Heartbleed Hack Impacts You Too

There is a zero-day vulnerability (meaning no patch existed when it was discovered) that allows attackers to bypass your encryption. Attackers can bypass your website’s security, as well as access all of the information you thought was “secure” at the websites you use – like banking sites.

What to do:

First: Ask your web application designer to patch OpenSSL if your site uses OpenSSL (about 85% do). Consider telling them to “get new keys” for your site in case your old keys are already stolen.

Second: Reset your passwords on the websites on which you care to keep your information secure. Know that the websites you’ve been visiting may have already been compromised, and will remain compromised until those sites fix the problem. Once they fix the problem, you need to reset your password again.

LastPass created a tool that will allow you to see if a site is susceptible to Heartbleed. Visit: LastPass

Websites that use encryption, perhaps including yours, may be completely vulnerable. Attackers can access the “keys” that are used to securely lock your data during transit. Once the attacker has the keys, they can read sensitive data from your site and use the keys to bypass your protection. Without getting technical, this relates to sites that use the “s” as in https://websitename.com vs. sites that aren’t encrypted, like http://websitename.com.

Additionally, until the websites that you visit apply their fixes too, your information will be vulnerable too. This includes shopping sites, banking sites, and other sites that you trust. Not only do the sites need to patch the security holes, they need to register for brand new “keys.”
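As an added example (not part of the original post): a small Python triage helper that classifies the banner printed by `openssl version` against the upstream releases affected by Heartbleed (CVE-2014-0160), which are 1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release; that range comes from the public OpenSSL advisory, not from this post. It assumes the `openssl` binary is on the PATH, and because many distributions backport the fix without changing the version number, a “vulnerable” result is a prompt to check the vendor’s advisory, not proof that the host is exploitable.

```python
import re
import subprocess

# Heartbleed (CVE-2014-0160) affects upstream OpenSSL 1.0.1 through 1.0.1f and
# 1.0.2-beta1. 1.0.1g fixed it; the 0.9.8 and 1.0.0 branches never had the bug.
FIXED_101_LETTER = "g"

# Matches banners such as "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 ..."
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")


def parse_openssl_version(banner):
    """Parse an `openssl version` banner into (major, minor, patch, letter, beta)."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version banner: {banner!r}")
    major, minor, patch, letter, beta = m.groups()
    return int(major), int(minor), int(patch), letter, beta


def is_heartbleed_vulnerable_version(banner):
    """True if the upstream version in the banner falls in the affected range.

    Caveat: distributions often backport the fix while keeping the old version
    string, so a True result means "check the package changelog / vendor
    advisory", not "this host is exploitable".
    """
    major, minor, patch, letter, beta = parse_openssl_version(banner)
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g and later are fixed.
        # Letters compare alphabetically, and "" (bare 1.0.1) sorts before "g".
        return letter < FIXED_101_LETTER
    if (major, minor, patch) == (1, 0, 2):
        # Only the 1.0.2-beta1 pre-release shipped with the bug.
        return beta == "-beta1"
    return False


def triage_local_openssl():
    """Run `openssl version` on this host (assumes it is on the PATH) and classify it."""
    result = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True)
    banner = result.stdout.strip()
    return banner, is_heartbleed_vulnerable_version(banner)


if __name__ == "__main__":
    banner, vulnerable = triage_local_openssl()
    verdict = "in the affected range; verify vendor backports" if vulnerable else "not in the affected range"
    print(f"{banner}: {verdict}")
```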

Please post your comments below ….


3 Comments

  • Joe H April 10, 2014 at 1:26 pm - Reply

    Thanks for putting this out. However, please realize that the link you provide for the tool that can supposedly tell you is not reliable. This exploit exists starting at version 1.0.1 of OpenSSL, the heartbeat function being introduced at 1.0. Prior versions (and many people are running prior versions) don’t have this issue. 0.9.8 is very popular and does not have this vulnerability. The link you provide does not seem able to discriminate the actual exploit.

    • Mike Foster April 10, 2014 at 1:41 pm - Reply

      Thank you Joe! It is good to know that LastPass might be overzealous with their tool. – I want the executives reading this blog to contact their own developers who will be performing the remediation anyway. If anyone else wants to know what versions are affected, as Joe already knows, and what operating systems are affected, etc. there is a good site heartbleed.com that has more details.

      Additionally, I want to encourage everyone to always update to the latest versions of their tools. Though using an “old version” of OpenSSL would not have been affected by this very serious problem, newer versions of tools often protect against a number of vulnerabilities as well. “To patch / upgrade or not to” is one of those decisions that Executives need to make (how much risk are you willing to accept vs. what is the benefit) and it needs to be an “informed decision.”

  • Bob Alfson April 10, 2014 at 1:46 pm - Reply

    Mike’s right. Those of us in the Internet Security business have been working on this all week as have all of the security administrators at all of our customer sites. Although most sites have been patched to prevent further attacks of this nature, the work has just begun. Everything has to be changed because the theft of information would have been accomplished LEAVING NO TRACE. There may have been nothing taken, but there’s simply no reason to assume that any password or private key wasn’t stolen.
