Business owners need to be aware of a computer bug that targets computer servers running the most widely used Internet encryption security system, according to Better Business Bureau serving the Snake River Region.
Security engineers discovered that the “Heartbleed” bug exploits a flaw in OpenSSL, which allowed them to view passwords and user names when they tested the virus. Secure Sockets Layer (SSL) is an open-source software program that encrypts data over the Internet. It is used to secure business transactions, email, instant messaging services, social media sites and any other sort of web-based system that must secure the data that is transmitted to and from its servers.
Heartbleed compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the real content. This allows attackers to eavesdrop on communications, steal data directly from the services and users, and impersonate services and users.
“Once the specialists understood how it worked, they avoided publicizing the discovery until OpenSSL’s developers could create an update that eliminates the security loophole,” says BBB CEO Dale Dixon. “We’re reading that the Heartbleed has also been seen in places like Gmail and Facebook, exposing your personal and financial information.”
Yahoo was among the first-named websites where Heartbleed was detected. Yahoo and other major companies that rely on OpenSSL moved quickly to fix the vulnerability. SSL is used on web servers, but not on PCs or mobile devices.
The bug is believed to have originated two years ago, but researchers say it covered its tracks to leave no trace of its presence. There is no word on how many servers were infected.
BBB recommends that businesses consult a qualified information technology (IT) professional to see whether their servers are infected with the bug and, if so, remove it and apply the updated, secure version of OpenSSL.
Consumers and businesses should change their passwords, and regularly scan their computers with an updated computer security application. In addition, install operating system updates and software patches, which often address emerging security flaws.
Where to find more information?
This Q&A was published as a follow-up to the OpenSSL advisory, since this vulnerability became public on the 7th of April 2014. The OpenSSL project has made a statement at https://www.openssl.org/news/secadv_20140407.txt or https://www.cert.fi/en/reports/2014/vulnerability788210.html.