On April 7th, a new bug was discovered on the internet that’s putting millions of users’ personal data at risk. Given the name “Heartbleed bug,” it’s capable of allowing hackers to collect information while you believe you are securely browsing a SSL/TLS website. Since SSL/TLS is so widely used, it’s very probable that your personal data is at risk.
What the Heartbleed bug essentially does is render privacy in the OpenSSL cryptographic library obsolete. Two of the biggest and most publicized websites affected that utilize OpenSSL security are sites associated with Google and Yahoo. These sites are getting the most media attention in regards to Heartbleed, but the fallout actually goes beyond these two sites and touches on every single website that uses OpenSSL security–which equates to more than two-thirds of all websites in the world!
The Heartbleed bug only applies to version 1.0.1 and 1.0.2 of OpenSSL. This vulnerability allows hackers to obtain private keys needed to view, and even steal, private information associated with a user’s breached account. If your online accounts are affected and your identity is stolen, then you will be in for a world of heartache.
At this point, you and millions of users around the world are asking the big question, “How could something like this happen?” Apparently, the problem lies not in the SSL/TLS specifications, but rather, the vulnerability stems from an implementation problem. It turns out that a programming mistake is responsible for leaking information from services and applications using OpenSSL. Typically, a bug of this nature is detected and fixed as soon as it’s found (which is why it’s so important to update your software). However, this bug wasn’t taken care of, and to make matters worse, this particular bug has been exposing sensitive data to hackers going all the way back to December 2012.
How do you know if you’ve been hit by the Heartbleed bug? Unfortunately, you can’t know for sure. The bug leaves no trace of a hacker’s activity, which means that you won’t know that you’ve been hit until:
The number of websites affected is pretty large. To help you find out if a website that you frequently use is compromised by the Heartbleed bug, check out this list from GitHub.
You can also enter the websites that you frequent into this Heartbleed bug checker from LastPass. This tool will inform you if the website in question has applied a security patch or not.
If you have accessed an affected site over the past two years, you should change your password immediately. In fact, because of threats like the Heartbleed bug, it’s a best security practice to regularly switch out old passwords for new ones. We recommend doing this exercise once per quarter.
To find out for sure if your company has been breached by the Heartbleed bug, you can give Quikteks a call at (973) 882-4644. We can arm your business with our Unified Threat Management tool, which is the top enterprise network security solution on the market. Reach out to us today to find out more.