News this week revealed that a widely used piece of open-source security software has carried an undetected vulnerability. The bug, known as the Heartbleed bug, apparently went unnoticed for over two years. The information below provides a basic understanding of what the Heartbleed bug is and what you or your business should do.
What is the Heartbleed bug?
It is a vulnerability in the OpenSSL cryptographic library, which is used by approximately two out of every three websites on the Internet. OpenSSL is open-source software that implements the SSL/TLS encryption protecting web communications, such as connections to websites and email servers. The bug sits in OpenSSL's handling of the TLS "heartbeat" extension: a malformed heartbeat request makes a vulnerable server reply with up to 64 KB of whatever happens to be in its memory, and an attacker can repeat the request as often as they like. That memory can contain the website's private encryption keys, which would let a third party impersonate the site or decrypt its traffic, as well as user names, passwords, session cookies, emails and other account information that SSL/TLS encryption normally protects.
The Heartbleed bug was identified by security researchers, and there are currently no known data breaches attributed to it. Keep in mind, however, that exploiting the bug leaves no trace in ordinary server logs, so a site generally cannot tell whether it was attacked. Fortunately a fixed release, OpenSSL 1.0.1g, was published this week for affected companies.
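To make the mechanism concrete, here is an added example (not code from the original post or from OpenSSL) that simulates the heartbeat handling in Python. The layout of a heartbeat message (one type byte, a two-byte payload length, the payload, at least 16 bytes of padding) and the length check that the 1.0.1g fix added follow the real protocol and patch; the "memory" buffer, the SECRET string, the record placement and the function names are constructed for the illustration.

```python
import struct

# A made-up fragment of what else might be sitting in the server's memory next to
# the incoming record (constructed sample data, not taken from any real system).
SECRET = b"user=alice&password=hunter2&session=3d2a9f"

HB_REQUEST = 1    # TLS heartbeat_request
HB_RESPONSE = 2   # TLS heartbeat_response
PADDING = 16      # minimum padding the heartbeat extension requires


def build_heartbeat(payload, claimed_length=None):
    """Build a heartbeat message: type (1 byte), payload_length (2 bytes), payload, padding.
    A dishonest sender can set claimed_length far larger than the payload it actually sends."""
    if claimed_length is None:
        claimed_length = len(payload)
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING


def vulnerable_handler(memory, record_length):
    """Behaves like OpenSSL 1.0.1 through 1.0.1f: it trusts the sender's payload_length and
    echoes that many bytes starting at the payload, reading past the end of the record."""
    hbtype, payload_length = struct.unpack("!BH", memory[:3])
    if hbtype != HB_REQUEST:
        return None
    payload = memory[3:3 + payload_length]   # record_length is never consulted
    return struct.pack("!BH", HB_RESPONSE, payload_length) + bytes(payload) + b"\x00" * PADDING


def fixed_handler(memory, record_length):
    """Behaves like the 1.0.1g fix: the header, the claimed payload and the padding must all fit
    inside the record that was actually received, otherwise the message is silently dropped."""
    if 1 + 2 + PADDING > record_length:
        return None
    hbtype, payload_length = struct.unpack("!BH", memory[:3])
    if 1 + 2 + payload_length + PADDING > record_length:
        return None
    if hbtype != HB_REQUEST:
        return None
    payload = memory[3:3 + payload_length]
    return struct.pack("!BH", HB_RESPONSE, payload_length) + bytes(payload) + b"\x00" * PADDING


def leaked_bytes(handler):
    """Send a heartbeat that declares a payload far longer than the five bytes it carries and
    return whatever the handler echoed back from beyond the real payload and its padding."""
    payload = b"hello"
    claimed = len(payload) + PADDING + len(SECRET)
    record = build_heartbeat(payload, claimed_length=claimed)
    memory = bytearray(record + SECRET)      # the secret lies right after the record
    response = handler(memory, len(record))
    if response is None:
        return b""
    return response[3 + len(payload) + PADDING:len(response) - PADDING]


if __name__ == "__main__":
    print("vulnerable server echoed:", leaked_bytes(vulnerable_handler))
    print("fixed server echoed:     ", leaked_bytes(fixed_handler))
```

The vulnerable handler hands back the whole constructed SECRET because nothing ties the claimed length to the size of the record that arrived; the fixed handler drops the message and still answers an honest heartbeat normally. In a real server the bytes after the record are whatever the process last used, which is why keys, cookies and passwords can all show up.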
What did we do?
SecurityCoverage became aware of this threat on Tuesday morning. We immediately began implementing the necessary security patches on our servers that run Apache and OpenSSL. By 11 AM on Tuesday all changes were in production, and all communications for our products and websites that use this technology were patched.
What should businesses do?
The Department of Homeland Security (DHS) issued an alert on Tuesday warning businesses of the problem and advising them to review their servers for a vulnerable version of OpenSSL. The vulnerable versions are OpenSSL 1.0.1 through 1.0.1f; the older 1.0.0 and 0.9.8 branches are not affected. Businesses running a vulnerable version should update to OpenSSL 1.0.1g, which was released April 7, 2014, and then restart every service that links the library (web, mail, VPN and so on) so the patched code is actually in use. Those who cannot upgrade immediately can rebuild OpenSSL with -DOPENSSL_NO_HEARTBEATS, which removes the affected code. Because the bug can expose private keys, updating alone is not enough: once OpenSSL is updated, generate new private keys, reissue the security certificates on those keys and revoke the old ones, and invalidate active user sessions. Impacted businesses should post a notice on their blog and send confirmation to employees and customers when the issue is resolved. While the likelihood of compromised data may be low, employees and customers should still be advised to change their passwords, but only after the fix and the new certificates are in place, since a password changed on a still-vulnerable site can be exposed all over again.
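As an added example (not from the original post or any vendor tool), the following Python reads the text of `openssl version -a` and classifies it against the ranges above. The version range, the release date and the -DOPENSSL_NO_HEARTBEATS build flag come from the advisory, and 1.0.2-beta1 is included because it carried the same bug (fixed in 1.0.2-beta2). The "check-vendor" result for 1.0.1 through 1.0.1f builds dated on or after April 7, 2014 is a heuristic for distributions that backport the fix without changing the version letter; the function names and the sample outputs are assumptions.

```python
import re
import subprocess
from datetime import date

# Affected range from the advisory: OpenSSL 1.0.1 through 1.0.1f. 1.0.1g is the first fixed
# release; 1.0.2-beta1 carried the same bug and 1.0.2-beta2 fixed it.
FIX_DATE = date(2014, 4, 7)
FIRST_FIXED_LETTER = "g"

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")
# `openssl version -a` prints a line such as "built on: Mon Apr  7 20:33:29 UTC 2014".
BUILT_RE = re.compile(r"built on:\s+\w+\s+(\w{3})\s+(\d{1,2})\s+[\d:]+\s+\w+\s+(\d{4})")
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def classify(version_output):
    """Classify the text of `openssl version -a` as one of:
    'vulnerable', 'fixed', 'unaffected', 'check-vendor' or 'unknown'."""
    m = VERSION_RE.search(version_output)
    if not m:
        return "unknown"
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    # A build compiled with -DOPENSSL_NO_HEARTBEATS has the heartbeat code removed entirely;
    # the flag shows up on the "compiler:" line of `openssl version -a`.
    if "OPENSSL_NO_HEARTBEATS" in version_output:
        return "fixed"
    if branch == (1, 0, 2):
        return "vulnerable" if beta == "-beta1" else "fixed"
    if branch != (1, 0, 1):
        return "unaffected"     # 1.0.0 and 0.9.8 never contained the heartbeat code
    if letter >= FIRST_FIXED_LETTER:
        return "fixed"
    # The version string says 1.0.1 through 1.0.1f. Distributions backport the fix without
    # bumping the letter, so a build dated on or after the fix may already be patched
    # (heuristic): confirm against the vendor's advisory before trusting it.
    b = BUILT_RE.search(version_output)
    month = MONTHS.get(b.group(1)) if b else None
    if b and month and date(int(b.group(3)), month, int(b.group(2))) >= FIX_DATE:
        return "check-vendor"
    return "vulnerable"


def classify_local():
    """Run the local `openssl version -a` and classify it; 'unknown' if openssl is not installed."""
    try:
        out = subprocess.run(["openssl", "version", "-a"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return "unknown"
    return classify(out.stdout)


if __name__ == "__main__":
    print(classify_local())
```

Run it on each server; "vulnerable" and "check-vendor" both mean the machine needs attention, and even a "fixed" result only covers the system copy of OpenSSL, not applications that ship their own statically linked copy. Note that the version string never tells you whether running services were restarted after the update.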
What should individuals do?
If you receive a communication from a website or business that you use, look for confirmation that they have fixed the bug. You can also check the company's website or blog, as they often post notices like this there. Once an impacted site has confirmed it is fixed, change your password there; changing it before the fix would only expose the new password to the same bug. Be wary of emails that ask you to reset a password through a link, since scammers are likely to imitate these notices; go to the site directly instead. Remember that if you do need to change any of your passwords, tools like Password Genie can generate strong passwords for you. To be clear, for most people this is not a problem with your computer or mobile device but with the websites you have visited; only software that itself embeds a vulnerable copy of OpenSSL needs an update of its own.
Be safe and keep an eye out for communications from impacted companies. For more details on the Heartbleed bug check out http://heartbleed.com/.