Heartbleed: how to protect your business and yourself

Thursday May 1, 2014 at 2:00pm
A major security vulnerability called 'Heartbleed' made the news recently. The bug means an attacker can read normally encrypted data without leaving a trace. With two thirds of internet sites using OpenSSL this is a serious threat, and one that business owners and individuals need to pay attention to.

Heartbleed is a bug dating back to 2011 in some versions of OpenSSL - an open source implementation of encryption protocols that is widely used on the internet. These encryption protocols are there to secure transmission of data over networks. When you see “https” in a web URL this denotes a secure connection, mostly used for online shopping sites or online banking for example.

Action for business owners

Any online services that are using OpenSSL should be immediately updated to the latest version. Where SSL certificates are used, these will need to be revoked and replaced with new certificates. The final step is to change all credentials that could have been leaked, i.e. passwords.

Not all versions of OpenSSL are vulnerable to attack, so if you’re a business owner you may need to check with web developers and other providers of online services which version they use.

Status of different versions:

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
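A small triage helper for the version table above and the "check with your providers which version they use" step, added here as an example and not part of the original post. It parses the string that `openssl version` prints (or a version string a provider sends you), and reports whether it falls in the 1.0.1 to 1.0.1f range the post lists. The sample strings in the test are constructed. One caveat a practitioner should keep in mind: some Linux distributions backported the fix while keeping the old version number, so a string alone is a first screen, not proof; confirm with the vendor's package changelog.

```python
import re
import subprocess
from typing import Optional, Tuple

# Affected range as stated in the post: OpenSSL 1.0.1 through 1.0.1f inclusive.
# A version is modelled as (major, minor, fix, letter); an empty letter
# sorts before "a", so plain 1.0.1 compares as the start of the range.
VULNERABLE_FIRST: Tuple[int, int, int, str] = (1, 0, 1, "")
VULNERABLE_LAST: Tuple[int, int, int, str] = (1, 0, 1, "f")

# Matches "OpenSSL 1.0.1e 11 Feb 2013", "1.0.1g", "OpenSSL 0.9.8y ..." etc.
_VERSION_RE = re.compile(r"^\s*(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text: str) -> Optional[Tuple[int, int, int, str]]:
    """Turn an OpenSSL version banner into a comparable tuple, or None."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def is_heartbleed_vulnerable(text: str) -> Optional[bool]:
    """True if the version is in the affected range, False if outside it,
    None if the string could not be parsed (treat None as 'go and ask')."""
    version = parse_openssl_version(text)
    if version is None:
        return None
    return VULNERABLE_FIRST <= version <= VULNERABLE_LAST


def local_openssl_version() -> Optional[str]:
    """Run `openssl version` on this machine; None if the binary is absent."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    banner = local_openssl_version()
    if banner is None:
        print("openssl not found on this host")
    else:
        verdict = is_heartbleed_vulnerable(banner)
        print(f"{banner!r}: {'VULNERABLE' if verdict else 'not in affected range' if verdict is False else 'unrecognised'}")
```

Run it on each server you operate; for hosted services, paste the version string the provider gives you into `is_heartbleed_vulnerable`. A `True` result means all three steps above apply: patch, reissue certificates, then reset credentials, in that order, since new certificates and passwords issued on a still-vulnerable server can leak again.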

What does it mean for you?

In simple terms, it means you should look to change your passwords and login credentials. In fact, you may already have received emails from organisations you are registered with suggesting you do so.

There are sites available listing the affected websites, and it would be prudent to review and change your login credentials for those affected sites. Before doing so, it's worthwhile checking that they have updated their security certificates and servers; a new password entered on a site that is still vulnerable can be leaked again.

Sites affected include social media, online shopping, email and banking sites - anywhere SSL encryption is used. Most major sites would have addressed this issue within several hours or days of the bug being made public. However, the issue I see now is that the 'bad guys' are aware of it and will be exploiting it 'in the wild', as some sites and services could remain unpatched for years. For example, Android devices running Jelly Bean 4.1.1 are vulnerable to a reverse Heartbleed attack. This is harder to exploit than the normal server attack vector, so the likelihood of data being leaked is lower; however, the risk is still there.

Managing your passwords

If the thought of changing all your passwords and login details fills you with dread, and is the excuse you use to yourself for not changing passwords regularly, then why not use a password manager? I've been using one for years; LastPass is my software of choice, but there are lots on the market. Without this software I would probably have been using shared passwords for the sake of my sanity, but leaving myself completely vulnerable to attacks like the Heartbleed one. These managers generate and store random passwords for all your sites, emails etc., so you only have to create one really strong master password, and the software does the rest. Stay safe.
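To make concrete what "generate and store random passwords for all your sites" means, here is an added example (not LastPass's code or anything from the original post) that does the generating half: one independent random password per site from the operating system's cryptographic random source, with a rough entropy figure so you can see why a 20-character generated password is out of reach of guessing in a way a reused human-chosen one is not. The site names are constructed for the example.

```python
import math
import secrets
import string
from typing import Dict, Iterable

# Full printable-ASCII alphabet: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw each character with secrets.choice (CSPRNG), never random.choice."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Bits of entropy for a uniformly generated password of this length.
    A guessing attacker needs on the order of 2**bits attempts."""
    return length * math.log2(len(set(alphabet)))


def generate_site_passwords(sites: Iterable[str], length: int = 20) -> Dict[str, str]:
    """One unrelated password per site, so a leak at one site (the Heartbleed
    scenario) gives an attacker nothing usable at the others."""
    return {site: generate_password(length) for site in sites}


def all_distinct(passwords: Dict[str, str]) -> bool:
    """Sanity check that no two sites ended up with the same credential."""
    return len(set(passwords.values())) == len(passwords)


if __name__ == "__main__":
    # Constructed sample list of sites for the demonstration.
    vault = generate_site_passwords(["shop.example", "mail.example", "bank.example"])
    for site, pw in vault.items():
        print(f"{site}: {pw}")
    print(f"entropy per password: {entropy_bits(20):.1f} bits")
```

In a real manager the vault is encrypted under a key derived from the master password, which is why that one password has to be genuinely strong; everything else can be long, random and never memorised.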

Marcus Allen
Parker Management Consultants


Parker Management Consultants, 1st floor, Dominion Court, 43 Station Road, Solihull, B91 3RT