The recent discovery of the “Heartbleed” online bug has sent shockwaves through the internet, causing companies and individuals alike to question very basic assumptions about cyber security. The bug has allegedly existed for the past two years and was only recently inadvertently discovered by the software developer Codenomicon. Heartbleed renders useless Open Secure Socket Layer (SSL) encryption, a software program that implements the SSL protocol, most commonly used when a web browser needs to securely connect to a web server over the internet. OpenSSL encrypts the traffic, log-in credentials and content of communications transmitted over the internet. The error in OpenSSL makes it possible for hackers to access sensitive material, including a server’s private key, as well as any data that is in memory on the server. This data can include customer information such as usernames, passwords, and credit card information. Access to this type of sensitive data creates a serious vulnerability because attackers can use it to decrypt past communications, steal critical data, and in the case of a private key compromise, enable the attacker to impersonate the associated server.
SSL has long been considered a necessary component of securing private data online. About two thirds of websites use OpenSSL, both to protect user data and comply with existing privacy law frameworks. Many state data breach reporting laws and federal statues, such as the Health Insurance Portability and Accountability Act (HIPAA), provide safe harbors for companies that can prove their data was properly encrypted. The FTC has also considered the SSL protocol to be necessary, made clear in its recent settlement of a pair of enforcement actions against Fandango LLC and Credit Karma, Inc. for their failure to properly implement SSL encryption software.
With OpenSSL compromised, what is a company to do? The FTC’s response to the Heartbleed bug suggests that the SSL encryption protocol is still a necessary component of cyber security. It advises companies affected by the bug complete the following steps:
Update to the newest version of OpenSSL and reboot servers. Generate new encryption keys according to your systems’ instructions. Get a new SSL Certificate from a trusted certificate authority to signal to web browsers that your site is safe and secure. Notify your employees and customers. Once your systems have been secured, tell your employees and customers to change their passwords for any system that was affected. If they use the same passwords on any other sites, they should change those, too. Talk to your IT staff. Determine whether your websites, networks, or other applications use OpenSSL. Remember that even if your public website isn’t vulnerable, you might have other applications that are — like your email server.
Companies should not, however, take this bug lightly. The potential widespread harm created by Heartbleed represents the vulnerabilities inherent in relying on a single software system for cyber security. Companies may want to use this as an opportunity to reassess their data security procedures and ensure that there are multiple layers of security in place. Diversifying the types of software used to protect data is the best way to safeguard against bugs to individual systems.
Additionally, in light of this massive security threat, the Justice Department and FTC recently released a joint policy statement allowing and encouraging the sharing of real-time data on cyber security threats and attack information, assuring companies that “as long as the information exchanged was limited to physical and cyber security issues, the proposed interdictions on price, purchasing and future product innovation discussions” will not be in violation of antitrust laws.