
The Heartbleed Bug: What You Should Know



There has been extensive media coverage of the so-called “Heartbleed” bug, a flaw in OpenSSL, the widely used open-source software library that implements the TLS/SSL encryption behind HTTPS. You have almost certainly used OpenSSL without realizing it: it runs on the servers behind most websites that use the HTTPS protocol for secure communications, indicated by a padlock icon in the browser.

The Heartbleed bug (CVE-2014-0160) is a serious issue affecting most Internet users and businesses. It is present in OpenSSL versions 1.0.1 through 1.0.1f whenever the TLS “heartbeat” extension is enabled, which it is by default. A specially crafted heartbeat request makes the server send back up to 64 KB of whatever happens to be in its memory, and it can be repeated as often as the attacker likes without leaving a trace in the server’s logs. That memory can contain the server’s private key (which identifies the site and protects its traffic), user names, passwords and session cookies, so the bug lets attackers steal sensitive data and impersonate trusted systems.
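To make the mechanism concrete, here is a small simulation of the heartbeat handling, added for this article and not taken from OpenSSL. A single byte string stands in for the server’s memory: the heartbeat record the client sent sits at the front, and an unrelated (made-up) session cookie and key header happen to sit right after it. The vulnerable handler trusts the two-byte length field the client supplies; the fixed handler applies the same bounds check that OpenSSL 1.0.1g added, discarding any record whose claimed length does not fit inside the record actually received.

```python
"""Simulation of the TLS heartbeat handling behind Heartbleed (CVE-2014-0160).

Constructed example added for this page; it is not OpenSSL's code. A single
bytes object, ``memory``, stands in for the server process's heap: the received
heartbeat record sits at the front and unrelated data (here a fabricated session
cookie and key header) happens to sit right after it.
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16          # RFC 6520 requires at least 16 bytes of padding
HEADER_LEN = 1 + 2        # type byte + 16-bit payload_length


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Encode a heartbeat request. An honest peer passes claimed_len == len(payload);
    the Heartbleed trigger is a claimed_len far larger than the real payload."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * PADDING_LEN


def vulnerable_handler(memory: bytes, record_len: int) -> Optional[bytes]:
    """Pre-1.0.1g behaviour: trust the peer-supplied length and copy that many
    bytes starting at the payload, regardless of how long the record really is."""
    hb_type, claimed_len = struct.unpack("!BH", memory[:HEADER_LEN])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    echoed = memory[HEADER_LEN:HEADER_LEN + claimed_len]   # reads past record_len
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed_len) + echoed + b"\x00" * PADDING_LEN


def fixed_handler(memory: bytes, record_len: int) -> Optional[bytes]:
    """1.0.1g behaviour: bound the copy by the record actually received and
    silently discard anything inconsistent, as RFC 6520 section 4 requires."""
    if HEADER_LEN + PADDING_LEN > record_len:
        return None                                         # record too short to be valid
    hb_type, claimed_len = struct.unpack("!BH", memory[:HEADER_LEN])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + claimed_len + PADDING_LEN > record_len:
        return None                                         # claimed length exceeds record
    echoed = memory[HEADER_LEN:HEADER_LEN + claimed_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed_len) + echoed + b"\x00" * PADDING_LEN


def echoed_payload(response: bytes) -> bytes:
    """Extract the payload a peer would see in a heartbeat response."""
    _, length = struct.unpack("!BH", response[:HEADER_LEN])
    return response[HEADER_LEN:HEADER_LEN + length]


# Constructed heap contents: nothing here is real data.
SECRET = b"Cookie: session=a1b2c3d4e5f6; -----BEGIN RSA PRIVATE KEY-----"

HONEST_RECORD = build_heartbeat(b"ping", claimed_len=4)
MALICIOUS_RECORD = build_heartbeat(b"ping", claimed_len=64)   # 4 real bytes, 64 claimed

HONEST_MEMORY = HONEST_RECORD + SECRET + b"\x00" * 128
MALICIOUS_MEMORY = MALICIOUS_RECORD + SECRET + b"\x00" * 128


def run_case(handler, memory: bytes, record: bytes) -> Optional[bytes]:
    """Feed one record (plus whatever follows it in memory) to a handler and
    return the payload it would echo back, or None if the record was discarded."""
    response = handler(memory, len(record))
    return None if response is None else echoed_payload(response)


if __name__ == "__main__":
    print("honest / vulnerable   :", run_case(vulnerable_handler, HONEST_MEMORY, HONEST_RECORD))
    print("honest / fixed        :", run_case(fixed_handler, HONEST_MEMORY, HONEST_RECORD))
    print("malicious / vulnerable:", run_case(vulnerable_handler, MALICIOUS_MEMORY, MALICIOUS_RECORD))
    print("malicious / fixed     :", run_case(fixed_handler, MALICIOUS_MEMORY, MALICIOUS_RECORD))
```

Run as a script, the malicious case against the vulnerable handler returns the four real payload bytes followed by 60 bytes of whatever lay beyond the record, including the fabricated cookie; the fixed handler returns nothing for that record and still echoes the honest one correctly. The real attack simply repeats this with a claimed length near the 64 KB maximum until something valuable appears in the returned bytes.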

The good news is that a fixed version (OpenSSL 1.0.1g) has been released and operating-system vendors have shipped patched packages. However, it is up to each website owner to install the fix, then generate a new private key and certificate, because the old key may already have been stolen while the site was vulnerable. Many major websites have done so, but smaller organizations may take more time. It doesn’t help to change your password or take other action until the specific website has eliminated the bug, since a new password sent to a still-vulnerable site can be stolen just like the old one.

Check with your service provider, or whoever hosts your websites, e-mail and VPN, to determine whether any of them are vulnerable. A version number alone is not conclusive: Linux distributions generally fixed the bug by patching their existing 1.0.1e packages rather than moving to 1.0.1g, so ask for confirmation that the Heartbleed patch is applied. You should also take the following actions for other websites and web-based services you may use:

  • These sites have already been fixed, so change your password on them now: Facebook, Instagram, Pinterest, Tumblr, Yahoo, Amazon Web Services, Box, Dropbox, GitHub, IFTTT, Minecraft, OKCupid, SoundCloud and Wunderlist. (Google and PayPal were not affected.)
  • Check this list of popular sites to determine the status of other sites you may use. (Note that only 48 of the 1,000 sites tested were found to be vulnerable.)
  • Set your browser to check for revoked site certificates. Once a vulnerable site has fixed the security issue, it should issue a new certificate with a new private key and revoke the old one; the old certificate remains usable by anyone who stole its key unless your web browser checks revocation and rejects it. Call ICG if you need assistance.
  • Share this information with your business partners, customers and others with whom you exchange sensitive data. Their sites may be vulnerable, which could impact your business. If they do not have an IT provider, we will be glad to assist them.
  • Once a vulnerable site has been fixed, change your password immediately. If you change your password before the vulnerable site has been fixed, you will need to change it again after they fix it.

This is also a good opportunity to review your password policy and ensure that your team is following best practices:

  • Use strong passwords: at least eight characters (longer is better) with a mixture of letters, numbers and special characters.
  • Use a different password for each website and application.
  • Don’t write your passwords down or share them. Instead, use a good password manager to keep track of your various passwords.

ICG is here to help keep your business secure. Please let us know if we can answer any questions or be of further assistance.