How does the Heartbleed bug affect your business?
Friday, April 18, 2014
If you've followed the tech world in the last two weeks, chances are that you've heard of the Heartbleed bug. According to various sources since it was confirmed April 7, the bug is a massive threat that puts nearly every piece of personal information on the Web at risk for theft, an overblown hazard and something that will "slow the Internet to a crawl."
But what exactly is Heartbleed, how serious is the risk, and how will it affect your business?
In order to understand Heartbleed, it's necessary to comprehend OpenSSL, the open-source security library software used for encryption in an estimated two-thirds of the Web's servers. At its most basic level, the software keeps other users from viewing information such as passwords when being transmitted to your computer to the website's servers.
The Heartbleed bug aptly attacks the OpenSSL feature nicknamed "heartbeat." With that function, the server to which a user is transmitting data sends back the exact same data as a precaution before moving forward.
Under the Heartbleed bug, the hacker exploiting the flaw does not receive the same information back, but a 64 KB message in return that contains user data. Since the message typically returns usernames and passwords, changing passwords on commonly-accessed websites has been recommended.
But this is obviously not a permanent fix if the site has not been patched, as Google, Yahoo and Amazon have been. Various tools on the Internet have been released to check if your information is still at risk on the Web. If popular websites haven't yet patched the bug, it is likely they will do so soon.
Yet, dangers remain for other devices and servers.
"Network-connected devices often run a basic Web server to let an administrator access online control panels. In many cases, these servers are secured using OpenSSL and their software will need updating," Lieberman Security President Philip Lieberman told The Guardian.
Patches are trickling out for hardware, but at much less of a rate as the big websites. Once released, business and home users need to take every precaution to make sure any piece of network equipment that uses OpenSSL is safe. And the full list of devices at risk may not be known yet. Industry giant Cisco Systems has continued to update its list of vulnerable products, now at more than 80.
On April 16, it was confirmed to industry website Ars Technica that VPN networks using the popular OpenVPN app with OpenSSL are also vulnerable after a test server was successfully attacked. This means that a hacker could impersonate a VPN server and decrypt information being transferred. However, businesses can protect against this possibility by using TLS authentication.
For the mobile world, Android systems running 4.1.1, or Jelly Bean, are still at risk. While that's not the most recent Android OS, there are still an estimated 50 million smartphones worldwide. In the U.S., an estimated 19-25 percent of mobile Web traffic comes from devices using Android 4.1.1. But according to Marc Rogers from mobile security firm Lookout, there's not a reason to ditch that Android or get a new phone quite yet.
"Given that the server attack affects such a larger number of devices and is so much easier to carry out, we don't expect to see any attacks against devices until after the server attacks have been completely exhausted," Rogers wrote to Bloomberg.
For now, the worst of the Heartbleed bug appears to be limited to 900 stolen insurance numbers in Canada, a theft for which a 19-year-old in that country has been arrested.
While the danger has not quite completely passed, updating to the most recent OpenSSL version, using new encryption keys and having any external users update their passwords can put businesses in a better position to handle this most recent cybersecurity scare.
- Interior Design, Furnishings & Fixtures
- Business Management, Services & Risk Management
- Science & Technology
- Breaking down barriers to make career and technical pathways accessible for everyone
- 8 exercises for strengthening your business writing
- 10 negative employee behaviors that undermine success
- Millions of high school students set for success: Celebrating Career and Technical Education Month
- Selling your business? What tenants need to know about their lease
- Will kids affected by the digital divide be ready for next school year?
- How can educators promote self-direction, independence during remote learning?
- Back to the future with Ford bioplastics
- How COVID-19 might affect the commercial real estate market
- Associations: An indispensable partner to members
- Webinar for new dentists examines what makes humans happy
- Infographic: A look back at the evolution of data and cyber protection
- How much inequality is enough?
See your work in future editions
Your content, Your Expertise,
Your Industry Needs YOUR Expert Voice & We've got the platform you needFind Out How