First Aid for the Heartbleed Bug

Despite Heartbleed's designation as one of the most serious computer security threats ever, experts say you shouldn't panic. Relief is just a few steps away.
Freelance Writer, Self-employed
April 11, 2014

As word spread about the Heartbleed security bug that allows hackers to steal usernames, passwords and other data from supposedly secure websites, Joe Silverman immediately started getting calls from worried customers. The owner of New York Computer Help, a New York City-based computer support and service business, has heard from numerous business owners worried their own data and that of their customers may have been hacked.

Silverman quickly offers advice and tries to alleviate their fears: The first step is to check for vulnerability—not all companies are at risk. Businesses need to determine whether they have secure servers, which typically have URLs beginning with “https://,” that may be running the OpenSSL software that has the bug. “It’s not like every website is affected,” Silverman notes. His company, for instance, has only one secure server, which he uses to provide a cloud computing service.

Fortunately for many users, most Web hosting companies either don’t run OpenSSL or have updated to versions of the software that don't include the bug. Still, a company with a Web-hosted secure server should check with the hosting firm to find out whether there is a vulnerability and whether it has been addressed.

If your business is operating a secure server in-house, you should have that server checked immediately for the bug. Because businesses may be less vigilant about applying updates, in-house servers may be more vulnerable. Whether an in-house server is running a vulnerable version of the software can be checked with an online diagnostic tool, such as this one from Qualys SSL Labs. A quick search of the Internet will turn up other similar tools.

“Basically, we tell them to check if they’re on the vulnerability list,” Silverman says. After checking his own cloud service server, he found it was secure.

Time for a Hardware Checkup

In addition to the secure server software bug, some hardware, such as routers, may also have the same vulnerability in embedded software. Businesses should check with the manufacturers of the routers, firewalls and other Internet networking devices they use. The information is or probably will soon be available on manufacturers’ websites. Cisco Systems, for instance, has posted a security update that includes a list of its products that have been found to contain the vulnerability.

Next, if the software has the bug, it can likely be repaired with a free update that brings the affected version of OpenSSL up to OpenSSL 1.0.1g, which fixes the vulnerability. Some users who can't apply the update may have to modify their software to prevent hackers from exploiting the bug, according to OpenSSL.org.
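The two steps above, checking an in-house server and deciding whether it needs the update, can be started from the command line before reaching for an online scanner. The following shell script is an added example, not code from the article or from any of the companies it quotes. It classifies an OpenSSL version string against the range the OpenSSL advisory for Heartbleed (CVE-2014-0160) lists as affected, 1.0.1 through 1.0.1f plus the 1.0.2-beta1 pre-release, with 1.0.1g as the fix; the article only names 1.0.1g, so that range goes slightly beyond the text. The function names, the handling of suffixed version strings such as "1.0.1e-fips", and the `--check` flag are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the article): classify an OpenSSL version string
# against the Heartbleed-affected range, then run that check against the
# locally installed "openssl" binary.
#
# Affected range per the OpenSSL advisory for CVE-2014-0160:
#   1.0.1 .. 1.0.1f and 1.0.2-beta1   (fixed in 1.0.1g and 1.0.2-beta2)
#   1.0.0 and 0.9.8 branches were never affected.
#
# Caveat for operators: several Linux distributions backported the fix into
# their existing 1.0.1e packages without changing the upstream version
# string, so "affected by version" means "confirm against your
# distribution's advisory or package changelog", not "confirmed exploitable".

# heartbleed_affected_version VERSION
# Returns 0 (true) if VERSION is in the affected range, 1 otherwise.
# Suffixed builds such as "1.0.1e-fips" are treated like their base version.
heartbleed_affected_version() {
    ver="$1"
    case "$ver" in
        1.0.1|1.0.1-*)        return 0 ;;   # the original 1.0.1 release
        1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;   # 1.0.1a .. 1.0.1f
        1.0.2-beta1)          return 0 ;;   # pre-release that shipped the bug
        *)                    return 1 ;;   # 1.0.1g+, 1.0.2-beta2+, 1.0.0x, 0.9.8x
    esac
}

# openssl_version_token BANNER
# Extracts the bare version token from "openssl version" output,
# e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e".
openssl_version_token() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# check_local_openssl
# Prints a verdict for the openssl binary on PATH.
# Returns 0 if it looks affected, 1 if it is outside the affected range,
# 2 if no binary was found.
check_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "no openssl binary on PATH"
        return 2
    fi
    banner=$(openssl version)
    ver=$(openssl_version_token "$banner")
    if heartbleed_affected_version "$ver"; then
        echo "AFFECTED BY VERSION: $banner"
        echo "  -> update to OpenSSL 1.0.1g or later, or confirm a distro backport"
        return 0
    fi
    echo "outside the affected range: $banner"
    return 1
}

# Run the local check only when invoked with "--check" (assumed flag), so
# the functions can also be sourced into another script.
if [ "${1:-}" = "--check" ]; then
    check_local_openssl
fi
```

Run it as `sh heartbleed_check.sh --check` on the server in question. A version-string check is only the first pass: it cannot see a distribution's backported fix, and it says nothing about appliances or other hosts where no shell is available. For a server you operate, `openssl s_client -connect yourhost:443 -tlsextdebug` will list the TLS extensions the server advertises; if no "heartbeat" extension appears, the bug cannot be reached, while its presence alone does not confirm vulnerability, because a patched 1.0.1g still advertises it. The OpenSSL advisory's alternative for anyone unable to update, the modification the article alludes to, is rebuilding OpenSSL with heartbeats compiled out; the online tools mentioned above then serve to confirm the result from the outside.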

In some cases, if the bug is embedded in hardware, the patch won't work. In that event, the devices themselves may have to be replaced, says Charles Tendell, CEO of Denver-based Azorian Cyber Security. “It depends on the hardware they’ve got,” Tendell says. Few hardware manufacturers have announced whether their products have the bug, but more are expected to do so, along with providing fixes for the problem.

Getting Customers Involved

If your company’s servers have the bug, then once it has been fixed you should notify any customers who've used your secure servers and ask them to change their passwords. While many businesses have been doing just that, it's important to remember that not every business needs to; only the small number of businesses that actually have the vulnerability should do this.

“Now is not the time to panic or initiate major overhauls in passwords,” says Robert Siciliano, a security expert with McAfee. “Consumers should change their passwords, and businesses should work with their Web hosts and make sure all systems are secure.”

After all software and devices have been checked, patches have been applied or devices have been replaced, and customers have been notified, what next? Many business owners will also be getting notices from companies they do business with, whether as consumers or businesses, that they need to change passwords.

And that probably won’t be the end. At the very least, more hardware manufacturers will be making announcements, addressing the bug, and more fixes will be coming out. “We’re going to be hearing a lot more about Heartbleed and this bug for quite some time,” Tendell says.

Even after the Heartbleed threat passes, eventually another similarly unprecedented security issue will surface, Siciliano predicts, due to the complexity of technology and the demands of cyber-security. “There’s no such thing as 100 percent security,” he says.

Despite Heartbleed's designation as one of the most serious computer security threats ever, Silverman still considers it readily manageable. In fact, he's not even changing all his passwords. “I am not caught up in this hype at all,” he says. “I’ve checked my servers, and for our customers, everything’s fine.”
