For the whole of last week, the internet was abuzz with the “Heartbleed” bug. It even had its own logo! The Heartbleed bug is a security hole in the popular OpenSSL software, which is used for securing most of the internet’s traffic. This security vulnerability has been around since 2012, and its discovery was publicly disclosed only recently.
The bug enables hackers to steal vital data such as credit card numbers and passwords. Apart from these, hackers can also lay their hands on the secret cryptographic keys right from the server! These keys can enable the hacker to impersonate even secure sites, which makes it the most dangerous bug ever in the age of the internet. OpenSSL immediately released an emergency patch on the day of the announcement.
With all that online banking and shopping, should you be concerned? Well, this is a tricky one to answer. While it is not known whether hackers were cognizant of this flaw, we had better be safe than sorry. It is also difficult for businesses to estimate whether they have been compromised. A large number of websites have already patched the OpenSSL bug, and yes, this includes your CIMM2 server: http://cimm2.com/cimm2-and-heartbleed/. You can breathe easy, as CIMM2 does not rely heavily on OpenSSL. You can also check whether your business’s website and other sites you frequent are patched for Heartbleed here: https://lastpass.com/heartbleed/
Mashable has also created a handy hit list here: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
We at Unilog highly recommend that you reset your password for the sites you access, regardless of the patch, just to be on the safe side.
Bracing for future vulnerabilities
Many websites now use two-factor authentication (most popular among financial institutions). This adds a fortified layer of security. With security flaws of this kind, there is very little one can do. But you can be alert and safeguard against such future vulnerabilities by:
- Using different passwords for different sites
- Changing your passwords religiously every few months
- Avoiding storing all your passwords in a single place without a master passcode
- Logging out of sites, so that any hacker would be forced to log in
- Using a hard-to-crack password made up of a mixture of upper and lower case letters, numbers and special characters.