A massive security flaw was recently discovered on the Internet, possibly affecting the information of millions, if not billions, of users around the web. This recent vulnerability has been officially named CVE-2014-0160, but is better known as The Heartbleed Bug. What is Heartbleed, who was affected, and what should your business do to protect its information in the wake of Heartbleed?
What is Heartbleed?
Heartbleed is a bug in OpenSSL, the encryption library that many websites use to secure the connection between users and the sites they are logged in to. It lets an attacker read portions of a server's memory, exposing data that the encryption layer is supposed to protect. Investigative journalist Brian Krebs described Heartbleed concisely as, “Attackers can steal the ‘keys to the kingdom,’ as it were — the private encryption keys that websites use to encrypt and decrypt all communications with visitors”. Valuable information such as passwords, private keys, banking information, and other personal information is at risk on any website that has not taken action against Heartbleed.
The Heartbleed Bug was discovered by a Google engineer and the Finnish security firm Codenomicon. Since the information was publicized on the web on April 7th, it has been referred to as “one of the most serious security problems to ever affect the modern web” (CNN).
Who Was Affected by Heartbleed?
Some estimates claim that two-thirds of the web has been vulnerable to Heartbleed since 2011. The bug lets attackers steal private encryption keys and then impersonate the affected servers or decrypt their traffic, all without leaving any trace of access in server logs. As a result, we may never know the full extent of the information that was stolen as a result of Heartbleed.
Some of the larger websites that were vulnerable to Heartbleed include Yahoo, Pinterest, Google, Amazon Web Services, GoDaddy, GitHub, LastPass, and even the OpenSSL website itself. These websites are just the highlights, and it is not clear what, if any, information was stolen from their servers as a result of Heartbleed. For more information on vulnerable websites, view Mashable’s list of Heartbleed Bug Websites affected.
What should you do?
If your business has not already done so, it should update any of its web servers to the latest version of OpenSSL. In addition, any private keys that are used to access your web servers should be replaced, along with any security certificates; do this only after the server has been patched, since a new key generated on a still-vulnerable server can leak just like the old one, and have the old certificates revoked. If you are unsure of whether a particular web server or web host has been patched for Heartbleed, be sure to type in its public URL at this Heartbleed Test website.
Every individual within your organization should take the proper precautions to reset all passwords in the wake of Heartbleed, waiting in each case until the service in question has been patched, since a new password entered on a still-vulnerable site can be exposed just like the old one. This means not just work-related accounts online, but also all personal accounts such as email, banking, social media, and any other login that is associated with private information. It is important to remember to use a different password for every account, and to use combinations of uppercase letters, lowercase letters, numbers, and special characters to create strong passwords. When available, two-factor authentication for web services should be enabled. If Heartbleed has taught the Information Technology world one thing, it is that we can never be too safe.
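The remediation steps above, carried through as an added triage script (written for this page, not code from the original post): it classifies `openssl version` output against the affected range published in the OpenSSL advisory and decides, per host, whether patching, key and certificate replacement, and a user password reset are still outstanding. The host names, version banners and dates in the inventory are constructed.

```python
import re
from datetime import date
from typing import List, Optional

# Affected builds per the OpenSSL advisory: 1.0.1 through 1.0.1f and the
# 1.0.2-beta1 pre-release. 1.0.1g carries the fix; 0.9.8 and 1.0.0 never had the bug.
FIXED_LETTER = "g"
BANNER_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d+)?")


def version_is_vulnerable(banner: str) -> bool:
    """Classify `openssl version` output by the upstream version string alone.
    Distributions backported the fix into packages that still print 1.0.1e,
    so True here means "confirm against the package changelog", not "exploitable"."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    major, minor, fix, letter, beta = m.groups()
    if (major, minor, fix) == ("1", "0", "1"):
        return letter < FIXED_LETTER      # "" (plain 1.0.1) and "a".."f" sort before "g"
    if (major, minor, fix) == ("1", "0", "2"):
        return beta == "-beta1"           # beta2 and the final release are fixed
    return False


def triage(banner: str, cert_not_before: str, patched_on: Optional[str]) -> List[str]:
    """Remediation steps for one host, in the order they must be carried out.
    Dates are ISO strings: the certificate's notBefore and the day a fixed OpenSSL
    was installed (None if it never was). A key that was ever loaded into a
    vulnerable build may have leaked, so a cert issued before the patch needs a new key."""
    steps = []
    if version_is_vulnerable(banner):
        steps.append("upgrade OpenSSL to 1.0.1g+ or a distro build with the fix backported")
        steps.append("then generate a new key, reissue the certificate and revoke the old one")
    elif patched_on and date.fromisoformat(cert_not_before) < date.fromisoformat(patched_on):
        steps.append("generate a new key, reissue the certificate and revoke the old one")
    if steps:
        steps.append("have users reset passwords once the new certificate is live")
    return steps


# Constructed inventory (hypothetical hosts): banner, cert notBefore, patch date.
INVENTORY = [
    ("www", "OpenSSL 1.0.1e 11 Feb 2013", "2013-06-01", None),
    ("mail", "OpenSSL 1.0.1g 7 Apr 2014", "2013-06-01", "2014-04-08"),
    ("vpn", "OpenSSL 1.0.1g 7 Apr 2014", "2014-04-09", "2014-04-08"),
    ("legacy", "OpenSSL 1.0.0k 5 Feb 2013", "2012-01-01", None),
]
if __name__ == "__main__":
    for host, banner, not_before, patched in INVENTORY:
        print(f"{host}: {triage(banner, not_before, patched) or ['no action needed']}")
```

The "vpn" host shows the case that is easy to miss: a fixed OpenSSL and a certificate issued after the patch means nothing more is due, whereas "mail" is patched but still carries a certificate whose key was exposed to the vulnerable build.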