The digital world has been rocked by the announcement that a bug has been lurking for two years, stealing data and leaving no trace. Based solely on the number of websites affected and the length of time it has been active, the Heartbleed Bug has been identified as one of the most widespread vulnerabilities ever to hit the Web.
Heartbleed exploits the “heartbeat” feature used in OpenSSL. This feature works like a handshake between a server and a client, letting each know the other is still active in the conversation. Heartbleed abuses this heartbeat: a malformed heartbeat request makes the server answer with the contents of its own memory, bleeding the information away. This information can include usernames, passwords, credit card data, emails, instant messages and more. While this data is typically encrypted in transit, Heartbleed allows attackers to steal the encryption keys needed to decipher it. With these keys, attackers can also impersonate secure sites and servers. And to make matters worse, the attack does not leave a trace.
- Heartbleed has been around since December 2011.
- Apache and nginx web servers are known to use OpenSSL. According to a recent survey, these two servers account for 66% of active Internet sites.
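The memory over-read described above comes down to one missing length check. The following C program is an added illustration, not code from the original post or from OpenSSL: it models a heartbeat record (type byte, two-byte claimed payload length, payload) sitting in a small constructed buffer that stands in for server memory, with a hypothetical password placed right after the record. The vulnerable handler trusts the length field and echoes back whatever follows; the fixed handler applies the check the patch added and drops records whose claimed length does not fit inside what actually arrived. All names and the sample data are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy heartbeat record layout, in the style of TLS: 1-byte type,
 * 2-byte big-endian claimed payload length, then the payload. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define MEM_SIZE    64

/* Constructed "server memory": a short heartbeat record followed by an
 * unrelated secret that happens to sit next to it (hypothetical value). */
static unsigned char server_memory[MEM_SIZE];
static const char secret[] = "hunter2-example-password";

static void setup_memory(void) {
    memset(server_memory, 0, sizeof server_memory);
    server_memory[0] = HB_REQUEST;
    server_memory[1] = 0x00;             /* claimed payload length: 40 ... */
    server_memory[2] = 0x28;
    memcpy(&server_memory[3], "ping", 4); /* ... but only 4 bytes were sent */
    /* The secret lies directly after the 7-byte record. */
    memcpy(&server_memory[3 + 4], secret, strlen(secret));
}

/* Vulnerable handler (the Heartbleed pattern): the length actually
 * received, rec_len, is never consulted; the attacker-supplied length
 * field drives the copy, so bytes beyond the record are echoed back.
 * Returns the number of payload bytes placed after the 3-byte header. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    (void)rec_len;                            /* the bug: ignored */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)claimed + 3 > out_cap) return 0; /* keeps the toy in bounds */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(&out[3], &rec[3], claimed);        /* reads past the record */
    return claimed;
}

/* Fixed handler: the claimed payload must fit inside the record that
 * was actually received, otherwise the record is silently dropped. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    if (rec_len < 3) return 0;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)claimed + 3 > rec_len) return 0;  /* the missing check */
    if ((size_t)claimed + 3 > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(&out[3], &rec[3], claimed);
    return claimed;
}

/* Does a response of n bytes contain the secret that lay beyond the record? */
int response_leaks_secret(const unsigned char *out, size_t n) {
    size_t slen = strlen(secret);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, secret, slen) == 0) return 1;
    return 0;
}

/* Feed the constructed record to both handlers. Returns 1 when the
 * vulnerable handler leaks the secret and the fixed one drops the record. */
int demo(void) {
    unsigned char resp[MEM_SIZE];
    setup_memory();
    size_t rec_len = 3 + 4;                   /* bytes that really arrived */
    size_t n = heartbeat_vulnerable(server_memory, rec_len, resp, sizeof resp);
    int vuln_leaked = response_leaks_secret(resp, n + 3);
    memset(resp, 0, sizeof resp);
    size_t m = heartbeat_fixed(server_memory, rec_len, resp, sizeof resp);
    int fixed_leaked = response_leaks_secret(resp, m + 3);
    return vuln_leaked && !fixed_leaked && m == 0;
}

/* A well-formed record still round-trips through the fixed handler. */
int valid_record_roundtrip(void) {
    const unsigned char rec[7] = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    unsigned char out[16];
    size_t n = heartbeat_fixed(rec, sizeof rec, out, sizeof out);
    return n == 4 && out[0] == HB_RESPONSE && memcmp(&out[3], "ping", 4) == 0;
}

int main(void) {
    printf("vulnerable handler leaks, fixed handler drops: %s\n",
           demo() ? "yes" : "no");
    printf("fixed handler still answers valid heartbeats: %s\n",
           valid_record_roundtrip() ? "yes" : "no");
    return 0;
}
```

The check that matters is the single comparison of the claimed length against the record length that was actually received; everything else in both handlers is identical. That is also why the attack leaves no trace in ordinary logs: a heartbeat that is answered looks, to the server, like a perfectly normal keep-alive exchange.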
Have you been impacted?
Websites whose URLs begin with https and that show the security padlock may have been exposed to the breach. This includes sites used for e-commerce, social networking, email, instant messaging, and VPNs (virtual private networks). It also means that websites that followed every PCI compliance requirement perfectly may still be vulnerable.
What to do as a website owner
If your website may have been impacted, take the following steps to ensure data security going forward.
- Download and apply the OpenSSL patch.
- Work with your Certificate Authority to revoke and re-issue new security certificates.
- Change any passwords on systems that interact with impacted websites.
- If you confirm that your servers were exposed, you may choose to reset your customers’ passwords to protect them going forward.
- As a business, also follow the Internet user steps below to protect your own accounts from the threat.
What to do as an Internet user
If you use the Internet, your data may have been compromised. Take these steps to protect your data going forward.
- Check whether the website has patched the Heartbleed Bug. Some of the sites in the further reading list below provide tools to verify this.
- Once the site has been confirmed safe, change your passwords. As a general rule, change your passwords often to continue protecting yourself and your data from ongoing security threats.
- This includes passwords for email, social networks, financial institutions and shopping sites.
- As a further precaution, log out of any saved sessions before changing your password.
- Watch your financial statements and other sensitive accounts over the next few months for any sign that your data has been misused.
Other tips include:
- On public Wi-Fi networks, only do things you don’t mind being made public. Don’t log into accounts that hold sensitive information.
- If one is available, use your VPN. VPN connections are typically secured in a much more robust way.
- And change your passwords often.
While the Heartbleed Bug has impacted some of the largest sites on the Internet (most notably Yahoo), many companies took immediate action to protect customers and their data. And while a short-term fix for the problem has been developed, more robust security features need to be implemented to protect consumer data going forward. Those features exist today, but implementing them can be costly. Business owners need to weigh the cost of protecting, or not protecting, consumer data in the future.
As consumers, we need to take charge of our own protection by following the tips above.
Further Heartbleed reading:
- Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet
- The Heartbleed Bug
- How to protect yourself from the ‘Heartbleed’ bug
- ‘Heartbleed’ bug undoes Web encryption, reveals Yahoo passwords
- Heartbleed bug: Check which sites have been patched
- Here’s How To Protect Yourself From The Massive Security Flaw That’s Taken Over The Internet
- Netcraft: April 2014 Web Server Survey
- Website operators will have a hard time dealing with the Heartbleed vulnerability
- What To Do Now That The Heartbleed Bug Exposed The Internet
- Heartbleed Bug Impacts Online Retailers, E-commerce
- Heartbleed: Particularly Harmful For E-commerce?