(Prescott, AZ – April 15, 2014) Whether through social media, the news or a friend, most people are aware of the recent “Heartbleed” bug - a computer security vulnerability that can reveal the contents of a server’s memory and expose private data such as usernames, passwords and even credit card information. Better Business Bureau (BBB) shares recommendations on what to do to minimize the negative effects of the security threat.
The “Heartbleed” bug is a flaw in OpenSSL, a widely used open-source implementation of the Secure Sockets Layer (SSL) and its successor, TLS. The defect is in OpenSSL’s code for the TLS “heartbeat” extension, not in the SSL/TLS protocol itself, so servers built on other SSL libraries are not affected by it. SSL/TLS is the standard security technology that establishes an encrypted link between a user’s web browser and the server hosting the website, and it also secures email, instant messaging, social media and business transactions, which is why a flaw in such a widely deployed implementation matters so much.
The flaw was publicly disclosed on April 7, 2014, but had existed since OpenSSL 1.0.1 shipped in March 2012, about two years. A crafted heartbeat request makes a vulnerable server return up to 64 KB of its memory, and repeated requests can harvest usernames, passwords, session cookies and even the server’s private key. With that key an attacker can impersonate the server and, where the connection did not use forward secrecy, decrypt recorded communications from the past - and, potentially, the future. The read leaves no trace in ordinary server logs, so a site cannot tell from its logs whether it was attacked.
For businesses: BBB recommends that businesses immediately check whether their website(s) use OpenSSL and, if so, whether the version is vulnerable (OpenSSL 1.0.1 through 1.0.1f are affected; 1.0.1g and later are fixed). Tech/media website CNET recommends a Heartbleed test tool developed by a cryptography consultant, found at filippo.io/Heartbleed. If a vulnerability exists, businesses should work with their IT department or a computer professional to upgrade OpenSSL to a fixed version (or a vendor-patched package), restart every service that loaded the old library, and then replace the server’s private key, reissue the certificate and revoke the old one, since any key held in memory while the flaw was present must be assumed exposed. Active user sessions should be invalidated for the same reason.
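One way to do the first part of that check on a server, added here as an example and not part of the BBB release or of the tools it cites: classify the version string printed by `openssl version` against the affected range (upstream OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g). The sample banners are constructed. The important caveat is that Linux distributions commonly backported the fix into their existing 1.0.1e packages without changing the upstream version letter, so a “vulnerable” verdict from a version check must be confirmed against the vendor’s package changelog or a heartbeat test such as the one cited above before concluding the host is exposed.

```python
import re
import shutil
import subprocess

# Heartbleed (CVE-2014-0160) is present in upstream OpenSSL 1.0.1 through
# 1.0.1f. OpenSSL 1.0.1g (7 April 2014) fixed it; the 1.0.0 and 0.9.8
# branches never contained the heartbeat code and were not affected.
FIRST_VULNERABLE = (1, 0, 1, "")    # 1.0.1 with no patch letter
FIRST_FIXED = (1, 0, 1, "g")

# Matches the version field of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter) from an `openssl version` banner.

    The patch letter is kept as a string so that tuple comparison orders
    releases the way OpenSSL does: 1.0.1 < 1.0.1a < ... < 1.0.1f < 1.0.1g.
    """
    match = VERSION_RE.search(banner)
    if not match:
        raise ValueError("no OpenSSL version found in %r" % banner)
    major, minor, fix, letter = match.groups()
    return (int(major), int(minor), int(fix), letter)


def is_heartbleed_version(banner):
    """True if the upstream version string falls inside 1.0.1 .. 1.0.1f."""
    return FIRST_VULNERABLE <= parse_openssl_version(banner) < FIRST_FIXED


def heartbleed_status(banner):
    """Verdict for one banner.

    Caveat: Debian, Ubuntu, Red Hat and others shipped the fix as a patch to
    their existing 1.0.1e packages without bumping the upstream letter, so
    'vulnerable unless vendor-backported fix' must be checked against the
    vendor's package changelog (or a heartbeat test) before acting on it.
    """
    version = parse_openssl_version(banner)
    if version < FIRST_VULNERABLE:
        return "not affected"
    if version < FIRST_FIXED:
        return "vulnerable unless vendor-backported fix"
    return "fixed"


def check_local_openssl():
    """Run `openssl version` on this host and classify it; None if no binary."""
    if shutil.which("openssl") is None:
        return None
    result = subprocess.run(["openssl", "version"], capture_output=True,
                            text=True, check=True)
    banner = result.stdout.strip()
    return banner, heartbleed_status(banner)


if __name__ == "__main__":
    # Constructed sample banners in the format `openssl version` prints.
    samples = [
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1f 6 Jan 2014",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.0k 5 Feb 2013",
        "OpenSSL 0.9.8y 5 Feb 2013",
    ]
    for sample in samples:
        print("%-30s %s" % (sample, heartbleed_status(sample)))
    local = check_local_openssl()
    print("this host:", local if local else "openssl not found")
```

Run it on each server that terminates TLS; a “fixed” or “not affected” verdict for the library is only half the remediation, because keys and sessions already leaked are not recovered by the upgrade.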
For systems administrators: Systems administrators should follow the advice of the United States Computer Emergency Readiness Team (US-CERT) found at http://www.us-cert.gov/ncas/alerts/TA14-098A. Information from US-CERT can be applied to systems in other countries.
For consumers: CNET has also published a list of the top 100 websites affected, updated regularly based on recent vulnerabilities and repairs. Consumers can reference CNET’s list or the Heartbleed test tool previously mentioned to see whether websites they regularly use are secure, or whether vulnerabilities have been addressed.
It’s also recommended that consumers change passwords on all sites, particularly those that retain personal identifying information. Change each password only after confirming the site is not vulnerable or has fixed its OpenSSL; a new password sent to a still-vulnerable server can be leaked just like the old one.
The “Stop. Think. Connect.” campaign offers the following suggestions to protect your identity:
- Secure accounts: Ask for protection beyond passwords. Many account providers now offer additional forms of verification, such as a one-time code sent to your phone, that you can turn on in your account settings.
- Make passwords long and strong: Combine capital and lowercase letters with numbers and symbols to create a more secure password.
- Set a unique password for each account: Use a genuinely different password for every account. Two passwords that differ by only a character or two are effectively the same password to an attacker who has learned one of them.
- Own your online presence: When available, set privacy and security settings on websites to your comfort level for information sharing. Limit how and with whom you share information.
- Look into password management software to help you keep track of long and strong passwords.
BBB’s servers do not use OpenSSL. All of its websites have been checked and found to be free of vulnerabilities.