One year after the Heartbleed vulnerability appeared, exposing passwords and encryption keys online, Heartbleed has still not bled out. Yet, while there is still a threat of sensitive information being leaked, many people seem to have already forgotten about last year’s attack on the websites that they thought were secure.
To refresh your memory, Heartbleed is a vulnerability in OpenSSL, a program which is used to encrypt data in transit over the internet, allowing sensitive data to be transmitted securely. Heartbleed was named after the heartbeat function, which allows a server to send a signal at regular intervals to another server to verify that the other server is still online. The flaw allows the heartbeat to bleed additional information along with the signal, including credit card data, Social Security numbers, passwords and other sensitive information that is in the site’s memory, as well as encryption keys.
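The length check at the core of the flaw, shown as an added example that is not part of the original article and is not OpenSSL's code. It assumes the RFC 6520 heartbeat layout (1-byte type, 2-byte sender-supplied payload length, payload, at least 16 bytes of padding); the function names, buffer layout and fake secret are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: at least 16 padding bytes */

/* Build a heartbeat response for the rec_len bytes actually received at rec.
 * Returns the response length, or 0 when the request is silently discarded.
 * check_bounds = 0 reproduces the pre-fix logic, 1 applies the length check. */
size_t heartbeat_reply(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap, int check_bounds)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];   /* length the sender claims */
    /* The fix: the claimed payload plus padding must fit in what was received. */
    if (check_bounds && 1 + 2 + claimed + HB_PADDING > rec_len) return 0;
    if (1 + 2 + claimed + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    /* Without the check this copy runs past the record into adjacent memory.
     * The demo below keeps that read inside one larger buffer on purpose. */
    memcpy(out + 3, rec + 3, claimed);
    memset(out + 3 + claimed, 0, HB_PADDING);   /* real padding is random bytes */
    return 3 + claimed + HB_PADDING;
}

/* Constructed demo: a 20-byte request that claims a 40-byte payload, stored in
 * a buffer that also holds an unrelated (fake) secret directly after it. */
int reply_contains_secret(int check_bounds)
{
    static const char secret[] = "FAKE-PRIVATE-KEY";   /* constructed value */
    uint8_t arena[64] = {0}, out[128];
    arena[0] = HB_REQUEST; arena[1] = 0x00; arena[2] = 0x28;   /* claims 40 bytes */
    arena[3] = 'A';                                    /* real payload: 1 byte */
    memcpy(arena + 20, secret, sizeof secret - 1);     /* memory after the record */
    size_t n = heartbeat_reply(arena, 20, out, sizeof out, check_bounds);
    for (size_t i = 3; i + sizeof secret - 1 <= n; i++)
        if (memcmp(out + i, secret, sizeof secret - 1) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("unpatched logic leaks secret: %d\n", reply_contains_secret(0));
    printf("patched logic leaks secret:   %d\n", reply_contains_secret(1));
    return 0;
}
```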
Why are there still websites that are vulnerable to Heartbleed?
When the Heartbleed vulnerability was discovered, sites needed to be updated to the newest version of OpenSSL to correct the flaw. Many owners of sites using the old versions of OpenSSL rushed to patch the vulnerability, and users of these sites were instructed to change the passwords that had been exposed. However, Heartbleed also leaked the certificates and the encryption keys used to sign those certificates. The encryption keys enable attackers to decrypt past and future traffic to the website with the flaw. As reported by TechNewsWorld, larger organizations with many servers may not have had the time and capability to change all of the keys. If the key is not changed, the “attacker can use the key to spoof a site or perform a man-in-the-middle attack.” “As applications, virtual machines and servers are replaced, new keys will be created.” Until that time, Heartbleed will continue to bleed out slowly.
What can you do to protect your sensitive information?
- Use a different password for each site you access online. If your password is compromised on one site, it cannot be used to access another site.
- When you finish using a website, log out. Don’t just close the window.
- If you have the option to use “two factor authentication” on a site, use it. If your password is compromised, the attacker will not be able to gain access to your information without the second factor.
News about vulnerabilities that enable cyberattacks continues to alarm companies that rely on the Internet to conduct business. Keeping your data secure is a very real concern. Big Idea Technology takes this concern very seriously. We keep our clients’ software and hardware updated with the latest security patches and inform our clients about ways to protect their data. Call us to learn how we can protect your company’s data, and be sure to subscribe to our blog to stay informed about technical issues that may affect your company.