The “Heartbleed bug” (formally named CVE-2014-0160) is a critical security bug discovered in some versions of OpenSSL (a piece of software that provides encryption on a large number of websites throughout the world). This bug can be exploited by hackers to read chunks of memory from a protected server. The exposed memory could contain anything, including usernames, passwords, security keys, emails, or anything else on the server. When the bug is exploited to steal data, there is no trace or evidence left behind. The bug was discovered in April 2014 and a patch was immediately released, leading website providers to scramble to apply the patch. It is unknown who was aware of the bug before April 2014 or whether anyone actually used it to steal data.
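For anyone who runs their own servers, the first question is which OpenSSL build is installed. The following is an added example, not part of the original article: it classifies the banner printed by `openssl version` against the upstream releases affected by CVE-2014-0160 (1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release); the hostnames and banners are constructed sample data.

```python
import re

# Upstream OpenSSL releases affected by CVE-2014-0160: the 1.0.1 branch up to
# and including 1.0.1f (its betas included), plus the 1.0.2-beta1 pre-release.
# 1.0.1g and 1.0.2-beta2 shipped the fix; 0.9.8 and 1.0.0 never carried the
# TLS heartbeat code, and every later branch was released after the fix.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def heartbleed_status(version_output):
    """Classify an `openssl version` banner as 'vulnerable', 'patched' or
    'unaffected' from the upstream version number alone.
    Returns None when the banner cannot be parsed."""
    m = _VERSION_RE.search(version_output)
    if not m:
        return None
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if branch == (1, 0, 1):
        if beta is not None:
            return "vulnerable"          # 1.0.1-betaN predates the fix
        return "vulnerable" if letter <= "f" else "patched"
    if branch == (1, 0, 2):
        return "vulnerable" if beta == "1" else "patched"  # only beta1 affected
    return "unaffected"


def audit(hosts):
    """hosts: mapping of hostname -> `openssl version` output.
    Returns the hostnames that still need attention (patch, then re-key
    certificates and rotate any secrets the server held in memory)."""
    return [h for h, v in hosts.items() if heartbleed_status(v) == "vulnerable"]


# Constructed sample banners (not real hosts). Distributions such as Debian
# and Red Hat backport the fix while keeping the 1.0.1e version string, and a
# build compiled with -DOPENSSL_NO_HEARTBEATS is not exposed either, so a
# "vulnerable" verdict here means "confirm against the package changelog",
# not proven exposure.
SAMPLE_HOSTS = {
    "web1": "OpenSSL 1.0.1e 11 Feb 2013",
    "web2": "OpenSSL 1.0.1g 7 Apr 2014",
    "mail": "OpenSSL 1.0.0l 6 Jan 2014",
    "dev":  "OpenSSL 1.0.2-beta1 24 Feb 2014",
}

if __name__ == "__main__":
    for host in audit(SAMPLE_HOSTS):
        print(f"{host}: upstream version in the affected range")
```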
This article focuses on the impact of Heartbleed on Computer Courage customers and our general business and consumer advice related to Heartbleed. For more general reading on Heartbleed, see the links at the end of this article.
What Our Customers Should Know and Do
Computer Courage Managed Hosting & Support customers: Our secure web servers (used for our own site and our Managed Hosting customer sites) were not affected by the Heartbleed bug as we were never running the vulnerable versions of OpenSSL. There is no need to change your website passwords or be concerned about your website’s information being exposed.
Business IT customers: It is important to review the web-based vendors your company uses and to create a plan of action for each vendor. Some vendors such as Google and LastPass are not recommending any user action (no password resets), but others are recommending password changes, and sometimes even more involved work (such as AWS or BlueHost customers who may have to re-key their SSL certificates). We recommend that you contact us to set up a Heartbleed consultation, or follow the general advice listed in the next section.
Residential customers and general public: The full impact of Heartbleed is yet to be seen, but you can take some action now to protect yourself. The best action you can take is to review the list of websites you log into and determine whether the site was exposed to Heartbleed or not, and whether they have patched the bug if affected. Once you build your list, we recommend changing passwords for all sites that were affected and are now patched. If any sites you use are still affected, we recommend filing a complaint with the site vendor and then checking back every few days, not using the site in the meantime.
You can check to see if any given site is patched by using one of the Heartbleed checker tools at the bottom of this article.
It is harder to determine whether a now-secured website was ever affected by the bug. The safest course of action is to assume that any given site was affected and change your password, but you can also rely on the word of the vendor. You can visit the vendor site and search for Heartbleed, or Google the site’s name with the term Heartbleed. Finally, you can check the LastPass checker or the Mashable list (links at the end of this article).
Once you do decide to change some passwords, please consider implementing Two Factor Authentication, and consider using a secure password manager such as LastPass. Computer Courage is available to help set up either of these with you.
More Resources and Information on Heartbleed
- A website dedicated to Heartbleed with a great FAQ: http://heartbleed.com/
- An excellent Heartbleed checker from LastPass: https://lastpass.com/heartbleed/
- Another excellent Heartbleed checker: http://filippo.io/Heartbleed/
- A good summary of Heartbleed’s exposure on major websites: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
- A great article explaining how Heartbleed works in plain English (with pictures): http://www.vox.com/cards/heartbleed/how-does-the-heartbleed-attack-work#E5357695