A major global security flaw has been discovered in an encryption method used on about two-thirds of all websites, including Google, Amazon, Yahoo and Facebook, potentially exposing web traffic, user data and stored content to cyber criminals.
The “heartbleed bug” was found in the OpenSSL software by a team of security engineers last week, leaving technology companies scrambling to fix their systems before it was announced on Monday night.
There is so far no evidence that a hacker has exploited the flaw, which has made systems vulnerable for up to three years. Even so, it is paramount that we all take the necessary measures to ensure the safety of confidential information.
OpenSSL has released an update to repair the flaw and companies must update their software to be safe.
Google said it had fixed the flaw in key Google services and Facebook said it had added protections before the issue was publicly disclosed. Amazon Web Services, whose clients include sites from Netflix to Unilever, said it had applied “mitigations” so customers did not need to act. Yahoo said it had “made the appropriate corrections” to its main properties and was working to fix its other sites.
But even those who fix the software cannot necessarily see if a hacker has already used the vulnerability to access their systems. Netcraft, which monitors what code is used in each site, said more than half a million trusted websites were vulnerable to the bug. Wondering if your favorite sites are vulnerable? Filippo Valsorda, a consultant who specializes in cryptography and security, has created a Heartbleed test tool that you can use to check your favorite websites.
Matthew Prince, chief executive at Cloudflare, a company that provides a security barrier for about 5 per cent of web requests, said it had fixed its encryption after being alerted last week.
“This is very bad and it may be extremely bad,” he said. “This is one of the really bad internet bugs ever.”
Mr Prince warned that the flaw could affect “almost everyone” as the software is used by more than 60 per cent of all websites. He said the flaw could have allowed hackers to read everything in a computer’s memory.
As a consumer, what can I do?
Web server administrators are frantically patching their systems to protect against this vulnerability. Many are nonetheless advising that it is still very important that you change every username/password combination you use on the internet, to better protect yourself and your information from cybercriminals. Note that changing your password alone does not mean you are now safe: web server administrators must first fix the Heartbleed flaw on the server, otherwise a new password can be leaked just as the old one could have been.
Although it is unknown at the moment if information was actually taken as a result of this vulnerability, it is extremely important that consumers monitor their payment cards and report any suspicious activity to their banks immediately.
As a business owner, what can I do?
First and foremost, get in contact with your IT department and confirm either that your servers were never affected by Heartbleed or that they have been patched. Taking any other steps without stopping the bleed will do nothing to protect the confidential information your customers have entrusted to you.
Secondly, make your customers aware of the situation. If you maintain a username and password database of customers, require that they change passwords on their next login.
And finally, educate your employees and monitor business transactions so that out-of-the-ordinary transactions are not processed without further investigation. For example, if you usually do not receive orders over $2,000 and one comes in for $7,000, then you should contact the issuing bank of the card to ensure the funds are available and that the cardholder is the one making the transaction. If you are an e-commerce business and cannot view the back of the physical credit card, contact your merchant services provider and they will obtain the information for you.
Is there a bright side to all this?
For the service providers who are affected, this is a good opportunity to replace the secret keys in use with stronger ones. A lot of software is getting updates that otherwise would not have been urgent. Although this is painful for the security community, we can rest assured that the infrastructure of the cyber criminals, and their secrets, have been exposed as well.