A serious security vulnerability (“The Heartbleed Bug”) was recently discovered within OpenSSL, the software that some servers use to generate CSRs for SSL Certificates (note, CSRs generated on Windows IIS were not affected by this bug). This vulnerability existed for more than two years before identified/isolated, and was fairly easy to exploit, allowing attackers to steal information that was, under normal circumstances, protected by the SSL/TLS encryption used to secure the exchange of data on the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM), and some virtual private networks (VPNs). The Heartbleed bug allowed anyone on the Internet to read the memory of the systems that are ‘protected’ by a vulnerable version of the OpenSSL software. Essentially this means that the attackers were/are able to view/capture communications across networks, steal data (user names, passwords, credit card information, etc.) and impersonate services and users. Although Safenames was not impacted, when we learned of this security bug, we immediately took a specific set of actions to address this vulnerability including installing new SSLs with CSRs that were generated on the updated OpenSSL software. If you are running your own systems with OpenSSL versions 1.0.1 through 1.0.1f, your system was/is vulnerable and we suggest that you upgrade as soon as possible.
What else can you do to protect yourself? If you have not already done so, it is highly recommended that you change your passwords for sensitive accounts (banks, email, facebook, etc.). Also, don’t hesitate to reach out to small businesses that may have your data to ensure that they are secure. Larger organizations most certainly know about Heartbleed, and have addressed this issue, but some small businesses may not—in situations like this it’s much better to be safe than sorry. Keep a close eye on financial statements for the next few weeks/months. Why? Because attackers often have access to a server’s memory for credit card information even after a vulnerability has been mitigated/addressed.
If you have any questions about this post, please contact your Safenames account manager. You may also contact us in the UK at +44 1908 200022 (firstname.lastname@example.org) or in the US at +1 703 574 5313 (email@example.com).