Everyone has been abuzz this week with news of a shockingly dangerous security flaw affecting a myriad of websites throughout the whole Internet. Let’s talk about it.

What is Heartbleed?

Essentially, there are many websites that use OpenSSL software to make data transmissions secure. This software is designed to protect the privacy of secret keys used for X.509 certificates, user names and passwords, and confidential communications, including but not limited to instant messages, emails and business critical documents.

The discovery of the Heartbleed Bug has changed everything. This security hole has apparently existed in current versions of the OpenSSL software (unpatched OpenSSL 1.0.1 or 1.0.2-beta) since early 2012. The problem is that, currently, it is possible to access the secret keys that encrypt everything, and then use them to decrypt private information such as photographs, usernames, passwords, addresses, credit card & banking information, and more.

Fortunately for humanity, well-meaning researchers believe that they have been the first ones to catch wind of the vulnerability, rather than anyone with malicious intentions. However, it is impossible to tell.

Knowing about the security flaw and fixing it are two different beasts. Collectively, everyone on the internet has a lot of work to do before the risk has been completely eliminated – at least, everyone who uses OpenSSL on their sites.

For our technically-inclined readers, here is a more in-depth description of the situation, according to Heartbleed.com:

“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”

What does this mean for inConcert’s clients?

Our clients have nothing to worry about, because inConcert’s servers are running on an operating system that is based on Red Hat Version 5. This version of Red Hat is shipped with a version of OpenSSL that is not affected by the Heartbleed issue that is currently going around. So if you operate a secure site, you do not have to worry about passwords of accounts that belong to you or your users, as they are still as secure as they were before this issue was found.

What can I do to protect myself personally?

The most important thing you can do is to pay attention. Check to see if you have accounts on any vulnerable sites. If you do, you need to find out whether the site’s administrators have fixed the vulnerability yet – many websites already have. After the vulnerability is fixed, then you must change your password. If you change your passwords before the vulnerability has been fixed, your data is still at risk.

You may want to think about deleting or closing your accounts on vulnerable sites that you do not use. This will reduce identity theft risk for the future. The fewer places that have your information, the less likely it is that you will be affected.

It’s also (always) a smart idea to monitor your credit cards carefully. Seeing unauthorized charges is often the first clue in any identity theft case, and swift reactions pay off. If you’re feeling really paranoid, call your credit card companies and ask for their assistance in securing your account. If you are issued a new card with a new number, then all of your online accounts will have outdated credit card information, which will not work for anyone who has stolen it.

The fixed version of OpenSSL has already been released. Those who must act first include operating system vendors and distributions, appliance vendors, and independent software vendors. Once they have upgraded their OpenSSL software to a safe version, they must notify all their users that they have done so. Then, service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.

What sites have been affected?

All websites that use unpatched OpenSSL 1.0.1 or 1.0.2-beta have been affected. You can test your server here. Recent scans have shown that as many as 630 out of the 10,000 most popular websites were vulnerable.
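For readers who run their own servers, here is a small Python triage script, added to this post as an illustration rather than taken from inConcert or the OpenSSL project, that classifies the version banner printed by `openssl version` the way the paragraph above describes: 1.0.1 through 1.0.1f and the first 1.0.2 beta are vulnerable, 1.0.1g and later are fixed, and the 0.9.8 and 1.0.0 branches (such as the one shipped with Red Hat 5) never contained the affected code. The host names and banners in the sample inventory are constructed for the example.

```python
import re

# Heartbleed affects OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1.
# 1.0.1g (released 7 Apr 2014) and later carry the fix; the 0.9.8 and
# 1.0.0 branches never had the TLS heartbeat code and are unaffected.
_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?"
)


def classify_openssl_version(banner: str) -> str:
    """Classify an 'openssl version' banner as 'vulnerable', 'fixed',
    'unaffected' or 'unknown' (banner not recognised)."""
    m = _VERSION_RE.search(banner)
    if not m:
        return "unknown"
    version = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4)   # patch letter, e.g. the 'e' in 1.0.1e ('' if none)
    beta = m.group(5)     # beta number for 1.0.2-betaN, else None
    if version < (1, 0, 1):
        return "unaffected"          # 0.9.8 and 1.0.0 branches
    if version == (1, 0, 1):
        # '' (plain 1.0.1) through 'f' are vulnerable; 'g' onward is fixed
        return "vulnerable" if letter <= "f" else "fixed"
    if version == (1, 0, 2):
        return "vulnerable" if beta == "1" else "fixed"
    return "fixed"                   # anything newer than the 1.0.2 series


# Constructed sample inventory: host name -> banner captured from
# 'openssl version' on that host. Not real hosts.
SAMPLE_BANNERS = {
    "web-01": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy-01": "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008",
    "build-01": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "appliance-01": "firmware build 4711",
}


def triage(inventory: dict) -> dict:
    """Map every host in the inventory to its Heartbleed status."""
    return {host: classify_openssl_version(b) for host, b in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_BANNERS).items()):
        print(f"{host:14s} {status}")
```

One caveat a practitioner would apply: the version string is only a first pass. Linux distributions often backport the fix into an older package while keeping the old banner (a patched 1.0.1e package still prints 1.0.1e), so a host reported as "vulnerable" here should be confirmed against the vendor's package changelog or advisory, and a host reported as "unknown" needs a manual look rather than being assumed safe.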

A wide variety of popular sites have been affected, including:

  • Yahoo
  • OkCupid
  • Imgur
  • Flickr
  • Picmonkey
  • Us Magazine
  • and about 624 more…

However, it’s still a good idea to change your passwords regularly for all of your accounts.