Child Item

Site Totals

61255 Questions Answered 267 Categories

Is the Verizon Wireless website safe from the Heartbleed bug?

According to a reliable source, verizonwireless.com is potentially at risk from the heartbleed bug. Where is the statement from Verizon regarding their web services?

Site:	verizonwireless.com
Server software:	VZW
Was vulnerable:	Possibly (might use OpenSSL, but we can't tell)
SSL Certificate:	Possibly Unsafe (created 2 years ago at Jun 12 00:00:00 2012 GMT)
Assessment:	It's not clear if it was vulnerable so wait for the company to say something publicly, if you used the same password on any other sites, update it now.

Site:	www.verizon.com
Server software:	Oracle-iPlanet-Web-Server/7.0
Was vulnerable:	Possibly (might use OpenSSL, but we can't tell)
SSL Certificate:	Possibly Unsafe (created 9 months ago at Jul 22 13:38:06 2013 GMT)
Assessment:	It's not clear if it was vulnerable so wait for the company to say something publicly, if you used the same password on any other sites, update it now.

Come on Verizon - put this prominently on your home page!

Comments

heartbleed

How is this still not answered? Anywhere?

I hate it when people try to gin up importance in their posts with something like "I'll never buy from Verizon again", but this is literally stopping me from buying multiple phones (and also stopping me from logging in to view my bill, account usage, etc).

Its just completely unacceptable to not put something somewhere(front page? forums? FAQ? >anywhere) indicating if the site was vulnerable and whether or not its been patched. The only vague indicator we have is the age of the SSL certificate, which is several months old, so that's bad at the least. And on top of that we have to log in to interact with support in any way?

c'mon VZ... A little effort please.

unknown

Verizon Wireless is aware of the OpenSSL security vulnerability referred to as ‘Heartbleed.’ The long period of industry-wide exposure to the Heartbleed problem is unusual, but in our review to date of Verizon Wireless’ external websites, we have found no evidence of any compromise. Our investigation is ongoing, and we continue to work with our vendors as they complete their own assessments. We will respond to the results accordingly. As always, we advise our customers to follow good online security practices, including choosing unique passwords and changing them periodically.

We are also working with our device manufacturers to test and deploy patches to any affected wireless devices on our network running Android 4.1.1. Our device manufacturers have confirmed that other wireless device operating systems are not affected. We encourage our customers to check for and accept system updates on their wireless devices. Customers who have rooted their wireless device or installed modified software should reset the device to factory settings and then check for and accept system updates. Customers can visit our website for information about the latest software updates. (http://www.verizonwireless.com/support/information/software_updates.html?lid=sayt&sayt=software%20update*)

Customers who have downloaded applications from third parties should contact the application provider for security information.

heartbleed

That's progress, but not very reassuring.

#1 - the vulnerability hit major news outlets 2 weeks ago. That's 2 weeks worth of hackers hitting any site with a large number of users and personal (especially financial) information (which Verizon certainly qualifies for).

#2 - the vulnerability will leave no "evidence of any compromise". If a hacker attacks the site, and gains access to personal information, there is no way for Verizon to know.

#3 - the vulnerability can not be detected, but it can be patched. Easily. I work for a company that provides an online service, and it took us about 4 hours to patch 20 public facing servers and request new SSL certificates. We have 2 admins. Verizon certainly should have more. Both of these steps are critical, and just not that difficult.

#4 - "to follow good online security practices, including choosing unique passwords and changing them periodically" - This is actually TERRIBLE advice in the face of heartbleed. If a user has not logged in for months, and their data is not currently compromised, and Verizon is vulnerable - then logging in to change a password could in fact subject their information to attack when it is otherwise safe.

To repeat - the ONLY path to acceptable solution here is:

1 - Verizon needs to verify if they use OpenSSL on any server systems. Note that other than IIS (Microsoft) servers, this is estimated by some to affect 80% of public servers.

2 - If they do use OpenSSL, do they use one of the affected versions. This is likely, as it affects every version released for the past few years.

3 - If one of the affected versions was used, there is no way to detect if a breach occurred. Encouraging people to change passwords in this case could be disastrous. Verizon first needs to patch all affected systems, then obtain new server SSL certificates, and then notify all customers to change passwords.

4 - Preferably Verizon would work with a major news outlet (Mashable is currently taking the lead on this issue) and provide details.

Again, I for one would like to order multiple phones for my family, but can't justify doing so until a clear response to this is provided. If this lags long enough for the buy one/get one promotion to expire, that might actually be enough to make me consider switching providers. Saying "we haven't found anything yet, but you should go ahead and change your passwords" is terrible advice.

Thanks.

rjsattler

Agreed heartbleed. Excellent response to Verizon. The Verizon response is irresponsible to say the least. Basically, "we still haven't figured out if we are vulnerable yet, we are still looking". What? It begs the question, who are you Verizon? I have worked for a large corporation before and sometimes the right hand doesn't know that the left hand is doing, but this is crazy. Companies much larger have responded to the threat - 2 weeks ago!

I am concerned Verizon. You either don't care about your customers data or you are just plain ignorant. Perhaps both.

heartbleed

Lovely. Now the buy one/get one promotion for the G5 has expired, and this is still not addressed. In my opinion that effectively costs me $200 for that second phone.

Let me show you how this is done:

Sprint Community: Announcements: Heartbleed Bug - Sprint.Com Unaffected

Sprint's director of IT confirmed authoritatively that Sprint was not affected. Not "we have no evidence of compromise". Please understand that there is an enormous difference between those two statements

And not done:

AT&T on Heartbleed & OpenSSL
AT&T is taking a similar approach to Verizon, that "no evidence that the Heartbleed vulnerability has been exploited in our infrastructure or service components". That statement of course is completely useless - if any IT person takes the time to read 5 paragraphs on the Heartbleed bug, you'll realize that no evidence is left of an attack. Either you were vulnerable or you weren't. Tell us, stop looking for evidence.
Space Search | T-Mobile Support
T-Mobile might be the worst of the 4 - they are providing no response whatsoever. Then again, I question their users for not really even posting questions.

My family plan runs close to $250/month, or $3,000/year. If Sprint offers any kind of reasonable phones and plans, you have just lost that Verizon. And why? Because you can't simply take 5 minutes to log into your web servers and run 3 commands:

openssl version
If this says anything less than 1.0.1g, tell us, and fix it below
apt-get update ; apt-get upgrade (if you're on a Debian system)
yum update (if you're on a Fedora/CentOS system)
Contact your SSL certificate provider and request new SSL certificates

Really - this should take 15 minutes. I've done it, and I don't hold millions of dollars in revenue in my hands. How is this not your top priority?

Child Item