Month: April 2014

SECURITY WARNING: The OpenSSL ‰ÛÏHeartbleed Bug‰Û

If you‰Ûªve ever submitted any kind of private or sensitive information to a website‰ÛÓincluding usernames, passwords, credit card numbers, social security numbers, addresses, and phone numbers‰ÛÓthis security alert applies to you.

This week, security researchers discovered a serious vulnerability in the OpenSSL encryption software. Two-thirds of all websites use OpenSSL, as do many email, instant messaging, and virtual private network (VPN) services.

These services use OpenSSL to establish an encrypted connection between them and the user (or between two or more users) to prevent the data transferred between the two from being intercepted.

Usually, not all of the pages on a website that uses OpenSSL are encrypted. Just the pages that require a secure connection. Like those where the users input their usernames and passwords or submit their credit card information.

The Heartbleed Bug Explained

The vulnerability in question has been nicknamed the ‰ÛÏHeartbleed Bug,‰Û since it is located in the code for the ‰ÛÏheartbeat extension,‰Û a part of OpenSSL that controls how long a secure connection can remain open.

A hacker could use this vulnerability to gain access to OpenSSL‰Ûªs encryption keys. Which could then be used to intercept and decode all data sent to and from the service.åÊ As well as steal access to any existing info stored in the service‰Ûªs databases.

Therefore, not only could a hacker with the OpenSSL encryption keys of a website intercept any data (usernames, passwords, credit card info, etc.) you send to the site after it‰Ûªs been hacked. The data that you submitted to the site in the years before the infiltration occurred is also at risk.

The first version of OpenSSL to include the ‰ÛÏHeartbleed Bug‰Û was released in December 2011. In addition, exploits of this vulnerability don‰Ûªt leave any trace. So, it‰Ûªs impossible to tell if a hacker has ever used the vulnerability to intercept or steal data from a certain website.

How to Protect Yourself From the HeartBleed Bug

The ‰ÛÏHeartbleed Bug‰Û in no way affects any of IronOrbit‰Ûªs hosted solutions, our website, or any of the systems that we use to process and store your payment information.

In general, though, here is what you need to do in order to protect yourself from this vulnerability:

  • Make sure that a site is secure before you send any of your sensitive data to it. You can use this app to check if a site has a secure version of OpenSSL.
  • Make a list of all of the websites that you‰Ûªve ever sent sensitive data to. Change your passwords for these websites only after you‰Ûªve confirmed that they are running a secure version of OpenSSL. Or alternatively, that they never used the insecure version of OpenSSL.
  • Find out if your company‰Ûªs website used or is using OpenSSL versions 1.01 through 1.01f. If it is, update OpenSSL to version 1.01g immediately. Then, replace your encryption keys, and ask any users that your site has to reset their passwords.

To ask for assistance in responding to the ‰ÛÏHeartbleed Bug‰Û or for more information, IronOrbit users should contact IronOrbit 24x7x365 technical support at support@Ironorbit.com or (888) 753-5064.