By Aaron Hutton
On the heels of several security breaches at a number of retailers comes a new threat to anyone who accesses the Internet. Self-storage operators who haven’t heard about the Heartbleed encryption flaw need to be informed and take action. Here’s a summary of how it works and why it should matter to you.
What Is Heartbleed?
Heartbleed is the common name for a recently discovered vulnerability in OpenSSL, a widely used cryptographic library that encrypts data traveling across the Internet. When you see https:// at the front of your browser’s address bar, you’re using some form of SSL/TLS. The system is designed so two parties can communicate without fear of being overheard by a third party.
In most cases, you’re one party and the other party is the website with which you’re communicating. The system accomplishes this through an SSL/TLS “certificate,” which positively identifies the website you’re communicating with and provides the “key” for encrypting and decrypting the communications between you and that website.
The Heartbleed bug “leaks” pieces of memory from affected servers. Given time, an attacker can gather copies of sensitive information, including the certificate mentioned above, as well as usernames, passwords and other sensitive data. The reason Heartbleed is so serious is that it has existed for quite some time (about two years), it’s relatively easy to exploit, and attackers leave no trace when they take advantage of a server.
What Should You Do?
Several sources out there are advising folks to change their passwords on various websites. However, you should check a couple of things first. First, did the website in question update its servers to patch the Heartbleed vulnerability? Second, did it replace its SSL/TLS certificate?
If the website hasn’t yet patched its servers and is still vulnerable, changing your password does no good since your new password can be leaked as easily as your old one through the Heartbleed bug. However, most administrators have now patched their systems so they’re no longer vulnerable.
Because Heartbleed can expose a website’s security certificate, end-to-end communications between a vulnerable server and you are insecure. If a website patches the bug but does not change its certificate, an attacker with a copy of the old certificate could decrypt your communications and read sensitive data, such as your new password. This situation is less common, unless you frequently use networks like public Wi-Fi or other insecure networks. I recommend you wait until the website replaces its certificate before changing your password.
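One way to perform the certificate check described above, added here as an example and not code from the author: it fetches a site’s certificate over a normal verified TLS connection and reports whether the certificate’s validity period began after the public Heartbleed disclosure on 7 April 2014. The sample certificate dictionaries and the hostname used in the main block are constructed for illustration.

```python
"""Check whether a site's TLS certificate was reissued after Heartbleed."""
import socket
import ssl
from datetime import datetime, timezone

# Public disclosure of Heartbleed (OpenSSL 1.0.1g shipped the same day), as a UTC epoch.
HEARTBLEED_DISCLOSED = int(datetime(2014, 4, 7, tzinfo=timezone.utc).timestamp())


def fetch_peer_cert(host, port=443, timeout=10):
    """Return the server's leaf certificate as the dict that ssl.getpeercert() produces.
    The chain and hostname are verified against the system trust store."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def assess_cert(cert, now=None):
    """Classify a certificate dict by its validity window relative to Heartbleed.

    Returns 'expired', 'pre_heartbleed' (issued while the private key may have
    been exposed; treat it as burned) or 'reissued' (issued after disclosure).
    """
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    if now > not_after:
        return "expired"
    if not_before < HEARTBLEED_DISCLOSED:
        return "pre_heartbleed"
    return "reissued"


# Constructed sample certificate dictionaries, in the format ssl.getpeercert() uses.
SAMPLE_REISSUED = {"notBefore": "Apr  9 00:00:00 2014 GMT",
                   "notAfter": "Apr  9 00:00:00 2016 GMT"}
SAMPLE_OLD = {"notBefore": "Mar  1 00:00:00 2014 GMT",
              "notAfter": "Mar  1 00:00:00 2016 GMT"}

if __name__ == "__main__":
    # Offline demonstration on the constructed samples (placeholder date: 1 June 2014 UTC).
    mid_2014 = int(datetime(2014, 6, 1, tzinfo=timezone.utc).timestamp())
    print("reissued sample:", assess_cert(SAMPLE_REISSUED, now=mid_2014))
    print("old sample:", assess_cert(SAMPLE_OLD, now=mid_2014))
    # Live check against a hostname of your choice (placeholder value).
    print("live:", assess_cert(fetch_peer_cert("example.com")))
```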
If you use the same password on several different sites, you should end that practice and use a different one for each system. Leaked or compromised passwords often end up on password lists, which are traded between hackers. For example, if you use the password “Roscoe1” on yahoo.com and also for your bank, your bank is vulnerable even if it was not affected by Heartbleed. Because your password could have been stolen from Yahoo, it can no longer be trusted. Any password leaked once should be considered “burned” and not used again, anywhere. Change your password on any site where you used a compromised or burned password. Lastly, if in doubt, you can always change your password to be safe.
Check Your Vendors and Computer-Based Systems
The Heartbleed vulnerability has wide-ranging reach in computerized systems that one wouldn’t always expect. Business owners and IT staff need to check with their vendors to get an official statement regarding Heartbleed. Any system or program that’s designed to transmit data securely over a computer network could be vulnerable, if that system used the vulnerable version of OpenSSL.
Stakeholders should think beyond the examples that are being commonly discussed because Heartbleed can affect much more than you or your customers logging onto your websites. For example, a point-of-sale program that aggregates sales information from satellite locations might secure that data with OpenSSL, or a security system that allows remote operation over the Internet could be vulnerable.
To ensure your systems are secure, make a list of the technology systems that communicate any data (or have the potential to, even if you’re not using it) over the Internet or any computer network. Then confirm with each vendor if its system was impacted by the Heartbleed vulnerability. If it was, make sure you patch the system or take necessary steps to secure it.
The following prominent sites and services were formerly vulnerable to Heartbleed. If you use one of these sites, you should change your password ASAP.
- Electronic Frontier Foundation
- Stack Overflow
For more sites and suggestions, read this article. Most major sites affected by Heartbleed have since been patched. You can check to see if a website may have been vulnerable as well as when it replaced its certificate on this site.
Aaron Hutton is the technology support manager for VIRGO. An IT professional with more than 20 years of experience, he has supported everything from small and medium businesses to Fortune 500 companies. After learning the ropes providing basic technical support for a $5 billion computer-hardware reseller, he leveraged that experience into more challenging positions ranging from the “one-man IT shop” to executive-level support with Intel Corp.