Greetings SWAMP User,
On April 7th, 2014 a critical bug (“Heartbleed”) in the widely used OpenSSL security software was announced. This impacts about half of the Internet’s secure web servers, including the SWAMP. While the time between the announcement and the SWAMP patching its infrastructure was short, and we have no indication that anyone’s password was compromised, it is still theoretically possible. As such we are strongly advising all SWAMP users to change their passwords. You can change your password by logging into the SWAMP at https://www.mir-swamp.org (*) and then selecting “My Account”, “Edit Profile” and “Change Password” (*) Ideally you should have the SWAMP bookmarked so you don’t have to click on a link in email, which could be a phishing attempt.
Please choose a unique password for the SWAMP that is not used on other sites. You will find that using a secure password manager such as LastPass, Keepass or 1Password will aid in choosing a unique and strong password for each website you use.
== What We Have Done ==
The SWAMP team has reviewed this bug thoroughly and properly patched our web servers with the fixed version of OpenSSL. We have also regenerated our SSL certificate as a precaution in the case that the old one was compromised. For details, please see:
Other questions you may have
Can you tell me more about this vulnerability?
Please see http://heartbleed.com/
Can the SWAMP be used to find vulnerabilities like Heartbleed?
The SWAMP team will have a blog post on this shortly with more information.
Was there any evidence that data in the SWAMP had been compromised or that my password was seen?
No. However, since prior to the identification of the bug on April 7th, it is possible it may have been used without leaving evidence, we are being cautious and strongly advising all SWAMP users to change their passwords.
What if I didn’t log on to the SWAMP website during the exploitation window?
If you have logged into the SWAMP at any time, there is the possibility that your password was still in memory during the exploitation window, thus we feel that everyone should change their password. Also, since the vulnerability existed for about 2 years prior to its discovery, it is possible that unknown parties have have been using it.
Would the strength of my password matter?
The strength of your password is an important part of keeping your account secure from attackers, however in this case, the password would have been viewable in clear text directly and the strength would not matter.
I already use a secure password manager, would that help?
No, a secure password manager like LastPass helps you to manage your many passwords on your computer, but it does nothing to protect your password on a server.
Would two factor authentication improve security?
Two factor authentication would indeed help protect accounts by requiring more than just the knowledge of the plain text password.
Are my SSH keys compromised?
No. Although SSH uses OpenSSL libraries to generate keys, this bug only affects the SSL/TLS protocol, which SSH does not use for authentication or transmission of data.
If you have any other questions, please feel free to contact SWAMP staff at firstname.lastname@example.org
Thank you for your time,
SWAMP Security Team