The internet is broken. Yours and your customers’ personal data may be at risk. And you need to take action to fix it yourself.
A common technology for managing data encryption, called ‘OpenSSL’, has been leaking data that should have been protected; and the bug has only just been discovered by mainstream developers despite it being an issue since 2011. About a third of all websites which encrypt data use this technology.
Firstly, it is crucially important that you understand why the Heartbleed bug (as it has been nicknamed) is so different from other security issues. Under normal circumstances, a simple software update or ‘patch’ is enough to remedy a bug. However, as we explain below, the nature of SSL/TLS encryption means that this kind of bug is not so easily fixed.
What is SSL/TLS supposed to do?
You will know if you have ever been on a secure web connection using SSL/TLS because you will have seen the padlock symbol appear in your browser and the web address will have changed from beginning with ‘http’ to beginning with ‘https’. Without getting too technical, SSL/TLS encryption is a means by which any data (e.g. usernames, passwords, personal details, social updates, financial details, private documents etc.) can be protected.
That protection works by generating ‘keys’. Those keys are secret values which, combined with a cipher, encrypt and decrypt data. If anybody gets access to those keys, they can duplicate them and use them to access all of the data in the source website, including login details and other sensitive information.
What is Heartbleed?
The Heartbleed Bug was discovered on Monday earlier this week (7th April, 2014). The official name for the bug is CVE-2014-0160, where ‘CVE’ stands for Common Vulnerabilities and Exposures.
The problem dates back to code added to OpenSSL in 2011. The bug essentially means that the technology leaks what should have been protected data, including encryption keys. All a person needs to do to get access to that data is find the leak… and many people have, with surprising ease, since the bug’s initial discovery.
The official heartbleed.com website says the following:
“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
To reiterate… stolen data could include anything from business critical documents to personal details and even financial records.
But perhaps the most worrying thing about the Heartbleed bug is that there is no way to trace whether or not it has been exploited. If you have OpenSSL encryption on your website, data from your website could have been stolen (potentially many times over) and you will never know.
How to stop the leak
1. Go to filippo.io/Heartbleed/. Type in your full website address and hit the ‘Go’ button. In a couple of seconds the page will tell you whether you are affected or safe.
2. If you are affected, the first thing you need to do is update the old, buggy OpenSSL to a fixed version of OpenSSL and then renew your keys. Feel free to ask us for more information.
3. Once that has been done, you need to change all of your passwords for logging into the site. It is important that you update your OpenSSL keys and encryption first so people with the old keys will not be able to access your new password(s).
4. Now that your website’s admin logins are secure, tell all of your customers to update their passwords for accounts on the site.
5. If you collect, store or process any credit/debit card or PayPal details (or similar), you need to make your customers aware that those details may have been jeopardised. As such, you should ask them to consider updating their financial details just to be safe.
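As an added example (not part of the original post), the following Python script shows how a site owner could check steps 1 to 3 on their own server: whether the installed OpenSSL release is one that shipped the bug, and whether the site’s certificate was issued after the disclosure date (i.e. whether the keys have actually been renewed). The affected release numbers are not given in the post; they are the upstream OpenSSL figures, and the function names and sample inputs are constructed for this example.

```python
"""Heartbleed remediation check (constructed example, not the post's code)."""
import re
from datetime import datetime, timezone

# Disclosure date from the post (7 April 2014). A key generated before this
# date on a server that ran a vulnerable OpenSSL must be treated as exposed.
DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def openssl_is_vulnerable(version_line: str) -> bool:
    """True if an `openssl version` string names an upstream release that shipped the bug.

    Affected upstream releases: 1.0.1 through 1.0.1f and 1.0.2-beta1; fixed in
    1.0.1g and 1.0.2-beta2. Caveat: Linux distributions often backport the fix
    without changing the version number, so a True result here means "confirm
    with your vendor's advisory", not "certainly still exposed".
    """
    m = _VERSION_RE.search(version_line)
    if not m:
        raise ValueError(f"unrecognised version string: {version_line!r}")
    major, minor, patch, letter, beta = m.groups()
    base = (int(major), int(minor), int(patch))
    if base == (1, 0, 1):
        return letter < "g"      # plain 1.0.1 and 1.0.1a..f are vulnerable
    if base == (1, 0, 2):
        return beta == "1"       # only 1.0.2-beta1 carried the bug
    return False                 # 0.9.8 and 1.0.0 never had the heartbeat code


def cert_issued_after_fix(not_before: str) -> bool:
    """True if a certificate's notBefore (OpenSSL text form, e.g.
    'Apr  9 10:21:00 2014 GMT') postdates disclosure, i.e. the key was renewed."""
    issued = datetime.strptime(not_before, "%b %d %H:%M:%S %Y %Z")
    return issued.replace(tzinfo=timezone.utc) > DISCLOSURE


def remediation_status(version_line: str, not_before: str) -> str:
    """Map the two checks onto the post's steps: patch first, then re-key,
    and only then rotate passwords (steps 3 to 5)."""
    if openssl_is_vulnerable(version_line):
        return "patch"
    if not cert_issued_after_fix(not_before):
        return "rekey"
    return "rotate-passwords"
```

The version string comes from running `openssl version` on the server, and the certificate date from `openssl x509 -noout -startdate -in <certificate file>`.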
Finally, you need to consider whether any of your own data may have been jeopardised on websites you use! Yahoo, Google, OKCupid, Netflix, Avast, GitHub, FitBit and a range of other major websites (including many hosting and IT security companies!) have been affected. Any data you have stored on those websites was vulnerable and you should update your passwords and other details, just in case.
The onus is solely on you to take the necessary action. The Data Protection Act states quite clearly that you must do everything within your power to protect sensitive data. Now that you know about the bug, you need to fix it sharpish.