By Stephan Jukic
The Heartbleed vulnerability was recently exposed to public knowledge in the media and has received an enormous amount of attention from all over the news and media as a result. Given all the varying headlines, you might understandably be worried and puzzled as to just what the heck Heartbleed is and how you can protect yourself and your business from its dangers.
Well, look no further. In this post we’re going to cover exactly what Heartbleed is, what it means for you and your business, and how you can protect yourself in just a few easy to follow steps.
What is Heartbleed?
In essence, the Heartbleed bug, also more technically known as the CVE-2014-0160 vulnerability, is an encryption security weakness in the OpenSSL protocol for encrypting and protecting the privacy of data sent between different servers and computers on the internet. OpenSSL (Secure Sockets Layer) is used in roughly 17% of the world’s websites as a sheath of protective cryptographic protection that goes over the information these sites transmit to their users from their own servers.
Basically, when you visit your email, online banking or social media accounts, there is a very good chance that all of your passwords, private data traffic and other sensitive information on these sites are protected by OpenSSL.
The Heartbleed vulnerability fits into the picture in a particularly insidious way. It first showed up in December of 2011 and kept appearing from then on in successive updates to OpenSSL that ranged from version 1.01 to 1.01f. The latest of these was implemented by most OpenSSL protected sites in January of 2013.
What this means is that during all this time since the appearance of Heartbleed, the sites which were following GOOD digital security practices and regularly updating their communications encryption, were those which were making themselves most vulnerable to data theft!
In simplest terms, what Heartbleed does is expose the encrypted data sent through affected versions of SSL to easy theft by third parties (read: hackers, governments) using simple software exploit code.
To name just one recent example: an exploit that was revealed at around the same time as Heartbleed became public knowledge allowed hackers to force a website server into pumping out the latest information packets that it had sent via OpenSSL. A hacker using this exploit could then repeat the dumping instructions thousands of times over and thus collect all sorts of server data that includes passwords and other sensitive information from a single website server that might be serving numerous users.
What does Heartbleed mean for you and your business?
You have to understand that Heartbleed is just a vulnerability in the OpenSSL protocol that protects many millions of websites and hundreds of millions of their site users from data exfiltration; it’s not a hack attack by itself.
This means that you’re only in danger if:
- The sites you interact with are actually using the vulnerable versions of OpenSSL (there are other encryption protocols and many sites use these instead).
- Someone actually makes you a target of their attempts at stealing data through the Heartbleed weakness.
However, even with these conditions, you as a business owner are still left pretty open to worries about data breaches and the possibility of someone gaining access to your websites, client accounts and online banking information.
Luckily, you can protect yourself from Heartbleed quite easily through a process of several simple steps you can take right now.
How to Protect your Business from Heartbleed (and other vulnerabilities)
For starters and to cover all the major websites your business might be using for email, social media, online banking, ecommerce portals etc., take a look through this extremely handy chart that lists some of the biggest websites in the world and explains if they’ve been affected by Heartbleed or not, what they’ve done to fix the problem and what you should do to protect yourself in each case.
Of course, your business is also probably using many other websites that are too small or obscure to fit in the above chart, but because you’re sending important information over these sites too, you need to know if they’re also safe.
That is where this very useful tool comes into the picture. It’s a link to a Heartbleed vulnerability checker that lets you find out if any website you’re storing information with is weak because of Heartbleed. Simply type in a site URL and find out in seconds.
In case you want extra verification of your favorite websites’ weaknesses or strengths, you can also try out these other tools that do the same thing as the above Heartbleed checker:
- http://heartbleed.criticalwatch.com/
- https://lastpass.com/heartbleed/
If it turns out that any sites you’re regularly using are weak to Heartbleed, then you can do several things to lock up your information against a possible breach.
First of all, you need to immediately change all your passwords for those sites and keep changing them on a regular basis until the sites stop using a vulnerable version of OpenSSL.
In many cases, you can also take advantage of a password protection service such as LastPass to manage password protection for your list of most frequently used sites. Since LastPass uses their own constantly shifting proprietary password generation protocol over top of a client websites own pass management system, they will make your login information highly resistant to Heartbleed related intrusion.
Secondly, you can take advantage of two factor authentication (TFA) wherever it’s available for the hosting, banking, social media and email services your business is relying on. Most email providers such as Gmail, hosting providers such as Godaddy and Dreamhost and social media services such as Facebook, LinkedIn and Twitter all offer TFA options for their business and private users.
Because two factor authentication relies on out of band security through an independent channel for verifying your ID, it will make access to your private information immune to a Heartbleed derived hacking attempt.
In fact, two factor authentication is so powerful at protecting you from Heartbleed and almost any other information leak related security vulnerability that you should use it as an integral part of any online business assets (servers, websites, members only databases) that you own.
For this, digital security companies such as Authentify are available with their customizable two factor authentication services.
Again, because TFA makes access to sensitive information dependent on verification through a constantly changing one time pass key that’s sent specifically to your mobile device in most cases, having your passwords stolen by hackers will not lead to your site being compromised. This is the best kind of extra security your business can have against data intrusions.
Taking these steps will help you protect your business from Heartbleed and other security vulnerabilities, so don’t wait to get started.