OpenSSL Heartbleed - Infinity Network Solutions

In case you missed the Facebook trending posts, news reports, radio spots, and blog posts on the Internet there is now a new bug out there that you should know about.  No, this bug is not a virus or a scam but a major invasion into your privacy.  This vulnerability has been around for two years but was discovered only on Monday, April 7, 2014.  By now, I am sure that you are asking yourself, “What is this new bug and why should I worry about it?”  The bug’s official name is CVE-2014-0160, also known as the OpenSSL Heartbleed Bug.

OpenSSL is an open-source security language that is used on major websites like Facebook, BBT, Ally, Google, etc.  It is used so widely because of the fact that it is open-source.  This means that it is free, anyone can view the code and improve upon it, discover these bugs, and help create patches.  It is basically crowd-source technical support and programming.

Because of this open-source program we can determine exactly what Heartbleed did and look at the code of the vulnerability itself.  “The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.  This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content.  This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users,”  a description from Heartbleed.com states.  It is a very technical description that is hard to put in simple terms.  It allows the hacker to ask for more information from the server while it processes requests from other users and see the requests the other users are making, effectively eavesdropping.  The popular XKCD put out a comic that explains it very clearly with pictures.

What should you do and what should we, as an IT company do?  The most important thing you should do is change all your passwords for every website you go to.  Make them secure passwords too and not something simple.  However, not every website has patched themselves against the vulnerability.  If you change your password for a website that has not yet patched, you are still vulnerable.  What is recommended is to use a website that can check to see if your website is affected.  A website that can be used is https://filippo.io/Heartbleed/.  From there you can enter in the website you are concerned about and if you get a message saying that the website is unaffected or patched you should change your password.  Mashable has also published an article that lists popular websites and whether you should change your password now.

As an IT company, we should stay on top of news like this by keeping an eye on technology news from various sources.  We found out about the bug from a Lifehacker post yesterday morning.  When we find these stories we need to determine what course of action we should take.  The action we took yesterday was to find out which of our clients were vulnerable.  The client that was vulnerable we immediately patched their system and tested to make sure that patch was being seen.  Our next steps are to continue to keep up to date on technology news.  This would be just like wanting your doctor to keep up on the latest medical and health news.  If you have any concerns or questions about this vulnerability on what it means for you and your business, please feel free to let us know.