Heartbleed is a security flaw in OpenSSL, a widely used implementation of the SSL/TLS encryption standards, that gives hackers the ability to extract data from inside a stream of communication that would normally be considered secure. The vulnerability was discovered by researchers, including an analyst at Google. Specifically, the Heartbleed vulnerability is in the server software that powers services handling secure transactions for banking and shopping, as well as those that carry more mundane communications such as Facebook and Gmail. Because the vulnerable OpenSSL code runs on the host side, hackers need only exploit the host and they are then able to skim information from all the users and machines that connect to it. This makes Heartbleed a little unusual in that there is little a consumer can do to avoid the problem. Rather, the burden is on the host (the bank, the store, the e-mail service) to update the systems that use OpenSSL.
As of this writing (April 10, 2014), there are no reports of hackers actually having used Heartbleed to obtain information. However, researchers note that attackers could have infiltrated these websites, extracted the information they wanted and left no trace of their presence.
For clients of ESG, we have two items to note regarding Heartbleed:
- All of ESG’s client services are protected from this risk as they do not utilize OpenSSL. This includes our most widely used ESG Hosted Exchange 2013 and ESG LiveDrive products.
- The only two 3rd party services ESG recommends that are currently known to be at risk are Google Apps and Dropbox. For both of those, we recommend you change your login information soon, and as always we recommend you continue to change your login information monthly or quarterly. Should you need any help with either of these 3rd party services, contact us.
For users and consumers in general, we recommend reading these two excellent articles on Mashable:
- The Heartbleed Hit List: The Passwords You Need to Change Right Now
- How to Protect Yourself From the Heartbleed Bug
Also this article on CNET provides a listing of the top 100 services and their exposure:
If your business is notified by a 3rd party provider that their systems or software use OpenSSL and they recommend you take action, please reach out to us for assistance. The seriousness of this vulnerability, and the fact that responsibility lies with the host (meaning with your business, if you host websites or software that use OpenSSL), mean you should act quickly to protect your business and your customers.
Update on April 11, 2014: Latest reports indicate that the NSA may have been using this exploit to spy on American citizens.