Over the past few weeks, consumers around the world were dismayed to learn that a vulnerability had been discovered that made a popular security protocol moot (presumably, the hackers who used the bug were no happier about the news being reported). The news has created a stir in the media, with some declaring the bug to be the end of the internet and other tech experts saying that people should change all their passwords. It’s not as bad as some media reports make it seem, but it’s something the public and business owners should be aware of. This post gives a quick overview of what the Heartbleed bug is and what business owners should do about their sites.
In a nutshell, the Heartbleed bug is a security flaw in the open source security protocol SSL (Secure Sockets Layer). SSL is used by many businesses and websites of all sizes to encrypt the data sent to and from the server. Most internet users know SSL as the padlock icon that appears in the browser to let them know a site is secured. The website sends the visitor an encryption key that makes the data sent over the internet unreadable except by the website that sent the key. This is why SSL has been used by banks, sites with login passwords, email providers and more. The Heartbleed bug made it possible for a third party to intercept unencrypted data from sites that were supposed to be secure. This means that passwords and data sent on vulnerable systems could be used by criminals.
“It’s probably the worst bug the Internet has ever seen,” said Matthew Prince, CEO of website-protecting service CloudFlare, in an interview with CNN. “If a week from now we hear criminals spoofed a massive number of accounts at financial institutions, it won’t surprise me.”
While much of the hype about the Heartbleed bug is hyperbole (it would take a herd of Godzillas rampaging across the globe to destroy the internet), there is certainly reason to be concerned. On April 17th, Canadian Mounties arrested a 19-year-old hacker who used the Heartbleed bug to access the Social Insurance Numbers of more than 900 taxpayers. Canada even had to shut down its tax payment site for a few days when Canada’s taxing authority realized its computers were at risk. Here in the States, the IRS said it wasn’t vulnerable to the security flaw.
The bug was accidentally introduced into the SSL protocols in 2012, and systems have been vulnerable ever since. However, it’s unknown when the bug was first exploited or how widespread the damage is. The flaw only affects certain versions of SSL, so not every site with a padlock was leaking information. Also, depending on how many layers of security the website used, the information may have remained secure even if the SSL protection was compromised.
As one would imagine, the fixes for the Heartbleed bug are pretty technical. On the simple end, many ISPs are making patches available to the affected sites on their servers. Similarly, HP, Dell and IBM are identifying which of their products were vulnerable and providing the necessary support. However, to be sure the risk to a website has been eliminated, here are the steps business owners should make sure have been taken:
Check whether the system is vulnerable and apply the patch if necessary.
After applying the patch, generate a new certificate and a new key (the patch alone leaves a system vulnerable).
Don’t forget to revoke the old certificate and key (leaving the old key active creates the possibility of further data loss).
Restart the service and ensure that all old or hidden versions are removed.
Use a test script to validate that the site and its services are no longer vulnerable.
Check all your servers and services to ensure there aren’t any old versions of SSL forgotten in other places.
Check for any evidence of data loss and inform affected customers.
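As an added example that is not part of the original post, the following Python script implements three of the checks from the list above for a server you administer: classifying the installed OpenSSL version, confirming the certificate was issued after the patch went on, and finding processes that still have the old library loaded. The vulnerable version range (OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g) comes from the OpenSSL advisory rather than this post; the patch timestamp and the /proc maps excerpts are constructed sample data.

```python
"""Post-patch Heartbleed checks for a server you administer (added example)."""
import re
from datetime import datetime

# OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 shipped the vulnerable heartbeat code;
# 1.0.1g (7 Apr 2014) is the first fixed release. Distributions such as Debian and
# Red Hat backport the fix without changing the letter, so "vulnerable" from the
# version string alone means "check the package changelog", not a final verdict.
VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)(-beta1)?")

def version_is_vulnerable(banner):
    """Classify the first line of `openssl version`. Returns True, False, or None if unparseable."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter, beta = m.groups()
    if (major, minor, fix) == ("1", "0", "1"):
        return letter < "g"           # plain 1.0.1 and 1.0.1a..f are vulnerable
    if (major, minor, fix) == ("1", "0", "2"):
        return beta is not None       # only 1.0.2-beta1 carried the bug
    return False                      # 0.9.8 and 1.0.0 never had the heartbeat extension

PATCH_APPLIED = datetime(2014, 4, 10, 9, 0, 0)   # constructed: when this host was patched

def cert_needs_reissue(startdate_line, patched_at=PATCH_APPLIED):
    """Parse `openssl x509 -noout -startdate` output ("notBefore=Apr  8 00:00:00 2014 GMT").
    A certificate issued before the patch was made with a key that may already have leaked.
    Also compare the public key fingerprint: a new certificate on the old key is no fix."""
    value = " ".join(startdate_line.split("=", 1)[1].split())  # collapse OpenSSL's day padding
    not_before = datetime.strptime(value.replace(" GMT", ""), "%b %d %H:%M:%S %Y")
    return not_before < patched_at

def processes_holding_deleted_libssl(maps_by_pid):
    """maps_by_pid: {pid: contents of /proc/<pid>/maps}. A process that still maps a
    libssl file marked "(deleted)" keeps running the pre-patch code until restarted."""
    stale = []
    for pid, maps in maps_by_pid.items():
        for line in maps.splitlines():
            if "libssl" in line and line.rstrip().endswith("(deleted)"):
                stale.append(pid)
                break
    return sorted(stale)

# Constructed /proc/<pid>/maps excerpts: 1234 was not restarted after the upgrade, 5678 was.
SAMPLE_MAPS = {
    1234: "7f3a1c000000-7f3a1c05f000 r-xp 00000000 08:01 131 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n",
    5678: "7f3a1c000000-7f3a1c05f000 r-xp 00000000 08:01 140 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0\n",
}

if __name__ == "__main__":
    print(version_is_vulnerable("OpenSSL 1.0.1e 11 Feb 2013"))       # True
    print(cert_needs_reissue("notBefore=Apr  8 00:00:00 2014 GMT"))  # True
    print(processes_holding_deleted_libssl(SAMPLE_MAPS))             # [1234]
```

On a live host, feed the functions the output of `openssl version`, `openssl x509 -noout -startdate -in <cert>` and the text of each `/proc/<pid>/maps`; a service listed as stale must be restarted, not just upgraded.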
Since many of the fixes required to address the issue won’t be done by the website owner, the main things business owners need to do are make sure the repairs are being made, ensure that transactions aren’t being handled on insecure systems, and be on the lookout for issues related to the fix. Some business IT departments, as well as the IT staff of internet service providers, have reported delays in applying the fix, and in some cases fixes at the ISP level could affect the functionality of the hosted site. Business owners should test core website functions to make sure they are still working after the fix.
The Heartbleed bug may be frightening, but it isn’t something that businesses and the internet can’t survive. Business owners and webmasters will need to be on the lookout for the next few months to make sure that everything works properly and that they aren’t bitten by the Heartbleed bug.