Wednesday, 23 April 2014

The Heartbleed computer bug: what you need to know



The Melissa virus. The Conficker worm. PoisonIvy. Fizzer.
The rogue's gallery of computer viruses, Trojan Horses, and vulnerabilities that lead to security warnings and public concern about the safety of their data is constantly growing. The latest perpetrator is the Heartbleed bug — a computer security vulnerability that came to public attention earlier this month.

Numerous companies now are both checking their own information technology systems to plug any such holes as well as reassuring customers they have nothing to fear. On its company blog last week, Pittsford print-related software and services firm Pharos Systems announced it had one customer using a custom version of a Pharos product that used software vulnerable to the Heartbleed bug.


"Pharos is working closely with this customer to resolve the limited risk situation," the company said, adding that it "is committed to the resolution of any security concerns of our customers and partners."
For the technically adept, Heartbleed takes advantage of a flaw in Secure Sockets Layer (or SSL) of open-source software OpenSSL.

For the rest of us, Heartbleed is a big deal and not something to ignore as it potentially makes users' passwords at risk.

"This was a very large-scale vulnerability," said Trevor Smith, executive vice president at Victor IT and computer security services firm Brite Computers.

So what exactly is Secure Sockets Layer and why should I care?
Think of computer communications — whether it's email or companies sending huge amounts of data — like a postcard, said Todd Colvin, director of data and systems security for Paychex Inc. "It travels from the sender to recipient, and anybody on the way could read the information on the back. That's an open communication.
The same is true for a good majority of the communications on the Internet. Any computer between point A and point B has an opportunity to review the messages. Where SSL comes in, it's a protocol to securely send information over." But if SSL is akin to a padlock on data being send over the Internet, Colvin said, "With Heartbleed vulnerability, people in between could potentially compromise the lock and the key used to encrypt the SSL message. If they intercept that, they can unlock it."

So is SSL itself bad? How does one even know if SSL is being used?
The vulnerability lies with one specific — though particularly popular — version of OpenSSL, said Colvin, who hastened to add that Paychex does not use the affected version of OpenSSL. "I don't want folks to look at OpenSSL and say it's not a good example of a product or solution."

One can tell if a particular service provider, such as your email provider, uses SSL just by looking at the URL of its website. If it says "https," that S "is the SSL underlying protocol to make sure sending-to-receiving computer, it's secure," Colvin said.

What should small businesses do?
Smith said businesses should immediately contact vendors — such as payroll services or customer relationship management services — and "find out what they're doing to shore up their applications and those services they provide to make sure they're not vulnerable.

Meanwhile, if a firm is internally managing its own IT infrastructure, it will need to identify and address whatever vulnerabilities it might have, Smith said. But if that work is outsourced and cloud bases, data protection is part of the contract with that provider.

So what should individuals do?
 "I'd go to the service providers you use to find out who's addressing this issue — how they're responding to it," Smith said. "The other thing to do is change passwords. It's a good idea to change your password anyway on a frequent basis."

Numerous workplaces have employees change passwords every 30 or 90 days. "You should do the same thing as your own personal goal," Smith said.

While changing personal passwords "is frustrating, it provides an additional layer of security," Paychex's Colvin said. "I recommend to folks they look at complexity and uniqueness. There are known lists of easily identifiable passwords an attacker can use. And if you discover a company you've done business with is vulnerable, you might want to change your password now and do it again in a week or so" when the vulnerability presumably has been boarded up.

0 comments:

Post a Comment