Heartbleed Zero-Day OpenSSL Security Vulnerability

Although April Fools' Day recently passed, this is no April Fools' joke. One of the most serious security threats to the internet as a whole was on display for all to see. This vulnerability is listed as “zero-day” because the software developers have had zero days to fix it when the vulnerability was discovered.

On Monday, April 7th, 2014, a major bug in OpenSSL was revealed which allows attackers to read information from the memory of servers that have OpenSSL installed. Roughly 66% of the internet uses this application to secure your data. Northwoods Web Designs uses OpenSSL as well but was not using the version(s) that were vulnerable.

What is the Heartbleed bug?

Heartbleed is a bug in OpenSSL (all programming applications have bugs, yes even Apple and Microsoft) that allows any normal user to read information stored in the server's memory without any additional privileges on the server.

So information that was assumed to be protected became accessible, such as usernames, passwords, SSL keys, emails and other data that should not be readable without proper access.

Are you vulnerable?

The affected application is OpenSSL, versions 1.0.1 through 1.0.1f. You will more than likely be affected either directly or indirectly by this.

How big is this? For example, the Apache web server that powers over 50% of the Internet’s websites utilizes OpenSSL. In less technical terms, this vulnerability affects companies that use these versions of this application to manage secure connections (encrypt your data) between your computer and their servers.
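For administrators, one way to check a list of servers against the affected version range given above. This is an added example, not code from Northwoods Web Designs or the OpenSSL project; the host names and banner strings are constructed samples in the format that `openssl version` prints.

```python
import re

# Affected range as stated on this page: OpenSSL 1.0.1 through 1.0.1f.
AFFECTED_BASE = (1, 0, 1)
AFFECTED_LETTERS = ("", "a", "b", "c", "d", "e", "f")  # "" is plain 1.0.1

_VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)


def parse_openssl_version(banner):
    """Return ((major, minor, fix), letter) from `openssl version` text, or None."""
    match = _VERSION_RE.search(banner)
    if match is None:
        return None
    major, minor, fix, letter = match.groups()
    return (int(major), int(minor), int(fix)), letter.lower()


def classify(banner):
    """Classify one version banner against the page's affected range."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unknown"  # not OpenSSL, or an unrecognised format
    base, letter = parsed
    if base == AFFECTED_BASE and letter in AFFECTED_LETTERS:
        # Distributions may backport the fix without changing the letter,
        # so confirm against the vendor advisory before concluding.
        return "affected-range"
    return "outside-range"


def triage(inventory):
    """Return (host, status) rows; hosts needing follow-up sort first."""
    order = {"affected-range": 0, "unknown": 1, "outside-range": 2}
    rows = [(host, classify(banner)) for host, banner in inventory.items()]
    return sorted(rows, key=lambda row: (order[row[1]], row[0]))


# Constructed sample inventory (hypothetical hosts, typical banner formats).
SAMPLE_INVENTORY = {
    "web01.example": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "web02.example": "OpenSSL 1.0.1g 7 Apr 2014",
    "mail.example": "OpenSSL 0.9.8y 5 Feb 2013",
    "vpn.example": "OpenSSL 1.0.1 14 Mar 2012",
    "legacy.example": "version string not collected",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host:16} {status}")
```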

How do you protect yourself?

If you have accounts with any financial, email, billing or other companies, you may be affected by this threat, as your personal information is at risk. You should review the companies you interact with (email, Facebook, Pinterest, financial etc…) and see if they were affected or not. If they were, you need to change your password immediately for every one of those companies.

As previously mentioned, Northwoods Web Designs was not affected, so you do not have to change your password for billing, website or webmail access. Still, now’s a good time to do so if it’s been over 90 days since you last changed it.

If you want more details on the Heartbleed vulnerability, you can visit www.heartbleed.com, which goes into it in more depth.

You can also test any URLs that you access to see if they are affected at this link: http://filippo.io/Heartbleed/ . They may have applied the fix by the time of this writing, so it’s advisable to change your password for peace of mind.