The Heartbleed Bug: What You Need to Know


Perhaps you have heard of the OpenSSL security issue known as “Heartbleed” and are worried about your passwords and other sensitive data. You are right to be concerned – this is a major issue affecting most Internet users and businesses.

The issue involves a flaw in OpenSSL, software that is used to encrypt sensitive information on the Internet. OpenSSL is commonly found in websites that use the HTTPS protocol for secure communications, indicated by a padlock icon in the browser. The Heartbleed bug lets an attacker read portions of a vulnerable server’s memory, which can expose the secret keys used to identify trusted systems and encrypt information, as well as passwords and other data being processed at the time, enabling hackers to steal sensitive data.

The good news is that the bug has been fixed. However, it is up to individual website owners to implement the change within their systems. Many major websites have done so, but smaller organizations may take more time. It doesn’t help to change your password or take other action until the specific site has eliminated the bug.

Any Atlantic-IT.net web services you may be using are not vulnerable and no action needs to be taken with respect to these services. This includes hosted Exchange email and hosted SharePoint services, Atlantic-IT.net’s Email Shield anti-spam service, your remote access web portal and Atlantic-IT.net’s monitoring and management tool. Additionally, your firewall may have the ability to prevent access to sites that have the vulnerability.

Please note that LogMeIn Free, LogMeIn Pro and LogMeIn Central were vulnerable to the Heartbleed bug and have been patched. See this web site if you use one of those products: http://blog.logmein.com/products/important-update-logmein-pro-central-users.

Check with your service provider to determine if any of your web sites are vulnerable. You should also take the following actions for other web sites and web-based services you may use:

  • Immediately change your password on these sites: Facebook, Instagram, Pinterest, Tumblr, Yahoo, Amazon Web Services, Box, Dropbox, GitHub, IFTTT, Minecraft, OKCupid, SoundCloud and Wunderlist. (Google and PayPal were not affected.)
  • Check this list of popular sites to determine the status of other sites you may use. (Note that only 48 of the 1,000 sites tested were found to be vulnerable.)
  • Set your browser to check for revoked site certificates. This is an important function for protecting against the Heartbleed vulnerability. Once a vulnerable site has fixed the security issue, they will revoke their old certificates and implement new ones. Your web browser must be configured to reject the old certificates. Please see this page to ensure your web browser is set correctly: http://192.185.97.52/~atl4nt1t/wordpress/wp-content/uploads/2014/04/Atlantic-IT-set-browser-revoked-SSL-certs.pdf.
  • Share this information with your business partners, customers and others with whom you exchange sensitive data. Their sites may be vulnerable, which could impact your business. If they do not have an IT provider, we will be glad to assist them.
  • Once a vulnerable site has been fixed, change your password immediately. If you change your password before the vulnerable site has been fixed, you will need to change it again after they fix it.
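For readers who administer their own servers, the following is an added example (not part of this advisory or of any Atlantic-IT.net tool) of the first check a systems administrator performs when asked whether a site is affected: compare the OpenSSL version a system reports against the known-affected releases. The affected releases are OpenSSL 1.0.1 through 1.0.1f (1.0.1g is the fixed release) and the 1.0.2-beta1 pre-release; the 1.0.0 and 0.9.8 branches never contained the bug. The version strings used as sample input are constructed for the example; the function and variable names are the example’s own.

```python
import re
import ssl

# Known-affected releases: the 1.0.1 branch from 1.0.1 up to and including
# 1.0.1f (1.0.1g carries the fix), plus the 1.0.2-beta1 pre-release.
# The 1.0.0 and 0.9.8 branches never had the flawed heartbeat code.
LAST_AFFECTED_101_LETTER = "f"

# Matches strings such as "1.0.1e", "1.0.1", "1.0.2-beta1", "1.0.1e-fips"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(\S+))?")


def parse_openssl_version(text):
    """Parse a string like 'OpenSSL 1.0.1e 11 Feb 2013' (the format printed
    by `openssl version` and exposed as ssl.OPENSSL_VERSION) into a tuple
    (major, minor, fix, patch_letters, suffix)."""
    m = _VERSION_RE.match(text.replace("OpenSSL", "").strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version string: %r" % text)
    major, minor, fix, letters, suffix = m.groups()
    return int(major), int(minor), int(fix), letters, suffix or ""


def is_heartbleed_version(text):
    """Return True when the version string names a release in the affected range.

    This is a version heuristic, not proof: a 1.0.1 build compiled without the
    heartbeat extension, or a distribution package that backported the fix while
    keeping the 1.0.1e version number, is reported as affected here although it
    is not. Treat a True result as "ask the vendor or provider to confirm".
    """
    major, minor, fix, letters, suffix = parse_openssl_version(text)
    if (major, minor, fix) == (1, 0, 1):
        # Plain "1.0.1" (no letter) and letters a..f are affected; g+ are fixed.
        # Patch letters are single lowercase characters, so "" <= "a" <= ... <= "f".
        return letters <= LAST_AFFECTED_101_LETTER
    if (major, minor, fix) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped with the bug.
        return suffix == "beta1"
    return False


def check_local_openssl():
    """Report the OpenSSL version linked into this Python interpreter and
    whether it falls in the affected range."""
    version = ssl.OPENSSL_VERSION
    return version, is_heartbleed_version(version)


if __name__ == "__main__":
    # Constructed sample version strings, as an administrator might collect
    # them from `openssl version` on several hosts.
    samples = [
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "OpenSSL 1.0.0l 6 Jan 2014",
    ]
    for s in samples:
        print("%-34s affected range: %s" % (s, is_heartbleed_version(s)))
    local, flagged = check_local_openssl()
    print("this interpreter: %s -> affected range: %s" % (local, flagged))
```

Run it on each host, or feed it the output of `openssl version` collected from your servers; anything flagged should be confirmed with the distribution or appliance vendor, since a backported fix does not change the version number. A clean result still does not replace the certificate and password steps above, because keys may already have been exposed before the fix was applied.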

This is also a good opportunity to review your password policy and ensure that your team is following best practices:

  • Use strong passwords of at least eight characters, using a mixture of letters, numbers and special characters.
  • Use a different password for each site/application.
  • Don’t write your passwords down or share them. Instead, use a good password manager to keep track of your various passwords, such as LastPass, which has free web-based and for-pay mobile versions.

As your outsourced IT department, Atlantic-IT.net is here to help keep your business secure. Please let us know if we can answer any questions or be of further assistance.