Heartbleed: The New Web Security Flaw

A major web security flaw, known as “Heartbleed,” was recently identified. It may affect up to two-thirds of the Internet’s web servers, exposing sensitive data to potential attackers. With news sources all abuzz with coverage of Heartbleed, Safety Net would like our clients to have a better understanding of this new bug.

Heartbleed (CVE-2014-0160) is the result of a coding error in OpenSSL, the most widely used software library for encrypting connections to web sites, email servers, and applications. The error is a missing length check in OpenSSL’s handling of the TLS “heartbeat” message: a client can claim that its heartbeat carried more data than it actually sent, and the server replies with that many bytes copied straight out of its own memory, up to 64 KB per request, with nothing recorded in its logs. Whatever happens to be in that memory is returned, which can include usernames, passwords, session cookies, and financial details being processed at the time, as well as the server’s private encryption key. With a stolen private key, an attacker can impersonate the server or decrypt communication with it. OpenSSL versions 1.0.1 through 1.0.1f are affected; version 1.0.1g fixes the bug, and operating-system vendors have shipped patched builds of the earlier versions.
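To show what “a missing length check” means in practice, here is an added example (not OpenSSL’s own code, and not part of the original bulletin) that models the bug pattern in C. The heartbeat layout (a 1-byte type, a 2-byte length, the payload, then 16 bytes of padding) follows the TLS heartbeat specification; the two handler functions, the constructed request, and the constructed “session cookie” sitting next to it in memory are hypothetical and exist only to illustrate the over-read and the fix. The vulnerable handler trusts the length field inside the message; the fixed handler applies the same bounds check the 1.0.1g patch introduced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a TLS heartbeat request as it sits in memory:
 * [type:1 byte][payload_length:2 bytes, big-endian][payload][padding:16 bytes]
 * The layout follows RFC 6520; the handlers below are a hypothetical
 * reconstruction of the bug pattern, not OpenSSL's source. */
#define HB_REQUEST      1
#define HB_HEADER_LEN   3
#define HB_PADDING_LEN  16

static uint16_t read_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable handler: trusts the length field inside the record and echoes
 * that many bytes, even when the record actually carried fewer. Whatever is
 * stored in memory after the record is copied into the reply. Returns the
 * number of payload bytes written to 'out' (0 = no reply). */
size_t heartbeat_vulnerable(const uint8_t *record, size_t record_len,
                            uint8_t *out, size_t out_cap)
{
    if (record_len < HB_HEADER_LEN || record[0] != HB_REQUEST) return 0;
    size_t payload_len = read_be16(record + 1);
    if (payload_len > out_cap) return 0;              /* only the reply buffer is checked */
    memcpy(out, record + HB_HEADER_LEN, payload_len); /* may read far past record_len */
    return payload_len;
}

/* Fixed handler: the claimed payload plus header and padding must fit inside
 * the bytes actually received; otherwise the record is silently discarded.
 * This is the bounds check the OpenSSL 1.0.1g patch added. */
size_t heartbeat_fixed(const uint8_t *record, size_t record_len,
                       uint8_t *out, size_t out_cap)
{
    if (record_len < HB_HEADER_LEN + HB_PADDING_LEN || record[0] != HB_REQUEST) return 0;
    size_t payload_len = read_be16(record + 1);
    if (HB_HEADER_LEN + payload_len + HB_PADDING_LEN > record_len) return 0;
    if (payload_len > out_cap) return 0;
    memcpy(out, record + HB_HEADER_LEN, payload_len);
    return payload_len;
}

/* Builds a request into 'buf' whose length field claims 'claimed_len' bytes
 * but which really carries 'payload'. Returns the bytes actually on the wire. */
static size_t build_request(uint8_t *buf, uint16_t claimed_len, const char *payload)
{
    size_t n = strlen(payload), off = 0;
    buf[off++] = HB_REQUEST;
    buf[off++] = (uint8_t)(claimed_len >> 8);
    buf[off++] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + off, payload, n);           off += n;
    memset(buf + off, 0xAA, HB_PADDING_LEN); off += HB_PADDING_LEN;
    return off;
}

/* Constructed scenario: the request lands in a buffer directly followed by a
 * secret the server also holds (a made-up session cookie). Returns 1 if the
 * handler's reply contains that secret, 0 otherwise. */
int demo_leaks_secret(int use_fixed)
{
    static const char SECRET[] = "session=ab12cd34ef56";
    uint8_t memory[256] = {0};
    uint8_t out[256];
    /* claims 64 payload bytes, really carries 4 ("ping") */
    size_t wire_len = build_request(memory, 64, "ping");
    memcpy(memory + wire_len, SECRET, sizeof SECRET);  /* neighbouring server data */

    size_t n = use_fixed ? heartbeat_fixed(memory, wire_len, out, sizeof out)
                         : heartbeat_vulnerable(memory, wire_len, out, sizeof out);
    if (n == 0) return 0;
    /* the secret starts 4 payload + 16 padding = 20 bytes into the echo */
    size_t at = strlen("ping") + HB_PADDING_LEN;
    return n >= at + strlen(SECRET) && memcmp(out + at, SECRET, strlen(SECRET)) == 0;
}

/* A well-formed request must still be echoed by both handlers. Returns 1 if
 * the reply is exactly the 4-byte payload that was sent. */
int demo_benign_echo(int use_fixed)
{
    uint8_t memory[64] = {0}, out[64];
    size_t wire_len = build_request(memory, 4, "ping");
    size_t n = use_fixed ? heartbeat_fixed(memory, wire_len, out, sizeof out)
                         : heartbeat_vulnerable(memory, wire_len, out, sizeof out);
    return n == 4 && memcmp(out, "ping", 4) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", demo_leaks_secret(0));
    printf("fixed handler leaks secret:      %d\n", demo_leaks_secret(1));
    printf("benign echo ok (vuln/fixed):     %d/%d\n", demo_benign_echo(0), demo_benign_echo(1));
    return 0;
}
```

The model keeps everything inside one local buffer so it runs safely; in a real server the bytes beyond the record come from whatever else the process has in memory, which is why the leak is both silent and unpredictable. Note that the vulnerable path never writes past its reply buffer; the damage is a read, which is why no crash or log entry gave it away.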

A security patch (OpenSSL 1.0.1g, along with vendor-supplied updates for earlier 1.0.1 releases) has been issued to address Heartbleed. However, experts say that before the patch, sensitive data on major web sites such as Yahoo, Dropbox, Etsy, Facebook, Google, Tumblr, and YouTube could have been exposed.

To mitigate the risk of further exposure, stay off the affected web sites until that provider has implemented the patch. At this point, many major web sites have done this and notified clients via their sites or through email. If your company uses third-party website services for business processes, such as e-commerce, request a patch status from them. A provider that has only updated OpenSSL, and not also reissued its certificate and invalidated existing sessions, is only partly done, since private keys and session cookies were among the data that could have leaked. Only once you’ve confirmed these services have been patched should you change your online passwords; a password changed on a still-vulnerable site can be captured just like the old one.

A serious bug, like Heartbleed, serves as an important reminder of the steps that can be taken to be more secure:

  • Don’t assume you’re not at risk – In this case, even OpenSSL, the most widely used Internet traffic encryption library, carried this flaw for about two years before it was found.
  • Clear your browsing history and cookies frequently, log out of web sites rather than leaving sessions open, and don’t opt for the “save my password” option in your browser.
  • On mobile devices, log out of all apps and log back in, which replaces the stored session tokens that identify you to the service.

Note: Safety Net is actively checking with all of our vendors and believes that the Windows-based systems we use are not affected. Microsoft’s own web server (IIS) and Windows itself use Microsoft’s SChannel library rather than OpenSSL, so those products are not affected by this vulnerability. Be aware, however, that third-party software installed on Windows (VPN clients, management consoles, appliances, and some server applications) can bundle its own copy of OpenSSL and must be checked separately. Please contact a member of our Support Team if you have additional questions regarding your business.