Heartbleed: What You Should Know

At this point you have heard the news about the Heartbleed bug.

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content.”

First off, don’t panic. This is one of those internet issues that is, in fact, a big deal. However, the sky isn’t falling, and the integrity of the internet isn’t compromised beyond recovery. This is something we will be living with for a while to come. That said, it is also a vulnerability that has existed for a while: the bug in the popular OpenSSL library has been present since December 2011.

Much research is still needed to quantify how widely this vulnerability has been exploited in the wild. The best bet is to take this as a call to action. Update your passwords, run software updates, and ask your service providers to update any certificates, software and appliances they control on your behalf. This isn’t a quick fix. The entire internet will be playing catch up on this for a few months.

What you can do today:

  1. Update your passwords on any sites you do business with or that hold any of your personal information. You will want to wait a week so that site owners have time to patch the vulnerability. If you change a password before the site is fixed, go back and reset it again afterwards.
  2. Talk to your IT teams to discuss the plan of action to identify and update OpenSSL on any systems you maintain. This isn’t just your website. This includes Unix-based operating systems, applications that use the OpenSSL library to secure communications (email, FTP, chat, etc.), and clients that use OpenSSL to connect to other systems (like VPN software).
  3. Talk to partners and third-party providers about their update process. It is critical that they all update their systems for this issue to subside.
  4. Test your own site: Qualys has an SSL testing tool that claims to be able to identify the existence of the Heartbleed vulnerability. You might find that you have some security issues in other areas. If this is something you want to discuss with a consultant, click the contact us link below.
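A small helper for step 2, added here as an example and not code from the original post or from Dunbar: it parses the `openssl version` banner and flags upstream releases in the affected 1.0.1 through 1.0.1f range (1.0.1g carries the fix). The banner strings in the test are constructed, and because distributions often backport the fix without changing this version string, a hit means "confirm with your package manager", not "confirmed vulnerable".

```python
import re
import subprocess

# Added example, not from the original post: classify an OpenSSL build by
# the upstream version it reports. Heartbleed affects 1.0.1 through 1.0.1f.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_version(banner):
    """Turn the first line of `openssl version` into a comparable tuple.

    'OpenSSL 1.0.1e 11 Feb 2013' -> (1, 0, 1, 'e'); an empty letter sorts
    first, so plain 1.0.1 compares below 1.0.1a.
    """
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("unrecognised OpenSSL banner: %r" % banner)
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def heartbleed_affected(banner):
    """True if the reported upstream version lies in 1.0.1 .. 1.0.1f."""
    v = parse_version(banner)
    return (1, 0, 1, "") <= v <= (1, 0, 1, "f")


def check_local_openssl():
    """Run `openssl version` on this host and classify the result.

    Returns 'affected', 'not-affected' or 'unknown' (no openssl binary or
    an unparseable banner). Distribution packages frequently backport the
    fix without bumping the upstream version string (a patched 1.0.1e, for
    example), so 'affected' is a prompt to verify with the package manager.
    """
    try:
        out = subprocess.check_output(["openssl", "version"]).decode()
        return "affected" if heartbleed_affected(out) else "not-affected"
    except (OSError, subprocess.CalledProcessError, ValueError):
        return "unknown"


if __name__ == "__main__":
    print(check_local_openssl())
```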

Here are a few places to learn more about this threat:

  1. The Washington Post has a great introductory post that dispels some of the misconceptions about the threat of this bug. For example, of the top 10,000 websites on the net, only 628 were vulnerable at the time of posting.
  2. The official blog of the research team that identified the bug. This is fairly technical, so grab some coffee; it is information your IT team should understand.

Do you want to learn more about securing your website? Click the button below to talk with one of our cyber security professionals at Dunbar.

Contact Us