HeartBleed vulnerability – how we’re securing F-Secure products and services
This has been a week the security industry will never forget.
You’ve probably heard about HeartBleed -- a critical security vulnerability in the OpenSSL library that has affected nearly every company dealing with security software on earth, including us. But thankfully, with our security teams working round the clock, we’ve been able to prevent any negative consequences from this issue thus far.
The vulnerability could allow an attacker to read exactly the kind of information we work hardest to protect -- web server private keys and user passwords. Codenomicon put together http://heartbleed.com/ to explain just how widespread this issue really is.
Here’s what we’ve done to secure F-Secure’s products and services, and how you can take additional steps to make sure your personal data is secure.
As soon as this two-year-old issue was revealed on Monday, April 7th, we started working to patch all of our affected systems. According to our current knowledge, we have had no leaks of data as of Friday, April 11th. However, some of our consumer products and platforms have been assessed at “Risk Level: Critical” and all of these have been patched since the news broke.
The affected consumer products that have been patched against the vulnerability and don’t require any action from your side are:
- Safe Profile
- F-Secure Search
- F-Secure Key
- F-Secure Freedome
- F-Secure Lokki
The affected consumer products that have been patched against the vulnerability, but require an action from your side are:
- F-Secure SAFE
Since the F-Secure SAFE portal requires a web login (MySafe), we suggest you change your password, as we suggest doing for any other online service. You can log in to the SAFE portal at https://mysafe.f-secure.com/login and change your password using the tab “Account details.”
Additionally, the platform that hosts our Community pages - Lithium - was also affected, but the vulnerability was quickly resolved. Highly security-sensitive customers may consider changing their Community password(s), but this should not be necessary.
Consumer products not affected are:
- F-Secure Mobile Security
- F-Secure Internet Security
- F-Secure Online Backup
- F-Secure Anti-Virus
- F-Secure Anti-Virus for Mac
- younited
These products have been found unaffected by the vulnerability. However, since the purchase of these products involves an account created by our third-party e-store provider (Asknet), we suggest changing your password if you have logged in to this account after November 2013. You can log in at https://shop.f-secure.com/cgi-bin/shop/ml=EN?mode=info to reset your password.
(Users and administrators of some of our corporate products will have to take action. Details and updated information can be found on this page, where we keep everyone up to date: http://www.f-secure.com/en/web/labs_global/fsc-2014-1)
HOWEVER, if you have been using the same password for different services, you should update these now – whether they are for F-Secure services or not. Using unique passwords for all of your most important accounts is crucial – before and after HeartBleed. If you are sick of remembering dozens of unique, strong passwords, you can use a simple password manager such as F-Secure Key.
“What?” you may be thinking. “You recommend Key which was impacted by HeartBleed?” Yes, we do. Even though F-Secure Key servers were affected by the HeartBleed vulnerability, all data stored in Key was and is safe. User data can only be accessed on a user’s device – not through the web. And that’s also why our Key users do not have to change their master password.
Want to know more about HeartBleed and how it affects you? Check this out: http://safeandsavvy.f-secure.com/2014/04/09/youre-going-to-need-to-change-your-passwords-twice-and-heres-the-easiest-way-to-do-it/#.U0f9phDJU88