What to do About Heartbleed

Heartbleed Bug Requires Changes

For those who haven’t heard, there is a new internet security risk. Heartbleed (CVE-2014-0160) is a bug in OpenSSL, the software library that a large share of servers use to encrypt data. Whenever you access a secure site and see the lock next to the site address, that is SSL (more precisely, its successor TLS) at work. There are many SSL libraries out there, and only OpenSSL was affected, and only versions 1.0.1 through 1.0.1f, which had shipped with the bug for about two years before the fix in 1.0.1g. But OpenSSL is the most widely used library, running on up to two-thirds of all internet sites that use SSL, so the exposure is enormous.

So what sites use SSL? Pretty much everyone: your banks, credit card companies, even social media. Yahoo!, for example, announced that it did not know about the hole until it was made public, which means its sites were exposed and any Yahoo! password needs to be changed once Yahoo! has the fix in place, including on its other sites, Tumblr and Flickr.

To make matters worse, it’s not just websites but your internet-connected devices as well, including routers and other networking equipment. If you have WiFi in your home or business, check with the equipment’s manufacturer to see whether it uses OpenSSL. If so, they will need to issue a “patch,” an update to the device’s software that closes the hole. Device patches take longer to arrive than website fixes, which is worrisome. Two of the largest vendors, Cisco and Juniper, have already announced that they are patching their affected equipment.

The widespread use of OpenSSL may also affect other online devices, from Blu-ray players to web-enabled refrigerators. While it’s cool to be able to control your thermostat from your iPhone, you don’t want some kid in Russia doing it. Just like the WiFi equipment, you need to check with the makers of these devices to see whether they have a patch.

For most people, the steps are to change their passwords on the affected websites and to contact the makers of their WiFi devices. Change a password only after the site has fixed the hole: a new password entered on a still-vulnerable site can leak just like the old one, and you would only have to change it again once the fix is in. If you’re not sure whether a site is affected, do a Google search for the site’s name and “heartbleed”; many of the larger sites have commented. If you find nothing, send a message to the site and ask them straight up whether they were affected and whether they have fixed it. There is a good guide over at Tom’s Guide (linked below) on what to do.

For companies, most states require online businesses to notify their customers of data breaches in writing. Heartbleed is particularly difficult because site administrators have no way of knowing whether they suffered a breach: the malformed heartbeat requests that trigger the leak are not normally logged, so an attacker using Heartbleed can come and go without leaving a trace. Therefore, every online company using OpenSSL should act as if it had been breached. Update OpenSSL to a fixed version and restart the services that use it, replace the site’s SSL certificate and private key (the key itself may have been read out of the server’s memory, so a new certificate issued to the old key fixes nothing), and then tell your customers that you used OpenSSL and recommend that they change their passwords. If you’re not sure whether your site is vulnerable, run it through the Filippo.io test linked below (keep it to your own sites; there may be legal issues with probing others).

If your company uses a different SSL library rather than OpenSSL, tell your customers so. Otherwise you will be suspect for no good reason (and you’ll look better protected than your competitors).

And for my clients: SeanMorrisonPLLC.com, the Virtual Law Office, and all other services I use to hold client data have been confirmed as secure or patched. Nonetheless, it’s still recommended that you change your password in the Virtual Law Office in case something happened before the breach.

Links

NYTimes – Flaw Calls for Altering Passwords, Experts Say

Washington Post – Heartbleed could harm a variety of systems

Tom’s Guide – Heartbleed: Who Was Affected, What to Do Now

Filippo.io – Heartbleed test