Tag Archives: Heartbleed

FPPad Bits and Bytes for April 11

On today’s broadcast, a serious security flaw impacts two-thirds of the Internet. How this may affect the information you store online. Betterment announces the launch of an Institutional platform. Will they start winning turnkey asset management business from advisors? And learn how a new integration between Redtail and Riskalyze will help you monitor client portfolios to keep them in line with your client’s risk tolerance.

So get ready, FPPad Bits and Bytes begins now!

(Watch FPPad Bits and Bytes on YouTube)

Today’s episode is brought to you by Wealthbox CRM. Wealthbox is collaborative, social, and outrageously simple CRM for financial advisors.

Wealthbox CRM

Sign up for a free trial today by visiting fppad.com/wealthbox

Here are the links to this week’s top stories:

Here’s everything you need to know about the Heartbleed web security flaw from Gigaom, and

The Heartbleed FAQ for financial advisers from FPPad

[Leading off this week’s broadcast is news of a critical security flaw in a web browser encryption standard called OpenSSL, in use by an estimated two-thirds of all the servers connected to the Internet.

To summarize, the flaw, called “Heartbleed,” allows an attacker to use messages called “heartbeats” to trick a server into passing along sensitive information from its memory, which could include account passwords or the server’s private encryption keys. When hackers get access to that information, really bad things can happen.

So what can you do in response to the Heartbleed vulnerability? In all honesty, not too much. Assume the worst-case scenario, that an attacker has compromised your online passwords, and consider updating your passwords for affected websites to ones that are longer and more difficult to crack. You should also activate multi-factor authentication for any service where it is supported.]

Researchers have discovered a serious flaw known as Heartbleed that affects the security software that runs on about two-thirds of the servers on the internet and could expose user data, including passwords. Here’s what you need to know about it.

Tiburon CEO Summit extrudes big news: Betterment Institutional is born from RIABiz.com

[Next is an update from the online investment advice category, as this week Betterment revealed plans to introduce an institutional version of its technology to financial advisors.

In a fascinating report, RIABiz detailed how plans for Betterment Institutional were made public this week at the Tiburon CEO Summit in New York, as Betterment CEO Jon Stein and new Betterment partner and investor Steve Lockshin, known for founding Fortigent and Convergent Wealth Advisors, were both in attendance.

The soon-to-be-released offering from Betterment takes direct aim at existing turnkey asset management platforms, or TAMPs, which include well-known names like SEI, Envestnet, Adhesion, and even Fortigent itself, with an ultra-low cost offering of around 35 basis points all in.

Cut-throat pricing isn’t the only attraction of Betterment Institutional, as both advisors and clients will likely benefit from access to Betterment’s slick online dashboards and mobile app support for Android and iPhone.

So if you’ve considered outsourcing your investment management and reporting to a TAMP, Betterment Institutional will be a solution that deserves your close attention over the coming months.]

Steve Lockshin lays out his plans for a TAMP-like venture and how Michael Kitces, a public critic of the Betterment CEO, very much fits in.

Redtail and Riskalyze Launch Next-Generation Integration Partnership from Riskalyze.com

[And finally, rounding out this week’s update is news of a new integration between Redtail Technology and Riskalyze. Redtail, known for its CRM, email, and imaging solutions, now synchronizes client assets on a nightly basis with Riskalyze, a client risk tolerance assessment tool and my pick for best client-facing technology of 2013.

In the other direction, Riskalyze updates client risk scores based on the synchronized account information and pushes them, along with the client Risk Numbers, over to the client’s profile in Redtail CRM. This is a time-saving upgrade, as users of both solutions will no longer have to manually switch back and forth to keep assets or Risk Numbers up to date.]

Redtail, the industry leader in advisor CRM, email and imaging, and Riskalyze, the company that invented the Risk Number, today announced a next-generation integration partnership that delivers incredible tools for advisors to grow their practices.

And here are stories that didn’t make this week’s broadcast:

The Advisor’s Technology Swiss Army Knife from Morningstar Advisor

One advisor technology startup combines a suite of disparate business-development tools into one effective solution.

Watch FPPad Bits and Bytes for April 11, 2014

The Heartbleed FAQ for financial advisers

Heartbleed for financial advisers

A security flaw dubbed “Heartbleed” has the potential to affect financial advisers and their clients

This is an evolving story, so in the interest of providing financial advisers with pertinent information about a serious vulnerability in Internet security, I’m offering this guide in a FAQ format.

What is Heartbleed?

Basically, “Heartbleed” is the name of a bug in OpenSSL, software that many web-based services use to secure connections over the Internet. When you see the green padlock icon in your web browser’s address bar, chances are your online session is encrypted with some form of OpenSSL.

The Heartbleed bug, discovered earlier this week, allows an attacker to use messages called “heartbeats” to trick a server into passing along sensitive information from its memory. The information could include account passwords or the server’s private encryption keys.

When hackers get access to that information, really bad things can happen.
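To make the “trick a server into passing along memory” part concrete, here is an added Python simulation. It is not code from FPPad or from OpenSSL; it places a heartbeat record, laid out as RFC 6520 describes it, inside a constructed byte buffer next to unrelated data, and answers the request two ways: one handler trusts the length the sender declared, the other applies the bounds check that the OpenSSL fix added. The buffer contents and the function names are my own.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
PADDING_LEN = 16  # RFC 6520: at least 16 bytes of padding follow the payload


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode an RFC 6520 heartbeat request: 1-byte type, 2-byte big-endian
    payload length, the payload, then padding. claimed_len lets the length
    field disagree with the payload actually sent, which is the malformed
    case the fixed code has to reject."""
    if claimed_len is None:
        claimed_len = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * PADDING_LEN


def respond_unchecked(memory: bytearray, record_len: int) -> bytes:
    """The defect: copy claimed_len bytes from the payload start, trusting the
    sender's length field and never comparing it with record_len. In C this
    read past the record into whatever the heap held next; Python merely stops
    at the end of the simulated buffer."""
    _, claimed_len = struct.unpack_from("!BH", memory, 0)
    return bytes(memory[3:3 + claimed_len])


def respond_checked(memory: bytearray, record_len: int) -> Optional[bytes]:
    """The fix: discard the request if header + declared payload + minimum
    padding would not fit inside the record that was actually received."""
    if record_len < 3:
        return None
    _, claimed_len = struct.unpack_from("!BH", memory, 0)
    if 1 + 2 + claimed_len + PADDING_LEN > record_len:
        return None  # silently dropped, as the patched code does
    return bytes(memory[3:3 + claimed_len])


def simulate(payload: bytes, claimed_len: Optional[int] = None):
    """Place the record in a constructed buffer next to unrelated data that
    stands in for whatever else the process had in memory, and answer it
    both ways. Returns (unchecked_reply, checked_reply)."""
    record = build_heartbeat(payload, claimed_len)
    neighbour = b"CONSTRUCTED-SAMPLE session cookie and key material"  # stand-in, not real data
    memory = bytearray(record + neighbour)
    return respond_unchecked(memory, len(record)), respond_checked(memory, len(record))


if __name__ == "__main__":
    print("well-formed request:", simulate(b"hello"))
    leaked, rejected = simulate(b"hi", 40)
    print("malformed request, unchecked reply:", leaked)
    print("malformed request, checked reply:", rejected)
```

With a well-formed request both handlers echo the payload. With a two-byte payload that claims to be 40 bytes long, the unchecked handler returns the payload, the padding and then 22 bytes of the neighbouring data, which is exactly the class of leak described above; the checked handler returns nothing, because 1 + 2 + 40 + 16 is larger than the 21-byte record it received.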

Lots of additional details on Heartbleed can be found online, but you can start with the Wikipedia entry that is being updated in real time: http://en.wikipedia.org/wiki/Heartbleed

How do I test whether a site is vulnerable to Heartbleed?

Go to this website and type in the domain name of the service you want to test: http://filippo.io/Heartbleed/

The site I tested is vulnerable to Heartbleed! What do I do now?

Oh no! First, assume that your password has been compromised. If you use the same password for other online services, identify the other sites where it’s used.

BUT WAIT! Don’t reset your passwords on the vulnerable sites just yet!

You need to wait until the vendor updates their OpenSSL code to eliminate the vulnerability. Only AFTER you receive confirmation from the vendor that OpenSSL has been updated will it be safe to return to the service and reset your password. Next, skip to the question on multi-factor authentication to increase the security of your online accounts.

The site I tested is all clear. What do I do now?

Whew, what a relief! That one site hasn’t been exposed, but your passwords still may have been exposed from another site. One thing you can easily do to enhance the security of your account is to activate multi-factor authentication (see below).

What’s the multi-factor authentication you mentioned?

Multi-factor authentication is a process where you use two or more factors to successfully log in to a secure account. The “factors” take three forms:

  • Something You Know, like your username, password, PIN, or finger gesture pattern.
  • Something You Have, like your ATM card, security token, smartcard, or mobile phone.
  • Something You Are, like your fingerprint, retina, voice, or typing rhythm.

Combining two or more of these factors substantially increases the difficulty of compromising your online account.

Assume that your password was compromised due to the Heartbleed bug and a hacker attempts to use it. If you implemented multi-factor authentication, the hacker also needs to satisfy the second factor of authentication in order to access your account. If you use your mobile phone to receive a login code, the hacker would not only need to know your password but also have physical access to your mobile phone to identify the login code.

Is there a list that shows which sites support multi-factor authentication?

I’m glad you asked! Last week I identified an outstanding resource on multi-factor authentication in this post: Who supports two factor authentication? Find out in this awesome chart.

The site is twofactorauth.org, and it’s totally worth your time right now to review the list of services and activate multi-factor authentication for any login that supports it.

Can I do something to my web browser to validate the security of my session?

Yes, you can tweak your web browser settings to enforce more stringent security settings for your online sessions. While it’s not a guarantee against the Heartbleed vulnerability, the settings shown below will check if a site’s security certificate has been revoked before establishing a connection.

With thanks to Levi on Twitter, here are some changes you can make to Chrome and Firefox:

Also, courtesy of Dan Santner, here is a link to a more comprehensive scanning tool for a server’s SSL integrity:

The results of that test resemble a grade shown below:

A report generated by the Qualys SSL Server Test

Add your questions below

Did I miss any important details? Is something unclear in one of my answers?

Let me know in the comments below and I’ll update this FAQ accordingly.