 29, 2012 6:26 pm
Location: Sellersburg, IN
