The media has been buzzing over the last week about the Heartbleed Bug, a security flaw that lets anyone on the Internet read the memory (including passwords) of the systems protected by vulnerable versions of the popular OpenSSL security software.
Why It's Dangerous
What makes this flaw so dangerous? Attackers can, in theory, eavesdrop on communications, steal data directly from services and users, and impersonate services and users. While a "fixed" version of the software was released, an estimated 500,000 of the Internet's secure web servers certified by trusted authorities were believed to be vulnerable to the attack when the flaw was discovered, allowing theft of the servers' private keys and users' session cookies and passwords. (For the record, there have not yet been any reported attacks using the bug.)
As the Washington Post is reporting, efforts to fix the bug may cause major disruptions to the Internet over the next several weeks as companies work to repair encryption systems on hundreds of thousands of websites at the same time.
Estimates of the severity of the bug’s damage have mounted almost daily since the bug was announced, and the situation seems to be getting worse. Just recently, experts determined that skilled hackers may be able to use the bug to create fake Web sites that mimic legitimate ones to trick consumers into handing over personal information.
The Associated Press noted that two of the biggest makers of networking equipment, Cisco and Juniper, have said that some of their products contain the bug, but experts warn that the problem may extend to other companies as well as other Internet-connected devices. Both Cisco and Juniper are advising customers through their websites on which products are still vulnerable, which are fixed, and which are unaffected. Owners may need to install software updates for products that are “fixed,” and should be diligent about installing any software updates they receive.
What You Can Do
So how does this affect your business? As Forbes.com very bluntly put it: "If you are a business owner and run a website, your website may have been compromised and your customers’ information may have been stolen." Hackers could also impersonate your website (even after you have patched the bug), the story notes, and capture future visitors’ information by pretending to be your business.
Here are Forbes' tips on how to protect your business:
1. Check to see if your websites are using OpenSSL. If so, read instructions for the latest OpenSSL patch here.
2. Check all of your websites and your partner websites to see if they are vulnerable. Here are two tools that can check a website by entering the URL:
3. If compromised, revoke and reissue any encryption keys.
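The following shell script is an added example, not code from Forbes or from the article, showing how an administrator can carry out step 1 (identify whether a host's OpenSSL build is in the affected range) and prepare for step 3 (generate a replacement key and certificate request). The version ranges it uses are an assumption taken from the widely reported advisory for the bug, not from this page: upstream OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 contain the bug, 1.0.1g and later fix it, and the 0.9.8 and 1.0.0 branches never had the heartbeat code. The sample version banners at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the article): triage the OpenSSL build on a host for
# the Heartbleed bug, then prepare a replacement key and CSR for step 3.
#
# Assumption (widely reported, not stated on the page): upstream OpenSSL
# 1.0.1 through 1.0.1f and 1.0.2-beta1 carry the bug; 1.0.1g and later fix it;
# 0.9.8 and 1.0.0 never had the heartbeat code. Distribution packages often
# backport the fix while keeping the old version string (for example "1.0.1e"
# with a patched package revision), so "vulnerable-version" means "confirm
# against the vendor advisory or the package changelog", not "confirmed bad".

# heartbleed_status VERSION  ->  prints one of:
#   vulnerable-version | fixed-version | not-affected | unknown
heartbleed_status() {
    case "$1" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1)
            echo "vulnerable-version" ;;
        1.0.1*|1.0.2*|1.1.*|3.*)
            echo "fixed-version" ;;
        0.9.*|1.0.0*)
            echo "not-affected" ;;
        *)
            echo "unknown" ;;
    esac
}

# version_from_banner "OpenSSL 1.0.1e-fips 11 Feb 2013"  ->  "1.0.1e-fips"
# Extracts the version token from the output of `openssl version`.
version_from_banner() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }'
}

# local_status: classify whatever `openssl` binary is first on PATH.
# A web server linked against a different copy of libssl (a bundled build,
# a chroot, a container) can differ from this answer, so check it too.
local_status() {
    banner=$(openssl version 2>/dev/null || true)
    heartbleed_status "$(version_from_banner "$banner")"
}

# reissue_csr HOSTNAME KEYFILE CSRFILE: generate a fresh 2048-bit RSA key and
# a CSR for HOSTNAME, readable only by the current user. The old certificate
# still has to be revoked with the CA and the new one installed; user sessions
# and passwords are rotated separately, after the server is patched.
reissue_csr() {
    host="$1"; key="$2"; csr="$3"
    umask 077
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$key" -out "$csr" -subj "/CN=$host"
}

# Constructed sample banners (not real hosts) showing each outcome.
for banner in "OpenSSL 1.0.1e-fips 11 Feb 2013" \
              "OpenSSL 1.0.1g 7 Apr 2014" \
              "OpenSSL 1.0.0k 5 Feb 2013"; do
    printf '%-32s %s\n' "$banner" \
        "$(heartbleed_status "$(version_from_banner "$banner")")"
done
printf 'openssl on this host: %s\n' "$(local_status)"
```

Run the script on each server to get a first triage; where it reports "vulnerable-version", compare the package revision against the vendor's advisory before deciding whether the host was actually exposed, since a backported fix keeps the old upstream version string. Once a host is patched, `reissue_csr` produces the new key and request to send to the certificate authority.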
But while you may be able to fix your website's security system, any downtime or crashes can cost you serious money. As Forbes noted in a follow-up article, if customers can’t log on to a business' website, the business may lose business now and in the future. A new Forbes Insights report (in association with IBM) entitled “Fallout: The Reputational Impact of IT Risk,” found that lost revenues, downtime and the cost of restoring systems can accrue at the rate of $50,000 per minute for a minor disruption.