The Heartbleed Bug and Business Security
The Heartbleed Bug is a weakness that allows the stealing of information that normally would be protected by the standard encryption used in many services on the Internet. This could affect websites, email, instant messaging, and even some virtual private networks (VPNs). It allows someone on the Internet to read the memory of systems protected by certain versions of OpenSSL, which is widely used by many web servers and other Internet-enabled products. Attackers can exploit this problem to steal login names and passwords to hack into your accounts or those of your clients.
Should we worry? Isn’t this just another of the web vulnerabilities we hear about that probably doesn’t affect us (or our clients)? Well, no, this isn’t your run-of-the-mill vulnerability:
- According to Codenomicon, an attack can be accomplished without leaving a trace.
- OpenSSL (where the vulnerability was found) is used widely, including in web servers like Apache and Nginx. Just these two software products alone are used in over 66% of the web servers on the entire Internet (Netcraft’s “April 2014 Web Server Survey”).
- While it looks like only certain versions of OpenSSL are affected, these versions have been in use for over two years now.
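Because only specific OpenSSL releases are affected, the first question for any server you or your clients run is “which OpenSSL is this, and is it in the affected range?” The script below is an added example, not part of the original article: it parses the output of `openssl version -a` and classifies the build. The affected range (1.0.1 through 1.0.1f, fixed in 1.0.1g; the 1.0.2-beta1 pre-release, fixed in 1.0.2-beta2; 0.9.8 and 1.0.0 unaffected) and the `-DOPENSSL_NO_HEARTBEATS` rebuild workaround come from the OpenSSL project’s advisory; the assumption that the flag shows up on the `compiler:` line of `openssl version -a` is ours, and the sample outputs are constructed.

```python
import re

# Pattern for the first line of `openssl version` output, e.g.
# "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1". Captures
# major.minor.patch, the optional letter suffix and an optional beta number.
_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.IGNORECASE
)

# Set when a build is in the affected range: distributions often backport
# the fix without changing the upstream version string, so a match here
# means "check the package version against the vendor advisory", not "owned".
BACKPORT_CAVEAT = (
    "Version string is in the affected range, but distribution packages may "
    "carry a backported fix; confirm against the vendor's advisory."
)


def parse_version(text):
    """Return (major, minor, patch, letter, beta) from `openssl version` output, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return int(major), int(minor), int(patch), letter.lower(), (int(beta) if beta else None)


def classify(version_output):
    """Classify `openssl version -a` output.

    Returns one of:
      'not_affected'            - release outside the vulnerable range
      'affected'                - vulnerable release, no mitigation visible
      'mitigated_by_build_flag' - vulnerable release built with -DOPENSSL_NO_HEARTBEATS
      'unknown'                 - not recognisable as OpenSSL output
    """
    parsed = parse_version(version_output)
    if parsed is None:
        return "unknown"
    major, minor, patch, letter, beta = parsed
    base = (major, minor, patch)

    if base == (1, 0, 1):
        # Plain 1.0.1 (no letter) and 1.0.1a..1.0.1f are affected; 1.0.1g+ are fixed.
        vulnerable_line = letter <= "f"
    elif base == (1, 0, 2):
        # Only the 1.0.2-beta1 pre-release shipped the bug; beta2 and later are fixed.
        vulnerable_line = beta == 1
    else:
        # 0.9.8 and 1.0.0 never had the heartbeat extension; 1.1.x and later post-date the fix.
        vulnerable_line = False

    if not vulnerable_line:
        return "not_affected"
    # Assumption: a build compiled with the advisory's workaround shows the
    # define on the "compiler:" line of `openssl version -a`.
    if "OPENSSL_NO_HEARTBEATS" in version_output:
        return "mitigated_by_build_flag"
    return "affected"


def report(version_output):
    """Return (status, caveat) where caveat is set only for 'affected' builds."""
    status = classify(version_output)
    return status, (BACKPORT_CAVEAT if status == "affected" else None)


# Constructed sample outputs (dates are the real release dates; the rest is made up).
SAMPLE_AFFECTED = (
    "OpenSSL 1.0.1e 11 Feb 2013\n"
    "built on: Mon Apr  7 2014\n"
    "compiler: gcc -fPIC -DOPENSSL_THREADS -D_REENTRANT -O3"
)
SAMPLE_FIXED = "OpenSSL 1.0.1g 7 Apr 2014"
SAMPLE_FLAG = (
    "OpenSSL 1.0.1f 6 Jan 2014\n"
    "compiler: gcc -fPIC -DOPENSSL_NO_HEARTBEATS -DOPENSSL_THREADS -O3"
)
SAMPLE_OLD_LINE = "OpenSSL 1.0.0l 6 Jan 2014"

if __name__ == "__main__":
    for sample in (SAMPLE_AFFECTED, SAMPLE_FIXED, SAMPLE_FLAG, SAMPLE_OLD_LINE):
        status, caveat = report(sample)
        print(sample.splitlines()[0], "->", status, ("(" + caveat + ")") if caveat else "")
```

Run it against the real output on a host with `python3 check.py` after pasting in the string, or feed `openssl version -a` output through `report()`. The caveat is the part practitioners forget: a package such as a vendor-patched 1.0.1e is safe even though its version string lands in the affected range, so treat “affected” as “verify”, not as a verdict.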
We hear about security vulnerabilities all the time. This one is a big deal because a large number of private keys and other secret information have been exposed for a long time, the exploit is simple, and no trace of exposure is left behind. Even though the bug can be fixed quickly (if service providers respond), your login passwords could have been exposed, and that information can be used even after the bug is fixed.
Some people, such as Bruce Schneier, say that this is catastrophic: “On the scale of 1 to 10, this is an 11.” From the other side, though, Dr. Steven Murdoch of the University of Cambridge Computer Laboratory says, “I think there is a low to medium risk that any given password has been compromised” (per BBC News).
So What Do We Do about the Heartbleed Bug?
Password wallet provider LastPass recommends that, to be safe, you should change the passwords on your most critical sites. This would be your email, banking, and social networking sites, particularly if you know those sites run Apache or Nginx, or if they test as vulnerable to the Heartbleed Bug.
You can test any site using this Heartbleed test site to see if it’s vulnerable. However, note that a site that passes the test now may simply have fixed the bug already; your information could still have been compromised before the fix went in. We already know that sites like Yahoo.com and GitHub.com were exposed, and researchers have used these sites to demonstrate the problem publicly (with very little work!). I used the test tool to look at some commonly used accounting sites, such as Intuit, Xero, Zoho, and Wave, and all passed the test.
My recommendation: This is a tough call in a way, because service providers are still working out the details (at the time I’m writing this). There are three ways you can think about this. If you’re:
- Not worried too much? Well, I still think you should change your passwords soon, when you have the chance. Good time to do it; get around to it when you can.
- Worried a bit because things are uncertain? As for your banks and major web services, wait until they notify you they’ve upgraded their systems, then change the passwords for that system. You can also use the Heartbleed Test site to check whether a site is still vulnerable, and change your password there only if it isn’t. Why bother changing on a site that isn’t updated, as you’ll just have to do it again later? This is what a number of security specialists (but not all) are recommending.
- Worried a lot? Change your important passwords now, and change them again when the service notifies you that it has upgraded. That may be a bit over the top, but some people are saying “don’t wait,” and then do it again later for sites that are updated.
It’s confusing. Why bother at all? Well, my thoughts on this are:
- Why take a risk? I’m going through my sensitive passwords and making changes. It takes time, as I have a lot of accounts to change. I use RoboForm to manage my passwords, and The Sleeter Group uses LastPass; both are excellent (and similar) products. These help you remember what passwords you have and what you change them to. But I’m going to test the site first – and not log in if the site isn’t updated and secure. My info may not have been stolen earlier, but I’m not going to enter my passwords into any system that isn’t secure so that it CAN be stolen. I’ll only log in to sites that are updated and secure, change those, and wait for the others.
- Hey, “best practice” is that you change your passwords periodically, so even if you don’t believe this is a real risk, why not do it now anyway? It’s as good a time as any. How long has it been since YOU changed your email or bank passwords?
- If you’re a trusted advisor to your clients, this is a good time to recommend they consider changing their passwords, and perhaps do an overall security review for them. Most businesses have some vulnerability of some sort, and they need you to help them find and fix these problems. This is the perfect time to bring it up.