Kudos0

Heart Bleed Bug

Is Norton Identity Safe affected by Heart Bleed bug?  Has there been any statement from Symantec?

Replies

Kudos1

Re: Heart Bleed Bug

Kudos0

Re: Heart Bleed Bug

hello again Yank - but are the Symantec main site and this community forum Open-SSL sites? Do we need to change our passwords?

Laptop: Win7 / IE11
Kudos0

Re: Heart Bleed Bug

I had a chat session with Symantec. It was repeatedly said to me that only Web sites are affected by the Heart Bleed bug but that the login information/password I use to access the servers housing my Identity Safe information was/is not affected.

I am no expert in this area but was not reassured by the chat discussion.  Does the point about affecting only Web sites make sense to those of you who understand Open SSL and the capabilities of the Heart Bleed bug?

Thanks.

PS: I hope the forum administrator will respond or, better yet, Symantec will issue a clear statement for us non-experts, about whether there is/was a potential leakage of the password used to access the Identity Safe servers through the login box for Identity Safe. Yes or no!

Symantec/Norton removed the option to store my Identity safe passwords on my personal computer and has now left me wondering whether my information is safe in its cloud servers.   

Kudos0

Re: Heart Bleed Bug

@Tony_Weiss  @Tim_Lopez  @Mohan_G  

Any comment in simple, easy to understand terminology for us less tech-savvy users would certainly be appreciated.

To change all, some or none of our passwords? 
How safe is ID safe Data - etc everyone (including me) seems confused and wondering.

Kudos0

Re: Heart Bleed Bug

LastPass has actively assessed the user sites for their registered passwords, listing in a spreadsheet form the name of the site, the age of the password, whether the site certificate has been updated and the recommended action for the Heartbleed issue.

Why doesn't Norton Identity Safe do the same for its users?

Kudos1

Re: Heart Bleed Bug

AMEN!...And Last Pass has offered a description of how one's primary password (into Last Pass) is encrypted on your local machine and, according to Last Pass, should not be affected by Heart Bleed.

Too bad that a huge company such as Symantec, can't do the same.  Or is it that it really can't offer the same assurance?

Kudos0

Re: Heart Bleed Bug

Symantec has published a heart bleed vulnerability update site, with a link to a matrix of products.

http://www.symantec.com/outbreak/?id=heartbleed

Kudos0

Re: Heart Bleed Bug

Interesting that there is no information about Identity Safe, NIS, NAV or Norton 360

Windows 7 Home Premium x64 SP1 *** Norton 360 v21.6.0.32
Kudos1

Re: Heart Bleed Bug


Krusty13 wrote:

Interesting that there is no information about Identity Safe, NIS, NAV or Norton 360


Hmm...  Interesting that there's a double entry for Identity Safe...  Is that a mistake?  And vexing too that Identity Safe would even be listed as susceptible. Especially considering the statements made by Norton nearly two years ago in the Norton Protection Blog; specifically the blog located here:

http://community.norton.com/t5/Norton-Protection-Blog/What-are-the-changes-to-the-Norton-Toolbar/ba-p/808740

 

which contains (among other claims,) the following set of statements:

"...  The Online Vault is Secure.

 

- Norton uses 256bit AES encryption to encrypt the data. This is a leading industry standard for encryption.

- Using a very “strong” password is mandatory when creating an online vault – not just encouraged.

- On the server side, Norton has security zones and firewalls between each zone to make sure only intended traffic is allowed access.

- Encrypted vaults on PC, Mac, and Mobile clients are only ever decrypted on your local computer, never at Norton facilities, so no Symantec employee ever has access to any vault data.

- Vault contents are encrypted both in transit as well as at Norton data centers to ensure that no one can access a user’s data via a “man-in-the-middle” attack.  ..."

Which (to me) virtually guarantees that the vault data remains hard-encrypted at all times while it is located anywhere other than on the user's local computer or device.

So why is there a concern being flagged - and twice at that?

Kind regards,

John

Kudos0

Re: Heart Bleed Bug

My understanding is that the Vault (Norton Identity Safe) is protection for detection of keystrokes.

Wouldn't that mean that all the sites set up within the Vault are still vulnerable since Heartbleed isn't a keystroke detection issue, it's a site access/security vulnerability issue?

The sites, although housed in the Vault, still exist as a URL and those URLs are still being accessed... just by other means/a different way.

No? 

'course, it'd be moot if NIS/Vault is compromised itself per the results yielded by Krusty13?

PITA!!! 

Kudos0

Re: Heart Bleed Bug

As long as the vulnerable version of OpenSSL is patched at each site, those sites would no longer be putting your password at risk.  Most sites have the patch in place at this point.

Kudos0

Re: Heart Bleed Bug

I am still confused. If I used Identity Safe the majority of the time to log in to web sites in the past "heartbleed" period, do I need to change ANY passwords? Also I used the "Local Vault" option so the passwords and logins were not stored in the cloud - if that makes any difference.

I also agree with one of the other contributors that it would be more than appropriate for Norton to put out a very clear simplified statement to ALL REGISTERED USERS via email (not just on Community Forums) as to exactly what we have to do regarding this "heartbleed bug". Many Norton users have never visited the Forums and wouldn't have any idea on how to even try to get to the Forums. They just turn their PC on and expect it to work. They are lucky if they can even install a program such as Norton, much less contact/contribute to the forums.

Kudos0

Re: Heart Bleed Bug

Hi Carol_in_Fl,

Heartbleed allowed passwords to be stolen from server memory at the website - it has nothing to do with where you store your passwords or whether you use a password manager to log on. If you accessed a vulnerable site using a password, that password was potentially at risk. I say potentially, because it isn't known if there were any exploits of this bug prior to it being publicized in the last couple of weeks. The hole existed for two years, but it is possible that nobody knew about it. So, for safety's sake, we assume the worst, and the prudent thing to do is to check the websites that you use, and if they were at risk, you should change your password.

Also, Norton did send out an email. 

http://community.norton.com/t5/Norton-Internet-Security-Norton/E-mail-from-Norton-about-Heartbleed-legitimate/m-p/1123310/highlight/true#M257333
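An added illustration of the point in the last reply (not part of the thread, and not OpenSSL or Symantec code): a C simulation of a heartbeat handler without and with the length check, showing why the leak comes from the server's memory rather than from where the user stores passwords. The arena layout, function names and the sample credential are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define ARENA 64      /* constructed stand-in for server process memory */
#define OTHER_OFF 16  /* another user's session data sits after the request */
static char arena[ARENA];

static void arena_setup(const char *payload, size_t len) {
    memset(arena, 0, sizeof arena);
    memcpy(arena, payload, len < OTHER_OFF ? len : OTHER_OFF);
    strcpy(arena + OTHER_OFF, "user=alice;pw=constructed-pw"); /* constructed */
}

/* Flawed handler: echoes as many bytes as the request claims to carry. */
size_t heartbeat_vulnerable(size_t actual, size_t claimed, char *out) {
    (void)actual;                          /* real length is never consulted */
    if (claimed > ARENA) claimed = ARENA;  /* clamp only to keep the demo in bounds */
    memcpy(out, arena, claimed);
    return claimed;
}

/* Patched handler: a claimed length larger than what arrived is discarded. */
size_t heartbeat_fixed(size_t actual, size_t claimed, char *out) {
    if (claimed > actual || claimed > ARENA) return 0;
    memcpy(out, arena, claimed);
    return claimed;
}
/* Byte search that tolerates NUL bytes inside the reply. */
static int contains(const char *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

int demo_vulnerable_leaks(void) {   /* 4-byte payload, request claims 64 */
    char out[ARENA];
    arena_setup("ping", 4);
    return contains(out, heartbeat_vulnerable(4, 64, out), "pw=");
}
size_t demo_fixed_reply_len(void) { /* same request against the patched handler */
    char out[ARENA];
    arena_setup("ping", 4);
    return heartbeat_fixed(4, 64, out);
}

int main(void) {
    printf("leak=%d fixed_len=%zu\n", demo_vulnerable_leaks(), demo_fixed_reply_len());
    return 0;
}
```

The credential in the reply belongs to a different session than the one that sent the heartbeat, which is why any password sent to a vulnerable site was potentially exposed regardless of how the user stored it.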
