As you may or may not have heard, a new security vulnerability, called Heartbleed, has been discovered that affects a large share of the internet's websites as well as private corporate systems and networks.

This note is intended to provide a high-level summary of the risk and what the impact may be to you or your company’s systems. For an in-depth technical summary, please contact our office.

First, there is no need to panic. The vulnerability is real, however, and now that it has been publicized the risk of attackers exploiting Heartbleed has increased.

What is the issue?

Many systems that provide secure (HTTPS/TLS) connections over the internet, including services run by Yahoo, Google and others, as well as corporate and private systems such as firewalls, VPN gateways and custom web services, use a software library called "OpenSSL" to set up the secure connection. A recently discovered bug in OpenSSL lets an attacker, without logging in and without leaving a trace in ordinary web-server logs, repeatedly read small chunks (up to 64 KB per request) of the server's memory. Those chunks can contain usernames, passwords, session cookies and even the server's private encryption key, any of which could compromise the system's security. The bug has existed for about two years (it affects OpenSSL versions 1.0.1 through 1.0.1f, the first of which was released in March 2012), but was only recently found by security researchers and announced on Monday, April 7, 2014. The flaw also works in the other direction: client software built on a vulnerable OpenSSL (some VPN clients, for example) can be made to leak its memory by connecting to a malicious server. Because the flaw is in OpenSSL's handling of the TLS "heartbeat" extension, and it causes data to leak ("bleed") from the system, the researchers named it "Heartbleed".
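For readers who want to see the mechanism, the following is an added example written for this note; it is not OpenSSL's code and it simplifies the real message format. It models the heartbeat handler in C: a fixed memory buffer holds the incoming request followed by a constructed secret (a stand-in for the keys and passwords a real server keeps next to its network buffers). The vulnerable handler trusts the payload length the peer claims and copies that many bytes back; the fixed handler applies the same bounds check OpenSSL 1.0.1g added, dropping any request whose claimed length does not fit in what was actually received.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Simplified model of a TLS heartbeat message (RFC 6520), written for this
 * example; it is not OpenSSL's code.
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (16 bytes)
 * The 16-bit length field is why a single request can leak up to 64 KB. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16

/* One contiguous block standing in for the server's memory. The received record
 * sits at the front; the bytes that happen to follow it (a constructed secret
 * here, private keys or session cookies on a real server) are what leak. */
#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];
static const char SECRET[] = "db_password=hunter2;session=abc123";

/* Write a heartbeat request into the arena. Four payload bytes ("ping") and
 * 16 bytes of padding are actually "sent", so the record is 23 bytes long,
 * but the length field is set to `claimed`. Returns the true record length. */
size_t build_record(size_t claimed) {
    const char payload[] = "ping";
    size_t sent = sizeof payload - 1;
    size_t rec_len = 1 + 2 + sent + HB_PADDING;

    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memcpy(arena + 3, payload, sent);                   /* padding stays zero */
    memcpy(arena + rec_len, SECRET, sizeof SECRET - 1); /* neighbouring memory */
    return rec_len;
}

/* Build the response: copies `payload_len` bytes starting at `pl` into `out`.
 * Returns the response length, or -1 if it would not fit in `out`. */
static int build_response(const unsigned char *pl, size_t payload_len,
                          unsigned char *out, size_t out_cap) {
    size_t need = 1 + 2 + payload_len + HB_PADDING;
    if (need > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload_len >> 8);
    out[2] = (unsigned char)(payload_len & 0xff);
    memcpy(out + 3, pl, payload_len);   /* reads payload_len bytes, however many arrived */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return (int)need;
}

/* Vulnerable handler, modelled on the logic in OpenSSL 1.0.1 through 1.0.1f:
 * the length comes straight from the peer's message and is never compared with
 * the number of bytes that actually arrived, so memcpy reads past the record. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    return build_response(rec + 3, payload_len, out, out_cap);
}

/* Fixed handler: the bounds check OpenSSL 1.0.1g added. A request whose claimed
 * payload does not fit inside the received record is silently discarded. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload_len + HB_PADDING > rec_len) return -1;   /* the Heartbleed check */
    return build_response(rec + 3, payload_len, out, out_cap);
}

/* 1 if the constructed secret appears anywhere in an n-byte response, else 0. */
int response_contains_secret(const unsigned char *out, int n) {
    size_t slen = sizeof SECRET - 1;
    if (n < 0) return 0;
    for (size_t i = 0; i + slen <= (size_t)n; i++)
        if (memcmp(out + i, SECRET, slen) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char out[ARENA_SIZE];
    size_t rec_len = build_record(64);   /* attacker: 4 bytes sent, 64 claimed */

    int n = heartbeat_vulnerable(arena, rec_len, out, sizeof out);
    printf("vulnerable handler: %d-byte response, secret leaked: %s\n",
           n, response_contains_secret(out, n) ? "yes" : "no");

    n = heartbeat_fixed(arena, rec_len, out, sizeof out);
    printf("fixed handler: %s\n", n < 0 ? "request dropped" : "response sent");
    return 0;
}
```

With the attacker's request the vulnerable handler answers with 83 bytes, 60 of which were never sent by the client and include the constructed secret; the fixed handler returns -1 and sends nothing. A well-formed request (build_record(4)) is accepted by both handlers and leaks nothing, which is why the fix was safe to deploy without breaking legitimate heartbeats.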

Has there been widespread data loss?

At this time, this appears to be a widespread vulnerability that has existed for two years, but no reports of widespread data loss have been published. That does not mean no data loss has occurred: exploiting the bug leaves no trace in ordinary server logs, so a site generally cannot tell whether it was attacked. Now that the vulnerability has been announced publicly, it is likely that the volume of hacking attempts will increase quickly.

Has the vulnerability been fixed?

Yes and no. The publishers of OpenSSL have released a new version (1.0.1g, on April 7, 2014) that fixes the vulnerability. Manufacturers and software vendors now need to take that version and provide updates for their products. Once those updates are available they must be applied to the systems in place at companies and hosting providers.

What do I need to worry about?

As a business leader, you need to find out which of your systems are vulnerable and apply the updates as soon as they are available. Patching alone does not finish the job: because an attacker who exploited the bug may have read the server's private key out of memory, any system that was vulnerable should also have its SSL certificate re-issued with a new key (and the old certificate revoked), and existing user sessions should be expired so that stolen session cookies stop working. If you have systems collocated or hosted at external providers, verify that the providers are doing the same and will confirm to you that you are no longer affected.

For our READY-IT(™) clients, our Engineering & Support teams have been reviewing the status of your firewalls, intrusion prevention systems and VPN settings to determine which devices need a firmware update. Rest assured that our teams will take care of scheduling and implementing the updates as soon as the manufacturers make them available. For many clients, no update is necessary.

As an individual, you need to learn which of the systems you use are or were vulnerable, and change your password on any system that has been fixed. Many providers are automatically logging you out of your account and then instructing you to change your password. Changing your password is a must, but only after the website's provider has patched its servers to remove the Heartbleed vulnerability: a new password entered on a still-vulnerable server can be leaked just like the old one.

Fortunately, several websites such as mashable.com have put together lists of popular sites showing whether each was affected by the Heartbleed vulnerability and whether it has been patched. See mashable.com/2014/04/09/heartbleed-bug-websites-affected/ for more information.

You can also check a single website's vulnerability status yourself by going to lastpass.com/heartbleed/.

IMPORTANT: If you get an e-mail from a provider instructing you to change your password because of this issue, we strongly recommend that you do not click the link in the message. Instead, type the website's address (URL) into your browser yourself, log in, go to your account settings and change your password there. We advise against clicking the link because phishing e-mails are already circulating that imitate messages from legitimate sites in order to capture your log-in credentials. For more information about phishing scams, see this prior post.

Closing Remarks

We hope you find this high-level summary useful. Although this is a significant vulnerability, a well thought out, reasonable but diligent response plan is all that is necessary. If you would like assistance in assessing your firm’s vulnerability or mitigating the threat, please call us at 610-276-5500 or send an email to support@interphasesystems.com.