Heartbleed is a major security hole affecting Internet web sites. Whenever you access a web site to log in or type credit card information, the site “encrypts” your data so it is secure as you type it. You may notice the difference between “http” and “https” in the web site address in your browser. The “https” means the web site is encrypting the connection between you and the site, so the information you type can only be read at the two ends and not captured in transit. The same technology is also used in many VPN connections, so if you connect to a network remotely you might also be affected.
The Heartbleed security hole takes advantage of a flaw in OpenSSL, one of the common technologies behind those “https” pages. A hacker exploiting the flaw could gather the decryption keys used to decode the data sent back and forth between you and the web site. That means your confidential information and passwords!
The really bad thing about Heartbleed is that your information could already have been compromised before the web site was patched and the hole was fixed. Changing your password on an unfixed site doesn’t help, because the hackers can simply obtain your newest password. The key to protecting yourself from Heartbleed is knowing when the site has been completely patched, and then changing your password immediately after that.
Popular sites such as yahoo.com, gmail.com, and even some big-name banks were affected by this hole. It wasn’t just obscure sites. In fact, as of the date of this article, gmail.com is still not completely fixed!
What can you do as an individual to protect your information? Use a testing tool on each web site you use that either has a login page or asks you to type confidential information such as credit card numbers. Copy the link of any secure web page (a login form, a cart checkout form, etc.) from your browser into the testing tool. Remove the “https”, the colon, and the two slashes from the address; for example, https://gmail.com simply becomes gmail.com. An accurate testing tool is here: http://possible.lv/tools/hb/. Simply type in the web address and let it do its thing. If there is any red in the results, the site is still not completely patched and you should contact them and ask when it will be. If everything is green, the site is patched now, but that won’t tell you whether it was compromised previously. This is when you should change your password.
What about credit card numbers? Unfortunately, if those were compromised and stolen from an unpatched site at any point in the past, there’s not a lot you can do other than watch your statements for any unusual activity and report it to your credit card company. It would be a good idea to test sites for the next several months before you type credit card information into them, and don’t do it if they are not fully patched.
There is a lot of debate about how serious this flaw is and how much data was actually compromised. It has probably become more serious since its discovery, because more bad guys now know about it. If your company has any technology that is remotely accessible via the Internet, you should have it checked for this flaw and it should be patched immediately. NDYNAMICS can help with this; give us a call.
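A first, offline check an administrator can run on a server is to look at which OpenSSL build it ships. The script below is an added example, not NDYNAMICS code or part of the original article; it classifies an "openssl version" string against the affected range (1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g and 1.0.2-beta2 carry the fix, 0.9.8 and 1.0.0 never had the bug) and treats that as a screening step only, because Linux vendors backport the fix into builds that still report 1.0.1e.

```python
import re
import subprocess

# Matches "openssl version" output such as "OpenSSL 1.0.1e 11 Feb 2013",
# "OpenSSL 1.0.1e-fips ..." or "OpenSSL 1.0.2-beta1 ...".
_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?", re.IGNORECASE
)


def parse_openssl_version(text):
    """Return (major, minor, patch, letter, prerelease), or None if the text
    is not an OpenSSL version string (e.g. LibreSSL)."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letter, pre = m.groups()
    return int(major), int(minor), int(patch), letter.lower(), (pre or "").lower()


def upstream_version_vulnerable(text):
    """True when the *upstream* version number falls in the Heartbleed range.
    A True result is a screening hit, not proof: distributions such as Debian
    and Red Hat backported the fix while keeping the 1.0.1e version number,
    so confirm with the package changelog or a live test before acting."""
    v = parse_openssl_version(text)
    if v is None:
        raise ValueError("unrecognised OpenSSL version string: %r" % text)
    major, minor, patch, letter, pre = v
    if (major, minor, patch) == (1, 0, 1):
        # plain "1.0.1" (empty letter) and 1.0.1a..1.0.1f are affected; 1.0.1g fixed it
        return letter < "g"
    if (major, minor, patch) == (1, 0, 2):
        return pre == "beta1"  # 1.0.2-beta2 and later carry the fix
    return False


def check_local_openssl():
    """Run the local 'openssl version' command. Returns (version_text, flagged)
    or None when the command is missing or reports a non-OpenSSL library."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout.strip()
        return out, upstream_version_vulnerable(out)
    except (OSError, subprocess.CalledProcessError, ValueError):
        return None


if __name__ == "__main__":
    result = check_local_openssl()
    if result is None:
        print("openssl not found or not recognised; check the package instead")
    else:
        version, flagged = result
        print(version, "->", "FLAGGED: verify backport status" if flagged else "not in affected range")
```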