Heartbleed’s been garnering a lot of press in the past month, and with good reason: with over a half-million websites affected and tens of thousands of routers, storage servers, firewalls, video cameras, and more vulnerable to the bug, it’s one of the largest security flaws discovered in the history of the commercial Internet.
But what is Heartbleed and how can it affect your small-business?
In a short talk given to the Woodstock Chamber of Commerce SOHO Group, Mike addressed two key areas every small business should still be concerned with since the disclosure of Heartbleed:
- How the Heartbleed bug could affect your business website and its ability to interact securely with your customers and
- Three simple steps you can take to protect your Office and Staff from Heartbleed-related vulnerabilities
This article contains notes and links from the presentation given on May 7, 2014.
If you have any questions, please feel free to Contact Us!
Some Facts and Tech Stuff
Before getting into how to protect yourself from Heartbleed, it’s a good idea to know a little about how what it is and how it works with a few quick facts:
- Heartbleed is a software bug in the OpenSSL library. OpenSSL is an open source toolkit used to implement the encryption that helps secure websites by way of the SSL (Secure Sockets Layer) and TLS protocols (Transport Layer Security).
- At the time of Heartbleed’s disclosure (April 7th), approximately 17 percent (about half a million) of the Internet’s secure web servers certified by trusted authorities were believed to be vulnerable to the OpenSSL bug.
- Only OpenSSL was affected – and only certain versions of it. Specifically, versions 1.0.1 through 1.0.1f contained the bug. Versions 1.0.1g and later and 1.0.0 and earlier, were NOT affected.
- Likewise, other libraries used to implement SSL/TLS such as GnuTLS were not affected. Also none of Microsoft’s server products were affected by Heartbleed.
- Heartbleed is a play on the word “Heartbeat” because OpenSSL uses something called a Heartbeat Request message used to help keep a connection open – usually text – that is sent to a receiving computer (a webserver) and then that exact same string should be sent back to the sender. That message being sent has a length assigned to it by the sender – for example 400 characters – and the affected server then allocates memory for the return message – a memory buffer – that’s based on the length of the message being sent.
- However, the Heartbleed bug allows the sender to craft a message that claims to be a certain size, but the payload – the text – within the message is much smaller than the claimed size, so the server sends back whatever characters were in active memory to fill up the remaining buffer.
- Technically Heartbleed is known as a buffer over-read: meaning the server allows more data to be read than it should.
Small Business Website Concerns
One week after Heartbleed was made public, in a test of 9000 sites running WordPress, security firm WordFence announced that over 1% of those WordPress sites utilizing SSL Certificates – approximately 4100 – were still vulnerable to Heartbleed.
But it’s important to note that this number represents only a SMALL sampling of active sites! And it also only represents websites running WordPress — a single CMS. However, there are a wide variety of Content Management Systems out there used by Small and Big business alike as well as countless sites that have been customized from the ground up, so we should assume the number of sites still vulnerable to Heartbleed remains very high.
What does this mean to you the Small Business Owner?
- IF you’re vulnerable, attackers could potentially gain access to your site’s management tools and database.
- Attackers could intercept communications with users who securely submit forms to your site – including customer Credit Card information.
ESC! Technologies Group actively scans the sites of our clients who subscribe to our WordPress Maintenance Plans for vulnerabilities, and Heartbleed became one of those vulnerabilities we look for after it became public.
To ensure the integrity of your small business website, be sure to check with the developer of your site OR your hosting company to see if you’re vulnerable and what should be done about it.
In general, however, if your site utilizes the OpenSSL library, the process you’ll need to go through to ensure the security of your site is:
1) Patch your server if it’s using a vulnerable version of OpenSSL
2) Revoke and Reissue the SSL/TLS certificates for your site
User Level Concerns – 3 Simple Steps
As an end user concerned about the security of their accounts, it can be confusing to figure out what passwords should be changed and which password don’t need to be touched.
But as you make that determination, it’s important to note that Heartbleed attacks made against a server vulnerable to the bug can NOT be detected! So when you receive that email from a website or vendor alerting you to change your password even though the site has seen “no evidence that any user information or data has been compromised”, just know that they wouldn’t have seen any evidence!
Change your password!
Of the Top 100 sites (according to Alexa) tested in the week after Heartbleed was made public, 34 of them were listed as having had the vulnerability, but since patched. 40 were listed as not vulnerable, and the rest had yet to be determined.
Some of the vulnerable sites included:
Google, Yahoo!, Bing, Dropbox, Etsy, Facebook, Flickr, GoDaddy, Instagram, USPS, Vimeo, Yelp, and YouTube.
Not vulnerable included:
Amazon, Apple, Bank of America, Chase, Constant Contact, eBay, FedEx, HootSuite, LinkedIn, Microsoft, PayPal, Twitter, UPS, and … Target.
So what can you do to protect yourself?
It comes down to 3 simple steps:
If a site was affected and patched, change your password.
If a site uses SSL/TLS to encrypt your communications, but you’ve not heard one way or another if they’ve been affected OR if they patched the vulnerability, DON’T log on to their site!
This is especially important when visiting Small Business sites or sites you’ve previously not done business with.
Verify the site hasn’t been affected using one of the tools listed below or wait for the patch to be applied and then change your password.
Two tools ESC! Technologies Group recommends for storing your passwords, 1Password and LastPass, can now actively check your saved sites for vulnerabilities, so if you’ve not yet upgraded to the latest releases of these excellent tools, you should do so today.
This last step bears repeating: Don’t use the same password on more than one site!
If you used the same password across multiple sites, you’ll want to change passwords on both sites formerly vulnerable as well as those that weren’t.
Tools you can use to check if a website is vulnerable include:
LastPass Heartbleed Checker
Qualys SSL Labs has an SSL Server Test at
Check for Hardware Vulnerabilities Too!
The Heartbleed bug extends well beyond web servers because many embedded systems also utilize OpenSSL.
Some examples of hardware vulnerable to Heartbleed include: routers, security cameras, cloud storage devices, hardware firewalls, printers, and video conferencing systems.
Specific examples found to be vulnerable include:
- Apple’s newest AirPort Extreme and Time Capsule
- The Nest thermostat
- Western Digital My Cloud storage devices
- WatchGuard and FortiGate firewalls
- And HP printers
The good news is that many of those devices are behind home and business routers and firewalls, but even still, some that reach out to the Internet to allow remote access – like the HP printers and the My Cloud — will need to be patched as soon as an update is available.
Also good is that many devices utilizing OpenSSL use an older version of the toolkit that’s not vulnerable to the Heartbleed bug.
SO if you have Internet connected devices OR you use a router to connect your office to the Internet (you do), check with the manufacturers:
1) To Find Out if your device vulnerable
2) If a Patch – or a workaround — is available yet, and
3) Apply that patch as soon as possible.
Sources Used to Prepare the Presentation: