Over the past few weeks, you may have heard some chatter about a security vulnerability named “Heartbleed.” Not surprising.
According to the Sydney Morning Herald, the Heart Bleed security flaw has exposed tens of thousands of businesses to attacks by malicious hackers.
And as with any security scare hitting the web, businesses want to know “should we be worried?”
The short answer? Yes. The long answer? Read on to find out how Heartbleed can harm your business, and what you should do about it.
What is the Heartbleed bug, and how does it work?
Heartbleed is a software vulnerability that allows malicious hackers to access a range of network-connected devices and illegally gather passwords, usernames, encryption keys and personal information.
The vulnerability exists in the OpenSSL software used by tens of thousands of businesses running open source web servers, including Apache and nginx. The attackers’ goal is to gather sensitive information that lets them gain unauthorized access to websites and networks. This data can then be sold to third parties.
Furthermore, malicious parties are able to:
- Impersonate a website while suppressing alerts about invalid certificates
- Decrypt all communication between your computer, tablet or phone and any online service
How do I know if I’m vulnerable?
It is good news that the websites you probably use on a daily basis have reacted very quickly to the bug, but because Heartbleed has been around for close to two years, there is a reasonable risk that your usernames and passwords were compromised earlier without your knowledge.
You may have noticed that some sites you are registered with have logged you out as a security measure.
What are some services that have been affected?
Fortunately for many businesses, Microsoft products do not utilise the OpenSSL encryption mechanism. As such, it is extremely unlikely that your computer usernames and passwords were compromised when logging on to your company’s webmail, computer or virtual private networks.
The major Australian banks have also released statements indicating that their financial software and databases are not at risk.
The bad news is that approximately two-thirds of the Internet runs on systems using OpenSSL, so the likelihood of you having an exposed account is high.
A few of the affected services are:
- Google, including Gmail
- Tumblr
- Yahoo
- GoDaddy
- GitHub
Unconfirmed, but likely:
- Apple
- eBay
Mashable has also put together a fairly comprehensive list of web services affected by Heartbleed in its Heartbleed article.
How can I protect my business from the Heartbleed bug?
As with most widespread security vulnerabilities, the developer community has mobilized to educate users and address the bug, minimizing the extent of its damage.
It’s extremely important that you contact your IT service provider (or department) and ensure that your network is protected from the Heartbleed vulnerability. In the majority of cases, service providers have proactively patched the vulnerability, but a phone call is a sensible precaution. Because Heartbleed can expose a server’s encryption keys, it is also worth asking whether your SSL certificates were reissued after patching, not just whether the software was updated.
A further step would be to revisit your business password policies. Passwords like “password123” are not going to cut it, and we strongly recommend mandatory password changes every 30 days.
For web-accessed software (think Gmail, MailChimp, your Sydney Morning Herald account, etc.), we recommend using password management software such as LastPass. LastPass lets you protect tens (or hundreds) of website credentials with a single master password.
The added benefit of using LastPass is that its software can identify websites you use that have been compromised by the Heartbleed bug, making it easier for you to know whether your data is at risk.
If you re-use the same passwords across multiple websites, you may still be vulnerable. If you don’t routinely change your websites’ passwords, it’s possible that even your customers’ information has been accessed.
Make sure that you select a new, secure password, and that you don’t re-use the same password across multiple websites. If you think your network may have been compromised by the Heartbleed bug, get in touch with us today for a free consultation by calling (02) 8412 0000.