By now, you’ve seen hearts dripping blood all over the Internet. Heartbleed, as Finnish company Codenomicon dubbed the bug in OpenSSL’s code, isn’t a virus, but news of the flaw has gone viral. So what is Heartbleed, and what does it mean for you?
The bloody details
OpenSSL, where the bug was found, is widely used for security vendor products and secure web browsing, such as when you log in to a site and see https://. (This doesn’t mean all sites with an “s” at the end are using OpenSSL, however.) The bug’s technical name, CVE-2014-0160, comes from the line of code that contained the bug. Ideally, OpenSSL should keep sites secure from eavesdroppers, but by exploiting the mistake in the code, attackers can retrieve memory from remote systems, including usernames, passwords, and keys.
Finding a bug
OpenSSL is open source, meaning anyone can review or contribute to the code. However, Forbes reports the project is under-funded, and most people using OpenSSL likely assumed the code had been checked by others and was safe. Neel Mehta of Google Security found the bug, though it had been around for two years.
Are you affected?
Netcraft, an Internet research firm, estimates 500,000 websites could be affected by Heartbleed, so it’s safe to assume at least a few sites you visit on a regular basis are vulnerable. American Banker reports that no major banks are susceptible, and companies including Bank of America, JPMorgan Chase, and Capital One have all announced they don’t use OpenSSL. Amazon, PayPal, eBay, Target, and Walmart are unaffected as well. However, according to CNET’s list of high-traffic websites, Google, Facebook, and Netflix have all issued patches for Heartbleed.
What should I do?
If you have a Google, Facebook, or Netflix account, your username and password were potentially leaked, and you should change your password on these sites. However, some sites, such as BuzzFeed and The New York Times, haven’t confirmed whether they were affected or whether the problem has been fixed, so you should hold off changing those passwords until they do so. Password management company LastPass and Qualys, a security firm, both have tools for checking whether sites have issued patches. Keep in mind it’s impossible to tell if your information was already stolen from a site or service, even if it’s fixed now.
What if I’m an SMB?
Small and medium-sized businesses will want to ensure their products, services, and websites aren’t affected by Heartbleed. Some security vendors and customer database products have reported being vulnerable, so check whether your product vendors have scheduled a patch. Forbes suggests the following steps:
- Use a site such as http://filippo.io/Heartbleed/ to check whether your website, apps or any products use OpenSSL and are vulnerable.
- Once you’ve patched, regenerate any private keys your site uses. Find more information here.
- Update to the latest version (1.0.1g or above) of OpenSSL. Find help for this step here.
- Use this SSL checker and CheckTLS for mail servers.
- Get more information here: http://heartbleed.com/.
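As an added example (not from the original post or from Forbes), here is a small Python check for the version step above: it parses the output of `openssl version` and classifies it against the upstream fix in 1.0.1g. The sample banners are constructed, and the call to a local `openssl` binary on PATH is an assumption about the host.

```python
import re
import subprocess

# Constructed sample banners in `openssl version` format (not captured from a real host).
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.0l 6 Jan 2014",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
]
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")

def parse_openssl_version(banner):
    """Return (major, minor, fix, letter, beta), or None if the banner is not OpenSSL."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter, beta = m.groups()
    return (int(major), int(minor), int(fix), letter, beta)

def heartbleed_status(banner):
    """Classify an upstream version string as 'vulnerable', 'fixed', 'not-affected' or 'unknown'.
    Upstream, 1.0.1 through 1.0.1f and 1.0.2-beta1 carry the bug; 1.0.1g fixed it; 0.9.8 and
    1.0.0 never had the heartbeat code. Caveat: distributions backport the fix without changing
    the letter, so 'vulnerable' from the banner alone means 'verify', not 'confirmed exposed'."""
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown"
    branch, letter, beta = v[:3], v[3], v[4]
    if branch < (1, 0, 1):
        return "not-affected"
    if branch == (1, 0, 1):
        # '' (plain 1.0.1) and 'a'..'f' sort before 'g' in string comparison
        return "vulnerable" if letter < "g" else "fixed"
    if branch == (1, 0, 2) and beta == "beta1":
        return "vulnerable"
    return "fixed"

def local_openssl_status():
    """Classify the `openssl` binary on PATH (assumed present); 'unknown' if it cannot run."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True, text=True)
    except OSError:
        return "unknown"
    return heartbleed_status(out.stdout)

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{heartbleed_status(banner):13} {banner}")
    print("local openssl:", local_openssl_status())
```

A "vulnerable" verdict on a distribution package (Debian, Ubuntu, RHEL) is only a prompt to check the package changelog or run the live checker linked above, since vendors patched 1.0.1e builds without bumping the letter.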
Is Acumatica affected?
Acumatica is not impacted by the Heartbleed bug. Our cloud infrastructure partners were not impacted or have taken steps to update their products to mitigate this vulnerability. We are following the Heartbleed bug development very closely and will update as needed.
Acumatica uses Microsoft web servers (IIS). Microsoft stated on its Azure blog that “Microsoft Azure Websites, Microsoft Azure Pack Websites and Microsoft Azure Web Roles do not use OpenSSL to terminate SSL connections. Windows comes with its own encryption component called Secure Channel (a.k.a. SChannel), which is not susceptible to the Heartbleed vulnerability.”