Well, readers, this is the kind of news we wish we didn’t have to report. On the heels of the weeks and months reporting the details of the too-large Target and Neiman-Marcus data hacks, comes news of what may be the internet’s biggest security glitch… ever.
We refer to the “Heartbleed” bug, which affects servers — which is to say, about two-thirds of the internet as a whole. As a succinct overview in FastCompany describes it, “It’s a bug in OpenSSL encryption, a software library that Google, Facebook, Yahoo, Amazon, and a very big chunk of world’s biggest websites use to secure the transmission of private information. The average user is probably unfamiliar with OpenSSL, but it is represented in your URL bar by the little lock symbol, next to HTTPS.”
So what does the discovery of a “hidden entrance,” or backdoor, into this security protocol mean? Well, potentially it could give “hackers and cybercriminals a skeleton key to a hidden world of private data. They can waltz in, reach into a grab bag of secure information (emails, IMs, passwords, etc.), and walk away without a trace.”
The flaw appears to apply to only the last two years of OpenSSL software iterations, but that could be enough. It was discovered by researchers from Codenomicon, a computer security company, and Google.
It should be noted that the version of OpenSSL released this past week has corrected the flaw, but the key question is how fast servers all over the internet can updated or patched. The other, perhaps even “keyer” question, is whether any bad guys discovered this same flaw over the past 24 months, and put it to deleterious use.
Since there haven’t been massive reports of drained accounts or spurious charges, it’s possible this wasn’t a widely-known security lapse. Or it’s possible lots of information has been surreptitiously drained already, and is floating around on black markets for later use.
It’s a situation that will require further, and ongoing, attention on everyone’s part for a good long while. What can you do now? There are a couple of schools of thoughts, from “change all your passwords now” to “wait until the servers are secure before changing your passwords.”
On the other hand, you can always change them more than once, if need be. And as more servers become secure, changing them will make even more sense.
We invite you to watch this space, and your weekly AVPS newsletter for updates. And of course, stay in touch with your AVPS rep, and make sure all your own security precautions for your own company’s commerce site are as absolutely up-to-date as possible.
Be vigilant, and we of course will do likewise, on your behalf.