What You Need To Know About The Heartbleed Bug
What is Heartbleed?
Heartbleed is the name given to a software bug found in a piece of software called OpenSSL. You've probably never heard of it, but it is used by millions of websites to give people secure, encrypted access to services such as webmail, financial services and other online services. People use a username and password to log in to the website, and OpenSSL is what keeps that username and password, and everything transferred afterwards, encrypted on its way to the website. The bug allows someone with the necessary skills, such as a computer hacker, to "scrape" usernames, passwords and other private information, including the private key, from affected websites and then use them.
The private key is absolutely critical to the security of a secure website. It is the encryption key used to protect the data, so that even if someone intercepts the data they cannot read it. Anyone who holds the private key, however, can intercept that data and decrypt it. The private data could be personal details, credit card details or confidential business information.
Hackers also know that most people use the same username and password for most of the websites they visit, so stolen credentials would also let them access other websites that don't have the bug, provided the person's username and password are the same there.
How am I affected and how can I protect myself?
This has been a very serious incident for online security, and it may take months to discover what the true impact has been and what changes it will bring about. For now, there are a number of things to be aware of:
Firstly, the Big 4 banks in Australia have all said they are completely unaffected by the bug and that your online banking is safe and secure. Other service providers have also come out and said the same. Providers like Google, Yahoo, Facebook, PayPal, Dropbox and Amazon Web Services, which were affected by the bug but are now fully patched, have been advising users that they don't have to change their passwords, while gently prodding them to do so in line with best practice. I would advise you to change them.
Microsoft services such as Outlook Webmail, Azure, SharePoint and web servers built on IIS use Microsoft's own SSL platform and are unaffected.
For any other online services you use, in business or personally, the easiest thing to do is check that service provider's website, or google the provider's name together with "heartbleed", and see what their advice is.
For any secure services you provide to your customers, contact your developer or service provider to find out whether you are affected, as you will need to let your customers know as soon as possible. Over the last day or so, security hardware vendors such as Cisco, WatchGuard and others have said that some of their products are vulnerable, so again it's best to check their websites or speak to your IT support team for advice.
For everyone, this is a wake-up call about online security and the way people access it. Some security experts have said that the Heartbleed bug is a catastrophe and that on a scale of 1 to 10 this is an 11. Service providers have been scrambling all week to patch websites and ensure their information is secure, whilst others, it seems, don't want to draw attention to the fact that they have been affected.
The majority of people use the same username (usually their email address) and password for most sites, and this bug has highlighted the need for everyone to use proper password management and never reuse a password across the secure sites they access. There are online services available that help manage your passwords: LastPass, Dashlane and RoboForm for personal use, and Okta, OneLogin and a number of solutions from security vendors for corporate use. With the number of usernames and passwords that people now have, it may be time to look at a password manager service.
Advice from security experts is to monitor your online accounts over the next few months for any suspicious or unusual transactions, and to contact your bank if you notice something irregular. Even though your bank may have said it is secure, other websites where you have registered your payment details may not be.
Here are the first 6 tasks you should do to help protect yourself against Heartbleed:
- Check the advice for any online services you subscribe to.
- Change your online passwords if necessary.
- Make the passwords for all of your online services unique.
- If you provide customers or staff with secure website access, check with your developers or IT teams for advice.
- Monitor your bank accounts for any suspicious transactions over the coming months.
- Be vigilant when opening emails that appear to come from online service providers; they may be malicious spam emails in disguise.
The most unbelievable aspect of all of this is that the bug was unknowingly written into the OpenSSL software 2 years ago, and all of these sites have been vulnerable since then! So no-one quite knows whether it has already been exploited without being publicised.
About the Author
Geoff Stewart is a highly experienced and skilled Technology Director at Surety IT. His knowledge is based on years of industry experience creating customised, stable, well-performing systems for multi-national companies in the UK and Australia and for Surety IT customers.
Surety IT can help you create the right system to enhance your business, ensuring you understand why it is right for you and how to use it. We will tailor a solution to suit your needs with leading systems, local support and more, building your vision for a more flexible and capable business.