Heartbleed is a software vulnerability that has taken the Internet by storm over the last week, since it was discovered on 7th April 2014 by a Google engineer and the software security firm Codenomicon. Two-thirds of the Internet’s servers, and most of its users, are reportedly at risk. In this article we explain what Heartbleed is, and how to protect your business and your customers.
Why Is OpenSSL Important?
OpenSSL is an open source encryption library, used by most websites to secure content and user information, including usernames, passwords, email addresses and financial details.
What Is Heartbleed?
Heartbleed is a flaw in OpenSSL which can have catastrophic security consequences if it is not dealt with professionally. That said, some organisations and users might have had their passwords stolen already. Because the information has been exposed, cyber criminals could obtain users’ passwords, use them to impersonate those users on websites and get hold of further confidential information. The flaw has been exploitable since 2012, although it only became public knowledge in recent days. It is currently not known whether cyber criminals have actually exploited it, and so far there is little evidence that they have.
Has the Exploit Been Fixed?
OpenSSL released a fix for the vulnerability on Monday 7th April 2014, although businesses and users still need to patch their servers and re-key their certificates.
What Has Cyber-Duck Done?
Cyber-Duck takes Internet security very seriously and immediately (on Tuesday morning, 8th April 2014) installed patches to secure relevant servers and client websites that may have been at risk of being exposed. We are continuing to re-key client SSL certificates and monitor the situation. Besides this, our clients and their customers also need to change their passwords (read below).
Here are our top 4 tips so you can protect yourself and your business:
1. LEARN WHO HAS BEEN AFFECTED
Many popular websites and services have been affected by the Heartbleed issue, including: Google Gmail, Instagram, Tumblr, Yahoo, Pinterest and Amazon Web Services. Mashable produced a list of some of the major websites and services affected by Heartbleed and the current status of their vulnerability.
Many of the major websites have taken active steps to release security patches. There are online tools that help you discover whether a website is affected by Heartbleed: simply enter its address to find out whether it is still vulnerable. You will need to check each website and web service your firm uses to ensure it has applied a patch BEFORE you change your password.
Note that Cyber-Duck has changed all of its respective passwords with Amazon Web Services, Github and Google Gmail. Cyber-Duck is advising its clients that use Gmail and Google Apps to change their passwords on all email accounts as a precaution (even though Google is not specifically asking users to do so).
2. CHANGE YOUR WEBSITE ADMIN (CMS/CRM PASSWORDS)
To help you protect your company’s data and website systems, we strongly recommend that you reset your admin content management system passwords. Note that Outlook/Microsoft clients are not affected.
If a service you use has not yet patched OpenSSL and re-keyed the SSL certificate on its website (in Cyber-Duck’s case this does not apply, as we are doing this for our clients), it is best to postpone changing your passwords (and telling your customers to update theirs), as you may be exposing the new password to a third party. Instead, continue to check daily until the service has been patched and its security certificate re-keyed.
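The two checks behind tips 1 and 2, as an added Python example (not Cyber-Duck’s code or part of the original article): whether a server’s `openssl version` string falls in the upstream-vulnerable range, and whether a site’s certificate was issued after the 7th April 2014 disclosure, the visible sign that it has been re-keyed. The function names, the `DISCLOSURE` constant and the sample certificate dictionaries are assumptions constructed for this illustration.

```python
import re
import socket
import ssl
from datetime import datetime, timezone

# Public disclosure date of Heartbleed and release of the fixed OpenSSL 1.0.1g.
DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Upstream OpenSSL releases carrying the bug: 1.0.1 up to and including 1.0.1f
# (1.0.2-beta1 was also affected but is not covered here). Caveat: Linux distributions
# often backport the fix without changing the version string, so a "1.0.1e" build may
# already be safe; confirm via the package changelog or `openssl version -a`.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def openssl_version_vulnerable(version_line):
    """True if the output of `openssl version` names an upstream-vulnerable release."""
    m = _VERSION_RE.search(version_line)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % version_line)
    release = tuple(int(x) for x in m.group(1, 2, 3))
    if release != (1, 0, 1):
        return False           # 0.9.8 and 1.0.0 never shipped the heartbeat bug
    return m.group(4) <= "f"   # "", "a" .. "f" are vulnerable; "g" and later are fixed

def cert_rekeyed_since(cert, cutoff=DISCLOSURE):
    """True if a certificate (dict as returned by SSLSocket.getpeercert()) was issued
    on or after `cutoff`. A notBefore earlier than the disclosure means the site may
    still use a private key exposed by Heartbleed, so wait before changing passwords."""
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]),
                                    tz=timezone.utc)
    return issued >= cutoff

def fetch_peer_cert(host, port=443, timeout=5):
    """Retrieve a live host's certificate for cert_rekeyed_since (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates in getpeercert() format (not real certificates):
# one issued before the disclosure, one re-keyed two days after the fix shipped.
OLD_CERT = {"subject": ((("commonName", "www.example.com"),),),
            "notBefore": "Mar  3 00:00:00 2014 GMT", "notAfter": "Mar  3 00:00:00 2015 GMT"}
NEW_CERT = {"subject": ((("commonName", "www.example.com"),),),
            "notBefore": "Apr  9 10:30:00 2014 GMT", "notAfter": "Apr  9 10:30:00 2015 GMT"}

if __name__ == "__main__":
    print("1.0.1e vulnerable upstream:", openssl_version_vulnerable("OpenSSL 1.0.1e 11 Feb 2013"))
    print("re-keyed? old:", cert_rekeyed_since(OLD_CERT), "new:", cert_rekeyed_since(NEW_CERT))
```

A post-disclosure issue date is necessary but not sufficient: an operator can reissue a certificate with the same private key, so confirm with the provider’s own statement that it patched first and then generated a new key.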
3. ASK YOUR USERS TO CHANGE THEIR PASSWORDS
Once you are confident the SSL certificate has been re-keyed, or if the website has been compromised, we recommend that you ask your users to change their account passwords as an extra precaution.
We believe it is still advisable to tell your users to change their passwords even if your website has not been compromised, because users often re-use the same password across websites: their password for your website may well be the same as on a vulnerable one. It is also advisable to tell your customers to clear their browser cache and cookies from their web browser’s settings.
Feel free to edit the message below and send this email to your customers:
Note that this week a new Internet vulnerability called Heartbleed emerged which is affecting many web services that use OpenSSL technology, including Amazon Web Services and Google Gmail. We haven’t found any issues on our website, but as passwords are sometimes re-used across multiple websites, we recommend that you change your password on our website, www.clientwebsiteaddress.com.
4. STORE YOUR PASSWORDS IN A SECURE PLACE
We also recommend using a password manager tool to store passwords safely and locally. Here at Cyber-Duck we use Secret Server, which allows administrators to create their own passwords, analyse password strength or generate secure randomised passwords.
Should you have any concerns with regard to Internet security, or if you are interested in having security hardening tests performed on your website to assess its level of risk from a number of threats, get in touch with us by completing our contact form.