Heartbleed May Cause You Some Heartache

If you’re thinking “Heartbleed” sounds serious, you’re right. But it’s not a health condition. It’s a critical flaw in OpenSSL, a popular software program that’s used to secure websites and other services (like VPN and email). If your company relies on OpenSSL to encrypt data, take steps to fix the problem and limit the damage. Otherwise, your sensitive business documents and your customers’ personal information could be at risk.

About two-thirds of all web servers use OpenSSL, so it’s safe to say the small coding error recently discovered by researchers has big implications. The error, which has been in place for over two years, makes it possible for a hacker to grab information that’s supposed to be protected. Vulnerable web servers can be tricked into revealing random bits of data over and over, until the hacker gets something juicy, like the server’s encryption key.

Armed with the encryption key, a hacker can monitor all communication to and from a server — including usernames, passwords, and credit card information — or create a fake version of a trusted site that would fool browsers and users alike. Worse yet, the hacker leaves no trace, so it’s nearly impossible to know the extent of the damage caused by Heartbleed.

What can you do? Talk to your IT staff to find out if your websites, networks, or other applications use OpenSSL. Remember that even if your public website isn’t vulnerable, you might have other applications that are — like your email server. There are details about the problem and the solution at heartbleed.com.

If you have systems that are affected, here are some steps to discuss and implement with your IT team:

  1. Update to the newest version of OpenSSL and reboot servers.
  2. Generate new encryption keys according to your systems’ instructions.
  3. Get a new SSL Certificate from a trusted certificate authority to signal to web browsers that your site is safe and secure.
  4. Notify your employees and customers. Once your systems have been secured, tell your employees and customers to change their passwords for any system that was affected. If they use the same passwords on any other sites, they should change those, too.

If you have business partners or contractors that provide technical services or support, you also will want to confer with them to address any problems in their systems.

Whether or not your business uses OpenSSL, it’s likely you’ll have personal accounts that are affected by Heartbleed. Don’t log in to sites that are affected until you're sure the company has patched the problem. If a company isn’t forthcoming — confirming a fix or keeping you up-to-date about progress — contact customer service and ask. Once the company confirms that the site is secure, log in and change your password. Going forward, it’s a good idea to monitor your bank and credit card accounts for changes you don’t recognize — especially over the next few weeks.

Comments

Sites are being horribly forthcoming. Even sites that claim to be unaffected are using weasel words which give no confidence. The FTC should do what it can to get all sites to make unambiguous, easily findable public statements as to whether they are or aren't affected. People should not have to dig through websites, Facebook or call customer service in an effort to get a clear answer. See [URL removed] (unaffected) as an example of how it should be done.
