I usually do not re-post directly from the FTC, but given the timeliness of the subject, the wide impact of the problem and the technical nature of the issue, I thought it was warranted to re-post the FTC’s guidance on Heartbleed. Talk to your IT folks about this sooner rather than later:
By Nicole Vincent Fleming
April 11, 2014 – 4:23pm
If you’re thinking “Heartbleed” sounds serious, you’re right. But it’s not a health condition. It’s a critical flaw in OpenSSL, a popular software program that’s used to secure websites and other services (like VPN and email). If your company relies on OpenSSL to encrypt data, take steps to fix the problem and limit the damage. Otherwise, your sensitive business documents and your customers’ personal information could be at risk.
About two-thirds of all web servers use OpenSSL, so it’s safe to say the small coding error recently discovered by researchers has big implications. The error, which has been in place for over two years, makes it possible for a hacker to grab information that’s supposed to be protected. Vulnerable web servers can be tricked into revealing random bits of data over and over, until the hacker gets something juicy, like the server’s encryption key.
Armed with the encryption key, a hacker can monitor all communication to and from a server — including usernames, passwords, and credit card information — or create a fake version of a trusted site that would fool browsers and users, alike. Worse yet, the hacker leaves no trace, so it’s nearly impossible to know the extent of the damage caused by Heartbleed.
What can you do? Talk to your IT staff to find out if your websites, networks, or other applications use OpenSSL. Remember that even if your public website isn’t vulnerable, you might have other applications that are — like your email server. There are details about the problem and the solution at heartbleed.com.
If you have systems that are affected, here are some steps to discuss and implement with your IT team:
- Update to the newest version of OpenSSL and reboot servers.
- Generate new encryption keys according to your systems’ instructions.
- Get a new SSL Certificate from a trusted certificate authority to signal to web browsers that your site is safe and secure.
- Notify your employees and customers. Once your systems have been secured, tell your employees and customers to change their passwords for any system that was affected. If they use the same passwords on any other sites, they should change those, too.
If you have business partners or contractors that provide technical services or support, you also will want to confer with them to address any problems in their systems.
Whether or not your business uses OpenSSL, it’s likely you’ll have personal accounts that are affected by Heartbleed. Don’t log in to sites that are affected until you’re sure the company has patched the problem. If a company isn’t forthcoming — confirming a fix or keeping you up-to-date about progress — contact customer service and ask. Once the company confirms that the site is secure, log in and change your password. Going forward, it’s a good idea to monitor your bank and credit card accounts for changes you don’t recognize — especially over the next few weeks.