In a jaw-dropping report on PCMagazine published less than a week ago, security analysts at Google and Codenomicon revealed that there is a major bug (aka the “Heartbleed” bug) in OpenSSL, which is a standard way web data is encrypted between users and servers.
After all the talk about Target and other data breaches, consumers may have become a little desensitized to data breaches, which is unfortunate because the implications of the Heartbleed bug could be much larger than the data breaches at Target and other major retailers.
We'll go into more detail below, but here are the three most important things you need to know about Heartbleed:
- The Heartbleed bug is a security flaw that could expose massive amounts of user info.
- There is a simple fix for OpenSSL: download the new version. Heartbleed.com has the details. IT companies need to do this ASAP.
- Some data may have already been exposed, so it's smart for you and your clients to choose new passwords for online accounts.
Scary Details in the Heartbleed Bug Show Across-the-Board Vulnerabilities
Is the Heartbleed bug a new data breach? Not exactly, but its impact could be much, much larger.
As we mentioned, the Heartbleed bug is actually a flaw in a common security protocol called OpenSSL. OpenSSL encrypts data that is sent online. When you log in to your bank or a Gmail account, OpenSSL makes sure that no one can read your data as it travels the Internet. But it's actually a secondary function of OpenSSL that causes the Heartbleed problem.
OpenSSL has a function that allows web host servers and users to send "heartbeats," or pings, back and forth to each other, sending little messages to see if the user / server is still there. These heartbeats are where things get interesting.
Security researchers found that hackers can actually mimic this heartbeat function. A hacker can send a signal that is disguised to look like a heartbeat sent from a server. The user's computer receives the signal and assumes it came from the server of a website it visited.
Unfortunately, these signals can act like a wolf in sheep's clothing. Hackers can send malicious signals, which cause the user’s computer to divulge the data that is stored in its RAM. You read that correctly. When hackers ping a user's computer, they will get a bunch of user data – some of it might be passwords, credit card information, and other highly sensitive information.
Even worse, hackers also get the cryptography keys that are used to lock data sent between users and the servers. Theoretically, this means that other private data sent between a user's computer and a server would no longer be private.
To put it bluntly, the Heartbleed vulnerability means that the old version of OpenSSL could have been hacked easily to get access to almost any data that a hacker wanted. Unbelievably, this flaw went undetected for two years.
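The flaw described above comes down to one missing comparison: the heartbeat handler copied as many bytes as the request's header claimed were sent, without checking that claim against the number of bytes that actually arrived. The following is an added example, not code from the original post or from OpenSSL, that models that handler in simplified form: the record layout, the padding length, the function names and the "leftover memory" contents are all constructed for illustration. It shows the unchecked handler beside the checked one, so a defender can see exactly what the fix changes.

```python
import struct
from typing import Optional

# Simplified model of a heartbeat record: 1-byte type, 2-byte big-endian
# payload length, payload bytes, then padding. The layout and padding size
# are assumptions of this model, not a faithful copy of the TLS wire format.
HEADER_LEN = 3
PADDING_LEN = 16


def build_heartbeat(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Build a heartbeat request. A well-formed request declares len(payload);
    declared_len lets a test construct a malformed one whose header claims more."""
    length = len(payload) if declared_len is None else declared_len
    return struct.pack("!BH", 1, length) + payload + b"\x00" * PADDING_LEN


def respond_unchecked(buffer: bytes, received_len: int) -> bytes:
    """Flawed handler: copies as many bytes as the header *claims* were sent,
    never comparing that against how many bytes actually arrived (received_len).
    If the claim exceeds the request, the copy runs past the request into
    whatever else happens to sit in the buffer."""
    _hb_type, declared_len = struct.unpack_from("!BH", buffer, 0)
    return bytes(buffer[HEADER_LEN:HEADER_LEN + declared_len])


def respond_checked(buffer: bytes, received_len: int) -> Optional[bytes]:
    """Hardened handler: the declared length must fit inside the bytes that
    actually arrived, otherwise the request is discarded with no reply."""
    if received_len < HEADER_LEN + PADDING_LEN:
        return None  # too short to hold even a header and padding
    _hb_type, declared_len = struct.unpack_from("!BH", buffer, 0)
    if HEADER_LEN + declared_len + PADDING_LEN > received_len:
        return None  # header claims more payload than was received
    return bytes(buffer[HEADER_LEN:HEADER_LEN + declared_len])


# Constructed sample: the receiving side's buffer holds the request followed
# by unrelated leftover data, standing in for other data left in memory.
LEFTOVER = b"[constructed adjacent memory] user=alice password=hunter2 cookie=ab12"
MALFORMED = build_heartbeat(b"hello", declared_len=128)  # claims 128 bytes, sends 5
HONEST = build_heartbeat(b"hello")                        # claims 5 bytes, sends 5
SAMPLE_MEMORY = MALFORMED + LEFTOVER


def demo() -> dict:
    """Run both handlers over the constructed buffer and report what each returns."""
    leaked = respond_unchecked(SAMPLE_MEMORY, len(MALFORMED))
    return {
        "unchecked_bytes_returned": len(leaked),
        "unchecked_leaks_secret": b"password=hunter2" in leaked,
        "checked_malformed": respond_checked(SAMPLE_MEMORY, len(MALFORMED)),
        "checked_honest": respond_checked(HONEST + LEFTOVER, len(HONEST)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Python is used here instead of C so the over-read is visible as a slice that reaches past the request; in the real handler the same missing check meant copying from memory the sender had no business reading. The detection and mitigation lesson is the same in either language: any length field that comes from the network must be validated against the bytes actually received before it is used to size a copy.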
What Should You Do about the Heartbleed Bug?
The first thing you need to do is to change your passwords. Mashable posts this helpful infographic that shows how many of the major websites were affected. If you have accounts at Google, Facebook, Yahoo, Tumblr, Intuit, GoDaddy, and other websites, you should change your passwords immediately.
Chances are your clients and their employees have an account at one or more of these places. As an IT consultant, you should immediately inform your clients about this issue and get them to use new passwords. (For tips on password best practices, see our security recommendations in "Client Education Resources for Fighting Data Breaches.")
You'll also need to update OpenSSL software on any web hosting servers you have or maintain. Both Apache and nginx use OpenSSL, so both need to be updated ASAP.
IT consultants, security administrators, network admins, and other IT professionals can be sued for not advising their clients about this potential danger and not acting quickly enough to update OpenSSL. When you fail to meet a professional responsibility, lawyers call it "professional negligence," and it's one of the common reasons IT professionals can be sued.
E&O Insurance: A Policy to Protect You from Software Flaws
The Heartbleed bug might be the latest and largest software flaw to make news, but as an IT professional, you know that soon enough, we'll read about another major flaw in software everyone once thought was perfectly secure. That's the sad truth of the IT world.
It's a risk that you share simply by working in IT. While data breaches, outages, and other flaws might be caused by someone else's software, clients can actually sue you over these incidents. Errors and Omissions Insurance covers these lawsuits as well as other lawsuits about professional negligence, software bugs, and alleged mistakes in your work.