It’s been all over the news. It has been called the largest security threat the Internet has ever seen, and it’s called the Heartbleed Bug. Heartbleed is certainly a serious vulnerability affecting web sites and services across the Internet. The bug is found in specific versions of a software library called OpenSSL, which is used to secure communications over the Internet such as email, web sites, and some VPNs. The affected versions of OpenSSL (1.0.1 through 1.0.1f; the bug is tracked as CVE-2014-0160) contain a flaw in a part of the secure connection called the heartbeat: a client can claim its heartbeat message is longer than it really is, and the server answers with that many bytes without checking. When an attacker exploits this flaw, information stored in the memory of the server, up to 64 KB per request, leaks or “bleeds” back to the attacker’s computer. That memory can contain other users’ passwords, session cookies, or even the server’s private encryption key. Since the bug was made public, fixes have been applied all over the web by users of OpenSSL. What makes this different from a lot of other security bugs is that it was introduced into the software in 2011 and exploiting it leaves no trace in the logs of the system that was attacked. This means nearly every user on the Internet has likely used a service that relies on OpenSSL, and there is no way of telling who has been compromised.
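To make the “bleed” concrete, here is an added, simplified model of the heartbeat flaw written for this article. It is not OpenSSL’s code: server memory is a small constructed byte array (`arena`), the planted “secret” string is made up, and the fixed handler applies the same kind of length check that the patched OpenSSL release added. The heartbeat message layout (1-byte type, 2-byte payload length, payload, 16 bytes of padding) follows the TLS heartbeat extension.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for server memory: the received heartbeat record
   sits at the start, and unrelated process data (our planted "secret")
   lives after it. No real OpenSSL structures are involved. */
#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Write a heartbeat request into arena[0..] that DECLARES declared_len bytes
   of payload but actually carries only strlen(actual_payload) bytes.
   Returns the true length of the record as received from the network. */
static size_t build_record(uint16_t declared_len, const char *actual_payload) {
    size_t n = strlen(actual_payload);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(declared_len >> 8);
    arena[2] = (unsigned char)(declared_len & 0xff);
    memcpy(arena + 3, actual_payload, n);
    memset(arena + 3 + n, 0, HB_PADDING);
    return 3 + n + HB_PADDING;
}

/* Put a secret "elsewhere in memory", a little past the end of the record. */
static void plant_secret(size_t record_len, const char *secret) {
    memset(arena + record_len, 0, ARENA_SIZE - record_len);
    memcpy(arena + record_len + 8, secret, strlen(secret));
}

/* Vulnerable handler (the CVE-2014-0160 pattern): it trusts the length the
   client declared and copies that many bytes starting at the payload, so the
   copy runs past the real record into whatever follows in memory. The only
   bound it checks is the size of its own output buffer. */
static int heartbeat_vulnerable(size_t record_len, unsigned char *out, size_t out_cap) {
    uint16_t payload_len = (uint16_t)((arena[1] << 8) | arena[2]);
    (void)record_len;                       /* never consulted: this is the bug */
    if (3 + (size_t)payload_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = arena[1];
    out[2] = arena[2];
    memcpy(out + 3, arena + 3, payload_len);    /* over-read of arena */
    return 3 + payload_len;
}

/* Fixed handler: reject any message whose declared payload plus header and
   padding would not fit inside the record that was actually received. */
static int heartbeat_fixed(size_t record_len, unsigned char *out, size_t out_cap) {
    if (record_len < 1 + 2 + HB_PADDING) return -1;       /* too short to be valid */
    uint16_t payload_len = (uint16_t)((arena[1] << 8) | arena[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > record_len) return -1; /* discard */
    if (3 + (size_t)payload_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = arena[1];
    out[2] = arena[2];
    memcpy(out + 3, arena + 3, payload_len);
    return 3 + payload_len;
}

/* Does the response bytes contain the planted secret? */
static int response_leaks(const unsigned char *out, int out_len, const char *secret) {
    size_t n = strlen(secret);
    if (out_len < 0) return 0;
    for (size_t i = 0; i + n <= (size_t)out_len; i++)
        if (memcmp(out + i, secret, n) == 0) return 1;
    return 0;
}

/* Scenario: a 5-byte payload declared as 200 bytes. Returns 1 when the
   vulnerable handler leaks the secret and the fixed handler refuses. */
int demo_heartbleed(void) {
    const char *secret = "session_cookie=abc123";     /* constructed sample data */
    unsigned char out[ARENA_SIZE];
    size_t rec = build_record(200, "hello");
    plant_secret(rec, secret);
    int vlen = heartbeat_vulnerable(rec, out, sizeof out);
    int leaked = response_leaks(out, vlen, secret);
    int flen = heartbeat_fixed(rec, out, sizeof out);
    return leaked && flen == -1;
}

int main(void) {
    printf("vulnerable handler leaked the secret, fixed handler refused: %s\n",
           demo_heartbleed() ? "yes" : "no");
    return 0;
}
```

The fix is one comparison: the declared length must fit inside the record that actually arrived. Nothing in the response tells the client it was refused, and nothing is logged, which is why a patched server cannot say whether it was ever attacked.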
After the bug was made public, major IT companies around the world launched into testing their products to determine whether they were affected. Companies such as Microsoft, whose products do not use OpenSSL, informed their customers via blogs and social media that their products are unaffected. Cisco, for example, did have some affected products and, within 48 hours, posted lists of which products were affected and which were not. Cisco also began to release information about how to mitigate the risk until a fix was available. Most technology companies took this risk very seriously and responded promptly to the threat in a way that only the Internet could allow. Many SSL Certificate Authorities were affected by Heartbleed as well, and have instructions on their websites about how to make sure the SSL certificates you purchased, and the private keys behind them, are still safe.
Most online service providers that use SSL to secure their content have recommended that users change their passwords immediately and then again once the provider has finished patching its systems. The second change is the one that matters: a password changed on a still-vulnerable server can leak again just as the old one did. For those of us who have purchased our own SSL certificates, most Certificate Authorities have patched their own systems. They recommend that you log in to their site and go through a process called re-keying your certificate. Patching the server alone is not enough here, because the private key may already have leaked, so re-keying means generating a brand-new private key, having a new certificate issued for it, installing the new key and certificate on your server, and revoking the old certificate. Each Certificate Authority has its own set of instructions, but in general the steps are the same.
After following the news around this bug, I recommend that you log in to your banks, email providers, and any other online site you use a password for and change your password, ideally once that site has confirmed it is patched. Yes, even your Facebook password! If you have a website or any secure content of your own on the web, you should contact the service providers you work with to see whether they were affected and follow any instructions they have to ensure your data stays safe. If you are unsure, call us and we will be happy to help you determine whether you or any of the services you use were affected by the Heartbleed Bug.