If you've ever submitted any kind of private or sensitive information to a website (including usernames, passwords, credit card numbers, social security numbers, addresses, and phone numbers), this security alert applies to you.
This week, security researchers discovered a serious vulnerability in the OpenSSL encryption software. Two-thirds of all websites use OpenSSL, as do many email, instant messaging, and virtual private network (VPN) services.
These services use OpenSSL to establish an encrypted connection between them and the user (or between two or more users) to prevent the data transferred between the two from being intercepted.
Usually, not all of the pages on a website that uses OpenSSL are encrypted, just the pages that require a secure connection, such as those where users enter their usernames and passwords or submit their credit card information.
The Heartbleed Bug Explained
The vulnerability in question has been nicknamed the "Heartbleed Bug," since it is located in the code for the "heartbeat extension," a part of OpenSSL that controls how long a secure connection can remain open.
A hacker could use this vulnerability to gain access to OpenSSL's encryption keys, which could then be used to intercept and decode all data sent to and from the service, as well as to steal any existing info stored in the service's databases.
Therefore, a hacker with the OpenSSL encryption keys of a website could not only intercept any data (usernames, passwords, credit card info, etc.) you send to the site after it's been hacked; the data that you submitted to the site in the years before the infiltration occurred is also at risk.
The first version of OpenSSL to include the "Heartbleed Bug" was released in December 2011. In addition, exploits of this vulnerability don't leave any trace, so it's impossible to tell if a hacker has ever used the vulnerability to intercept or steal data from a certain website.
How to Protect Yourself From the Heartbleed Bug
The "Heartbleed Bug" in no way affects any of IronOrbit's hosted solutions, our website, or any of the systems that we use to process and store your payment information.
In general, though, here is what you need to do in order to protect yourself from this vulnerability:
- Make sure that a site is secure before you send any of your sensitive data to it. You can use this app to check if a site has a secure version of OpenSSL.
- Make a list of all of the websites that you've ever sent sensitive data to. Change your passwords for these websites only after you've confirmed that they are running a secure version of OpenSSL or, alternatively, that they never used the insecure version of OpenSSL.
- Find out if your company's website used or is using OpenSSL versions 1.0.1 through 1.0.1f. If it is, update OpenSSL to version 1.0.1g immediately. Then, replace your encryption keys, and ask any users that your site has to reset their passwords.
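For the last step, this added example (not part of the original alert and not IronOrbit's code) classifies an `openssl version` banner against the affected range named above. The function name, the labels it prints, and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare an OpenSSL version banner with the range this
# alert names (1.0.1 through 1.0.1f affected, 1.0.1g fixed).

# classify_openssl "<banner>" prints: affected | fixed | outside-range | unknown
classify_openssl() {
    # The second field of the banner is the version, e.g. "1.0.1e".
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }')
    ver=${ver%%-*}                      # drop suffixes such as "-fips"
    case "$ver" in
        "")                echo unknown ;;        # not an OpenSSL banner
        1.0.1|1.0.1[a-f])  echo affected ;;       # range named in the alert
        1.0.1[g-z])        echo fixed ;;          # 1.0.1g or a later letter
        1.0.1*)            echo unknown ;;        # unexpected 1.0.1 variant
        *)                 echo outside-range ;;  # not a 1.0.1 release
    esac
}

# Constructed sample banners, one per line.
while IFS= read -r banner; do
    printf '%-34s -> %s\n' "$banner" "$(classify_openssl "$banner")"
done <<'EOF'
OpenSSL 1.0.1 14 Mar 2012
OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL 1.0.1g 7 Apr 2014
OpenSSL 0.9.8y 5 Feb 2013
EOF

# Check the binary on this host, if one is installed.
if command -v openssl >/dev/null 2>&1; then
    local_banner=$(openssl version 2>/dev/null)
    printf 'local: %s -> %s\n' "$local_banner" "$(classify_openssl "$local_banner")"
fi
```

A banner in the affected range is a reason to check the package changelog rather than proof: the example assumes upstream version letters, and a distribution package can carry the fix without changing the letter. The binary on the PATH may also differ from the library the web server actually loads.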
To ask for assistance in responding to the "Heartbleed Bug" or for more information, IronOrbit users should contact IronOrbit 24x7x365 technical support at [email protected] or (888) 753-5064.