What You Should Know About Heartbleed
In the past 10 days you’ve likely heard about the Heartbleed bug. Many companies have been sending out email notices either stating that their website was not affected or asking you to change your password because they have fixed the vulnerability on their site.
The Heartbleed bug is a defect in OpenSSL, a software library that a large share of web servers use to encrypt traffic. It lets an attacker read chunks of a server’s memory, which can contain usernames, passwords, session cookies and, in the worst case, the server’s private encryption key, and it does so without leaving any obvious trace in the server’s logs. That is what makes it easier for bad guys to steal logins and passwords at many websites. At least for the time being, it appears that not many people have had their information actually stolen.
OpenSSL is an open source (free), widely used implementation of SSL/TLS, the protocol that encrypts data sent to and from websites, including passwords you type into them. SSL stands for Secure Sockets Layer; the current versions of the protocol are called TLS. Every website whose address begins with “https” uses SSL/TLS, but only sites running OpenSSL versions 1.0.1 through 1.0.1f are affected by this bug. OpenSSL 1.0.1g contains the fix, and the older 1.0.0 and 0.9.8 branches never had the defect. Note that some Linux distributions patch the bug without changing the version number, so the version string alone does not settle the question; the vendor’s patch notes do.
The vulnerable code was added to OpenSSL at the end of 2011 and shipped in version 1.0.1 in March 2012, so the problem existed for more than two years before it was discovered, independently, by Google engineer Neel Mehta and the security firm Codenomicon. It was an ordinary programming mistake: the code trusted a length value supplied by the remote party without checking it against the amount of data actually received. Since its discovery, websites have been feverishly implementing fixes, trying to beat the crooks who might take advantage of the problem.
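To make the “simple mistake” concrete, here is an added illustration (not OpenSSL’s own code) that models the TLS heartbeat handler in a few dozen lines of C. A heartbeat message is one type byte, a two-byte payload length, the payload, and at least 16 bytes of padding. The vulnerable handler copies as many bytes as the sender claims; the fixed handler first checks that the claimed length fits inside the record actually received, which is exactly the one-line check OpenSSL 1.0.1g added. The memory layout, the oversized buffer, and the “SECRET:password123” string placed next to the record are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example, not OpenSSL's code: a simplified model of the
 * TLS heartbeat handler. A heartbeat message is 1 type byte, a 2-byte
 * big-endian payload length, the payload, then at least 16 bytes of
 * padding (RFC 6520). */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_HDR       3

/* Simulated process memory: the received record sits at the start, and
 * unrelated data (here a constructed secret) happens to follow it. The
 * buffer is oversized so the demonstration over-read stays inside it;
 * a real over-read walks into whatever the heap happens to hold. */
static unsigned char g_memory[1024];
#define SECRET_OFFSET 32
static const char *k_secret = "SECRET:password123";

/* Lay out a heartbeat request whose header claims `claimed` payload
 * bytes but that actually carries only `real` payload bytes.
 * Returns the true record length as the TLS layer would report it. */
size_t build_request(uint16_t claimed, size_t real) {
    memset(g_memory, 0, sizeof g_memory);
    g_memory[0] = HB_REQUEST;
    g_memory[1] = (unsigned char)(claimed >> 8);
    g_memory[2] = (unsigned char)(claimed & 0xff);
    memset(g_memory + HB_HDR, 'A', real);          /* actual payload */
    size_t rec_len = HB_HDR + real + HB_PADDING;   /* padding left as zeros */
    memcpy(g_memory + SECRET_OFFSET, k_secret, strlen(k_secret));
    return rec_len;
}

static uint16_t claimed_len(const unsigned char *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Vulnerable pattern (OpenSSL 1.0.1 to 1.0.1f): the length field in the
 * attacker-supplied header is trusted and rec_len is never consulted,
 * so memcpy reads past the real record into adjacent memory. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    (void)rec_len;                                  /* ignored: this is the bug */
    uint16_t n = claimed_len(rec);
    if (HB_HDR + (size_t)n + HB_PADDING > out_cap)  /* only guards OUR buffer */
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, n);          /* the over-read */
    return HB_HDR + n;
}

/* Fixed pattern (OpenSSL 1.0.1g): the claimed length must fit inside the
 * record actually received, otherwise the message is silently dropped. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HDR + HB_PADDING) return 0;    /* too short to be valid */
    uint16_t n = claimed_len(rec);
    if (HB_HDR + (size_t)n + HB_PADDING > rec_len) return 0;  /* the added check */
    if (HB_HDR + (size_t)n + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, n);
    return HB_HDR + n;
}

/* Push one request through a handler and report whether the response
 * echoes the constructed secret: 1 = leaked, 0 = not, -1 = dropped. */
int probe(size_t (*handler)(const unsigned char *, size_t, unsigned char *, size_t),
          uint16_t claimed, size_t real) {
    unsigned char resp[512];
    size_t rec_len = build_request(claimed, real);
    size_t n = handler(g_memory, rec_len, resp, sizeof resp);
    if (n == 0) return -1;
    for (size_t i = HB_HDR; i + strlen(k_secret) <= n; i++)
        if (memcmp(resp + i, k_secret, strlen(k_secret)) == 0) return 1;
    return 0;
}

int main(void) {
    /* Claim 64 payload bytes while sending 2: the vulnerable handler
     * echoes back 64 bytes of memory, including the secret at offset 32. */
    printf("vulnerable handler, claim 64 send 2: %d\n", probe(heartbeat_vulnerable, 64, 2));
    printf("fixed handler,      claim 64 send 2: %d\n", probe(heartbeat_fixed, 64, 2));
    printf("fixed handler,      honest request:  %d\n", probe(heartbeat_fixed, 2, 2));
    return 0;
}
```

Everything the attacker needs is the two-byte length field, and the server never notices because a well-formed heartbeat response is a normal part of the protocol. That is also why the fix is not a “patch and forget” event for site operators: anything that was in the process memory during the two vulnerable years, including the certificate’s private key, has to be assumed exposed.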
Most banks and other financial institutions do not use OpenSSL on their customer-facing sites, relying instead on other SSL/TLS implementations, and so were not exposed. But some popular sites, such as Yahoo, were affected.
Vertafore posted on their customer support portal, “We are pleased to inform you we have comprehensively reviewed all hosted products for susceptibility to the issues described in CVE-2014-0160 (also known as the Heartbleed Bug) and have determined that Vertafore’s SaaS offerings are not affected. There is no action you need to take at this time. The Vertafore products that use OpenSSL are operating on versions of OpenSSL that are not vulnerable (and have not been vulnerable) to the Heartbleed OpenSSL security bug.”
Applied Systems posted a statement on their customer support portal last Thursday that said in part: “Applied customer-facing systems are generally built on Microsoft technology (where OpenSSL is not used) and are not at risk from this particular vulnerability.”
If your organization does not use a system from either of these vendors you should contact your vendor to verify their position.
What can you do to protect yourself and your organization?
Take the following steps to reduce your vulnerability to a hacker stealing your password credentials.
- Don’t rush off and change all your passwords. Yet. If a website is still running an affected version of OpenSSL, changing your password there simply hands the new password to anyone who is still exploiting the bug. Do not change your password until you know that the site has upgraded its software, and ideally also replaced its SSL certificate, since the old certificate’s private key could have been exposed while the site was vulnerable. A site that only upgraded OpenSSL but kept its old certificate is not fully fixed.
- Test the sites you frequent using a Heartbleed testing service. Two testing services that quickly popped up are: Lastpass Heartbleed Test and Filippo Valsorda’s Test. Keep in mind what a scanner can and cannot tell you: a “not vulnerable” result means the site does not answer a malformed heartbeat today; it does not say whether the site was vulnerable last week, or whether it has replaced its certificate since patching.
- Use two-factor authentication. For websites that offer it, two-factor authentication should be turned on. Two-factor authentication requires you, when logging in, to provide along with your password a second piece of evidence of a different kind, such as a code texted to your phone or generated by an authenticator app. A “security question” (your mother’s maiden name, for example) is not a second factor; it is just another thing you know, and often something an attacker can look up.
- Keep a close eye on credit card, bank account, and other financial statements. If you see any unfamiliar charges, make sure you investigate them and contact the institution.
- Change your passwords on a regular basis. While this can be a real pain, it limits how long a password leaked through a bug like this one stays useful to a thief. More important still, never use the same password on multiple sites: a password stolen from one site is immediately tried on others. Password management software such as RoboForm.com, LastPass.com or 1Password will help you more easily manage a different password for every site.
- Use strong passwords. Your password should contain at least eight characters, and longer is better; mix letters, numbers and symbols, or let your password manager generate a long random one for you. The most common passwords continue to be simple (and very easy to crack) such as “password,” “123456789,” or “abcd1234.”
- Continue to be vigilant. The above recommendations are just a start to helping you protect your online information. Actively follow news and developments about Heartbleed, or any other security problem that comes up in the future. Being proactive about protecting the security of your personal information, and your clients’, should be an important part of your organization’s information risk management program.
For more detailed information about this issue here are links to a few articles you might find interesting:
- Wired: How Heartbleed Broke the Internet – And Why It Can Happen Again
- PCWorld: Website Operators Will Have a Hard Time Dealing with the Heartbleed Vulnerability
What steps are you taking to be vigilant in protecting your information? Please share your experiences.