Information for Our Customers about the Heartbleed Vulnerability


April 10, 2014

Dear fellow technology users,

Because the newly publicized OpenSSL security vulnerability called “heartbleed” is so pervasive and such a significant risk, I want to share with you some relevant links that give more information about the problem.  This is a severe IT problem, and unfortunately every business running a secure website or any other SSL-encrypted service available on the Internet needs to take action: either verify that they are not affected, or, if they are, patch the software, reissue their certificates and reset their passwords.

http://money.cnn.com/2014/04/09/technology/security/heartbleed-bug/index.html
http://blogs.wsj.com/five-things/2014/04/09/5-questions-about-heartbleed/
http://www.heartbleed.com/

Yesterday we evaluated and checked for this bug on several dozen servers we manage, and found and corrected this bug affecting several websites we run.  Our cloud service partners also took aggressive action yesterday to mitigate this issue.  But many small businesses, especially those running their own servers, website storefronts, e-mail systems or VPN services, may be unaware of the problem or struggling to know what to do.

In just the day since this news went public, many researchers have been able to use it to develop attacks that breached servers (with permission) and gained access to private data.  So we know the bad guys can do and are doing likewise, and may have already been doing so for a while if they knew of the flaw before the good guys found it and made it public this week.

Specific Steps to Take Right Now

The first thing to do if you’re running an SSL website is to test it and see if it is vulnerable.  Visit https://www.ssllabs.com/ssltest/index.html, run a test on your site (the test takes a couple of minutes), and look for the result line item on “heartbleed.”  If it says your site is vulnerable, you need to take immediate action.

If your website is fine, that’s wonderful.  Now think about any other services you may be running on the Internet (see below) using your own server (whether on-site or in a public cloud) or storage / security appliance.  If one of these services is using the OpenSSL 1.0.1 software under the hood, it is probably vulnerable to heartbleed.  Your IT consultant or service provider should be able to help you determine whether or not that’s the case.

- secure website
- secure shopping cart
- secure e-mail server
- secure VPN
- secure file sharing mechanism

If you, or someone you know, are running one of the above, please pass this information along to be sure they’re aware of this issue and are taking the steps necessary to get this problem addressed on their servers ASAP.

Thank you,

Jay van Achterberg
Solution Innovators
860-288-5353