On April 8, 2014, a team of engineers that was testing improved security features announced that they found a massive vulnerability for websites that use web encryption software called OpenSSL. This vulnerability, called the “Heartbleed bug,” allows potential eavesdropping on users’ communications on websites using OpenSSL.
OpenSSL is a popular open source encryption library used to encrypt traffic on the internet. It is used to protect email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and a wide variety of client-side software. Many popular cloud-based services rely on it, including Google, Facebook and Yahoo. In testing, researchers found they were able to exploit the vulnerability to steal usernames, passwords, instant messages, emails and other critical information. They were able to steal this information without leaving a trace behind to indicate that the theft had occurred.
There are different types of information that could be at risk. Here are some examples:
- Encryption keys. Leaked keys allow the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will.
- User credentials (user names and passwords) used in the vulnerable services.
- Actual content handled by the vulnerable services. It may be personal or financial details, private communication such as emails or instant messages, documents or anything viewed as worth protecting by encryption.
- Collateral information, which would include other details that have been exposed to the attacker in the leaked memory content. These may contain technical details such as memory addresses and security measures put in place to protect against overflow attacks.
Here are the things you should do to protect your own business information and your customers’ information:
First, compile a list of the various web services you use. If you have a username and a password to access the site, it should go on the list.
Second, identify those web services that hold your confidential information and the confidential information of your customers, such as credit card numbers, bank account numbers, social security numbers and other critical information. Those services should go at the top of that list.
Third, investigate whether each web service employs SSL/TLS encryption. Websites and web services that do not employ SSL/TLS are not vulnerable to the Heartbleed bug.
Fourth, for websites which do employ SSL/TLS, investigate whether a patch or fix has been applied to each website. Large services such as Google and Facebook have already implemented fixes. Particular attention should be paid to web services from smaller companies. An easy way to check whether the fix has been implemented for a given website is to go to https://www.lastpass.com/heartbleed.
Fifth, once you confirm a fix has been made for a particular service, log in and change your password for that service.