How to Protect your Business from the Heartbleed Bug
What is the “Heartbleed Bug”?
To put it simply, it’s a bug that affected most of the Internet. It affects any data that should be transferred securely over the Internet through a specific kind of cryptographic “translator” called OpenSSL. This translator is what websites and services use to securely transfer emails, credit card information, website information and a thousand other things on the Internet. It is used as a standard for secure communication.
Why should you care?
Unless you live under a rock, or don’t use the Internet, I’m willing to bet my lunch that you or your company are affected directly or indirectly by the Heartbleed bug and its exploitation. Compromising OpenSSL is like giving anybody the ability to read your life’s or your business’s secrets like an open book. This includes emails, financial, bank and credit card information, and the business trade secrets that give you a competitive edge. Would your company like to be the next “Target” that gets to tell all its customers that it got hacked and didn’t take measures to protect not only its own data, but its clients’ data?
Are you affected by the Heartbleed Bug?
In a word: YES
Gmail, Yahoo and Facebook were affected, as were 66% of the websites on the Internet. If you use, or share a password with, one of these vulnerable sites, you probably want to keep reading.
Let’s say you use your email address and password to log into Facebook or Pinterest (a Heartbleed-affected site). That site could have been compromised, so a bunch of hackers now have your email address and password. If you use that same password to log into your email, then your email and every account attached to it could be compromised. If your online banking is attached to that email, all they have to do is go to your bank’s website, click “I forgot my password,” put in your email address, and your bank’s password reset is sent right into the hands of those bastard hackers.
Should you worry?
It is a very real worry. Shockingly, this vulnerability has been around for over 2 years, but it was only discovered publicly a few days ago by a person nice enough to share it with the world. That means any malicious hacker, business or country that stumbled upon this vulnerability in the past 2 years could have exploited it without anybody’s knowledge. Exploiting it leaves no trace in normal server logs, so there is no real way of knowing whether it was used, by whom, or against what.
How do you protect yourself from the Heartbleed Bug?
At the bottom of this blog is a link for the big-name sites that are or were affected. If you shared a password between any of these sites and something else, such as a bank password reused on Facebook (one of the affected sites), you need to change the password for both. Change it only after the affected site has fixed the bug, otherwise the new password can be stolen the same way. If you see suspicious activity on your business or personal credit cards, cancel them and get new ones re-issued. Have your IT department or trusted IT support vendor do an audit to check whether any of your systems were affected, and make sure all your systems are updated to the latest version of OpenSSL. Updating alone is not enough: the services using OpenSSL have to be restarted, and because the bug can leak a server’s private keys, the SSL certificates on affected servers should be revoked and re-issued as well.
If you need a quick check to see whether a website is (or was) affected, use the LastPass Heartbleed checker.
If you want a better understanding of how SSL works, check Wikipedia.
If you are more technically inclined and want details on the vulnerability, there’s a site dedicated to all the FAQs you could possibly want about the specifics of Heartbleed.