What it is and what it affects
Heartbleed (CVE-2014-0160) is a vulnerability in OpenSSL, the open source library that encrypts data in transit between two points across a network and that is estimated to sit behind up to two-thirds of the Internet's web servers. The flaw is in OpenSSL's implementation of the TLS heartbeat extension (versions 1.0.1 through 1.0.1f): the code trusts the payload length a peer declares in its heartbeat message and copies that many bytes out of memory without checking that the message actually contained them, so a specially crafted message makes the server return up to 64 KB of whatever happens to be adjacent in its memory, repeatably, from anywhere on the network, and without leaving a trace in normal server logs. When exploited, it gives up data that would otherwise be considered confidential, such as the server's private key, session cookies, usernames and passwords, and consequently any information reachable with those, such as PII, PHI, and credit card data.
Michael Mathews, Ph.D
What businesses should do
A new version of OpenSSL (1.0.1g) has been released to fix the vulnerability, but because the flaw lives in the software of the party running vulnerable OpenSSL, which for the services consumers use is the server, the fix must come from the server side and is not something consumers or end-users can do (client software that bundles a vulnerable OpenSSL needs updating too, but that does not protect the data a service holds about you). Each business offering services to its clients that make use of OpenSSL must remediate its servers/services to protect its consumers' data privacy and confidentiality. Major software vendors, including operating systems, appliance vendors, and common applications that bundle OpenSSL, are releasing updated versions. It is incumbent on businesses to be proactive by:
- Determining the scope of affected servers/services, using a tool like Qualys or engaging us to perform testing on the environment. A network scan only finds what it can reach, so also inventory software that bundles OpenSSL (appliances, VPN concentrators, mail servers, internal tools).
- Contacting the vendors of the affected applications to determine whether a new version is already available or, if not, when it will be.
- Deploying the updated version as soon as is feasible.
- Treating the private keys of patched servers as compromised: generate new keys, reissue certificates, revoke the old ones, and invalidate active sessions and cookies. Patching alone stops further leakage but does not help if the key was already read out.
- Communicating to consumers/clients/customers to let them know the issue has been addressed, including that they should change their passwords.
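The over-read described under "What it is" and the check a scanner performs in the first step above, shown together as an added example; this is not OpenSSL's code and not part of the original page. The heartbeat record layout follows RFC 6520 (1-byte type, 2-byte payload_length, payload, at least 16 bytes of padding). The "process memory" is a constructed array with a made-up secret placed right after the inbound record, so the leak is deterministic instead of depending on real heap layout; the handler and probe names are this example's own.

```c
/*
 * Heartbleed (CVE-2014-0160) simulation: the vulnerable heartbeat handler
 * beside the bounds check that fixed it, plus the probe a scanner sends.
 * Added example, not OpenSSL's own code.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define PROBE_LENGTH 0x4000               /* payload_length a scanner claims */
#define MEM_SIZE     (PROBE_LENGTH + 256)

typedef size_t (*hb_handler)(const uint8_t *rec, size_t rec_len, uint8_t *resp);

/* Constructed process memory: inbound record at the front, then a secret a
 * real server would hold nearby (session cookie, key bytes). */
static uint8_t memory[MEM_SIZE];
static uint8_t response[3 + PROBE_LENGTH + HB_PADDING];
static const char secret[] = "SESSION=deadbeef; user=alice; pw=hunter2";

/* Write a heartbeat request declaring `claimed` payload bytes but carrying
 * only `actual`. Returns the number of bytes really written. */
static size_t build_heartbeat(uint8_t *out, uint16_t claimed, size_t actual)
{
    out[0] = HB_REQUEST;
    out[1] = (uint8_t)(claimed >> 8);
    out[2] = (uint8_t)(claimed & 0xff);
    memset(out + 3, 'A', actual);
    memset(out + 3 + actual, 0, HB_PADDING);
    return 3 + actual + HB_PADDING;
}

/* Vulnerable handler (OpenSSL 1.0.1 to 1.0.1f): trusts the peer's
 * payload_length and copies that many bytes, reading past the record. */
static size_t handle_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *resp)
{
    (void)rec_len;                                   /* never consulted */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);              /* the over-read */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Fixed handler (1.0.1g): drop any record whose declared payload plus
 * padding does not fit inside the bytes actually received. */
static size_t handle_fixed(const uint8_t *rec, size_t rec_len, uint8_t *resp)
{
    if (rec_len < 3 + HB_PADDING) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (3 + (size_t)payload + HB_PADDING > rec_len) return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Binary-safe substring search. */
static int contains(const uint8_t *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Scanner probe: claim PROBE_LENGTH bytes, send 1. Returns response length. */
static size_t run_probe(hb_handler handler)
{
    memset(memory, 0, sizeof memory);
    size_t rec_len = build_heartbeat(memory, PROBE_LENGTH, 1);
    memcpy(memory + rec_len, secret, sizeof secret);
    return handler(memory, rec_len, response);
}

/* A patched server answers nothing; a vulnerable one echoes the claimed length. */
static int is_vulnerable(hb_handler handler)
{
    size_t n = run_probe(handler);
    return n > 0 && ((response[1] << 8) | response[2]) == PROBE_LENGTH;
}

/* Did the constructed secret come back in the response? */
static int leaks_secret(hb_handler handler)
{
    size_t n = run_probe(handler);
    return n > 0 && contains(response, n, secret);
}

/* The fix must still answer a well-formed heartbeat (claimed == actual). */
static int answers_legit_heartbeat(hb_handler handler)
{
    uint8_t buf[3 + 32 + HB_PADDING];
    size_t rec_len = build_heartbeat(buf, 32, 32);
    return handler(buf, rec_len, response) == rec_len;
}

int main(void)
{
    printf("vulnerable: %s, secret leaked: %s\n",
           is_vulnerable(handle_vulnerable) ? "yes" : "no",
           leaks_secret(handle_vulnerable) ? "yes" : "no");
    printf("fixed: %s, legit heartbeat answered: %s\n",
           is_vulnerable(handle_fixed) ? "yes" : "no",
           answers_legit_heartbeat(handle_fixed) ? "yes" : "no");
    return 0;
}
```

The probe is the same test a scanner runs against a live server: a heartbeat response to a request whose declared length exceeds what was sent is proof of vulnerability, and nothing in the server's logs records it. Because a real scanner sees only the hosts it can reach, it complements, rather than replaces, the software inventory in the first step.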
How to protect yourself personally
The nature of the vulnerability and OpenSSL's version history indicate that the flaw has been present for approximately two (2) years (since the release of OpenSSL 1.0.1 in March 2012). During that time, an attacker could have exploited a service that you use and compromised your username and password for that service, gathered PII about you for identity theft, harvested credit card or other financial information, and so on; because exploitation leaves no trace in normal server logs, a service generally cannot tell you whether this happened. Nothing can be done about data that may already have been harvested, but to prevent someone holding it from logging into your accounts and either getting more data or posing as you to engage in social engineering or for financial gain, it is prudent for consumers to take the following actions:
- Passwords for all websites used or accessed in the last two years should be on the list to be changed, but it is important to confirm that the server/service in question is no longer vulnerable to Heartbleed PRIOR to changing the password: a new password entered on a still-vulnerable server can be harvested exactly like the old one.
- Visit https://www.ssllabs.com/ssltest/ and test the URLs for the services/servers in question.
- Wait for the report. SSL Labs tests for Heartbleed explicitly and fails a vulnerable server regardless of its other settings, so as long as the report shows the server is not vulnerable to Heartbleed and it returns a grade of B or better, that server/service is OK for the next step (changing your password). Anything lower means the server/service needs remediation first; keep monitoring and change the password once it gets a passing grade. Also look at the certificate's "Valid from" date: a site that has patched but still presents a certificate issued before the fix may be using a key that was exposed, so its operator has not finished remediating.
- Log into that server/service and change your password.
- For any sites that support two-factor authentication, enable it. Two-factor authentication is becoming more mainstream as social engineering and phishing attacks become more frequent, and it limits what a harvested password alone can do.
One last item to consider: since a large-scale effort of changing many passwords is required at this point, it is worthwhile adding a password manager (such as 1Password) to your workflow. A password manager generates a unique, random, complex password for each and every site you use and fills them in on demand behind a single master password, so you need only remember one password and a breach at one site no longer exposes your accounts elsewhere.