Heartbleed

Subscribe to Heartbleed

For the last Monday in April, we have a few privacy and security bits and bytes to start your week.

Trending Now – 5 Things Every Company’s Data Security Program Should Include

JD Supra Perspectives has published a short article (disclosure: quoting this author) that can get people talking this week. Get it here and circulate it.   The 5 things could jump start your own data security program.

Tech Heavy Hitters Fund Open-Source Project

By now, you likely are aware that the Heartbleed bug originated in a coding error in OpenSSL — an open-sourced Secure Socket Layer program.   Open source is good code in most respects, having been contributed to and tested by hundreds of experienced users.   But therein lies the problem as well.   There is no real QA.  Code is contributed and usually uploaded on the fly and bugs are reported by the user community with fixes also contributed.   The Washington Post reported that a group called the Core Infrastructure Initiative will pull together companies including Amazon, Cisco, Facebook, Google, IBM, Microsoft, Intel and others.  Each company has agreed to pledge $100,000 per year over the next three years to fund this initiative to help prevent pervasive security vulnerabilities in the future.

In the interim:  make sure you know what open source code your developers are using and how that code can affect your end users and customers.

Read more here – The Washington Post (registration may be required)

 

 

 

 

There has been so much news swirling in the data privacy and security world in the last few days, that it has been difficult to keep up.    We’ll give you a roundup here for your Friday and weekend reading.

Heartbleed – Where Are We?   

By now, you should know whether your web-facing applications (customer log-in, secure web portals, shopping carts) were affected by the Heartbleed vulnerability, and patches should have been applied.    If you have not checked into this yet, you can test your URL at any number of sites, but here is one.  Test it now!

  • Upgrade any software using OpenSSL to the latest, patched version. (should be done)
  • Communicate with any hardware and software vendors to ensure they’ve also upgraded. 
  • Once that is secured, have everyone within your company change their passwords, or notify customers that passwords should be changed.
  • Explain to employees and customers what you are doing and what you have done to take precautions against this bug.
The second bullet was the biggest nut to crack for many this week.  Make sure that your network appliances (routers, conferencing, any hardware/software that connects to the Internet) are all checked.  SANS (the security institute) has been keeping a running list of Heartbleed vendor patches and communications.  Many vendor sites also are posting technical communications with updates and notices regarding the availability of upgrades, patches or hotfixes.  Further, many enterprises don’t know how many sites they own, such as external cloud-hosted sites, sites acquired via mergers and acquisitions – and temporary sites that everyone forgot about.   All of those should be checked for the Heartbleed vulnerability, because if the door is open, it could allow malicious intruders in.   Just ask Canada’s Revenue Agency or the UK’s popular site, Mumsnet.

Continue Reading Privacy & Security Bits and Bytes

Last week was certainly the “week of the Heartbleed.”    Unless you have been on vacation on a remote island (and if so, good for you!), you have heard and read much about the latest mass bug to infect the Internet.

If you do not know whether your servers are affected by Heartbleed, or have decided not to do anything about it, perhaps you should consider the potential for future liability arising out of breaches that could have been avoided by patching OpenSSL, and you may want to read this, and forward it to your C-suite.

If you have already checked your servers and feel relieved, you may want to check with other providers in your technology stack.   For example, Cisco and Juniper Networks were scrambling last week to notify customers and issue patches for products and software.   Cisco and Juniper said the security flaw affects routers, switches and firewalls often used by businesses.   That means hackers might be able to capture usernames, passwords and other sensitive information as they move across corporate networks, home networks and the Internet. Cisco created an Event Response Page and Juniper has an “Out of Cycle Security Bulletin”

Rather than our usual “bits and bytes” on this Monday, below is a collection of articles on Heartbleed.

  • Heartbleed – Codenomicon
  • Heartbleed – Schneier on Security
  • Digital heart attack – The Economist
  • Heartbleed bug puts the chaotic nature of the Internet under the magnifying glass – The Washington Post (tiered sub.)
  • Retailers Sending Mixed Messages in Wake of ‘Heartbleed’ Bug Scare – ABC News
  • Massive OpenSSL Bug ‘Heartbleed’ Threatens Sensitive Data – The Wall Street Journal (sub. required)
  • Ecommerce Sites Warn Sellers About The Heartbleed Bug – Pymts.com
  • Heartbleed portends larger security threats – The Washington Post (tiered sub.)

And Mashable has a great piece with a matrix of sites and whether you should change your password just yet.

Messaging to customers and site users is important and should be well-coordinated with technical, communications — and legal.    Inaccurate, late to the party, or misleading messaging could lead to Heartbleed headaches.