Back in 2012, a new version of the popular Internet encryption software OpenSSL, which protects nearly 66 percent of websites, rolled out with a security hole in its implementation of the TLS heartbeat extension. The flaw, disclosed in April 2014 and tracked as CVE-2014-0160, is known as "Heartbleed." It left Internet users' passwords, usernames, financial data, email exchanges, and more vulnerable to theft, according to a Google researcher and the independent Finnish security firm Codenomicon, who discovered the bug independently of each other; Codenomicon gave it its name.
The lapse means that even if a site shows a lock icon or a URL beginning with "https://" in the browser, ostensibly signs that traffic is secure, it may not be safe. The security experts who disclosed Heartbleed write:
"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."
To check whether your site is vulnerable, find out which OpenSSL version your servers run: releases 1.0.1 through 1.0.1f, and 1.0.2-beta1, are affected; 1.0.1g and later are fixed, and the older 1.0.0 and 0.9.8 branches never had the bug. Bear in mind that some Linux distributions shipped the fix as a patched package without changing the upstream version number, so the vendor's security advisory is the authoritative answer.
Giovanni Vigna, cofounder of security startup Lastline, says all businesses need to upgrade to the fixed version of OpenSSL and then alert all users to change their passwords. Upgrading alone is not enough, though: because the bug can expose the server's private key (the "secret key" the experts refer to), a new key pair should be generated, a new certificate issued for it, and the old certificate revoked, since an attacker who already holds the old key can keep impersonating the site or decrypting traffic that does not use forward secrecy.
Heartbleed is a particularly scary bug because of the potential breadth of its impact, Vigna says. "It's difficult to understand how wide this attack was before it was made public, but someone could be banging a business right now and stealing every single bit of memory from their servers," Vigna says. "I doubt businesses will ever know, which leaves a big question mark hanging over you."
Many reports have suggested that small businesses are at the greatest risk, but Vigna disagrees. He says while small businesses are usually targets because they typically don't have great security, Heartbleed levels the playing field by making every company using OpenSSL susceptible. He believes criminals are going to go for big scores.
"There's going to be a very limited window to exploit this vulnerability, so the attackers are going to focus on sites and companies that manage the most sensitive information and are slow at upgrading their infrastructure," Vigna says.
The good news, says Jordan Edelson, a software developer and the CEO of New York-based app developer Appetizer Mobile, is that the bug is easy to fix. There's an OpenSSL patch available online and anyone can implement it without much technical know-how.
Below, check out the three things your company needs to do if your site is using OpenSSL and is vulnerable to Heartbleed:
1. Update OpenSSL to a fixed version (1.0.1g or later, or your distribution's patched package) and restart every service that links against it: web, mail, VPN and database servers keep the old library loaded in memory until they are restarted. Then generate a new private key, obtain a new certificate and revoke the old one, because the old key may already have leaked. Together these steps close the hole.
2. Alert all of your users and employees that your site is now secure and advise them to change their passwords, but only once the fix is in place, since a password entered on a still-vulnerable server can leak all over again. Edelson says you should tell your users to do a series of password-change cycles: change it now, in one week, and in one month from now.
3. A cyberattack can cripple your business, cost thousands of dollars, and do irreparable damage to your brand's image, so if you have not been investing heavily in your company's cybersecurity, it's time to start. "As the Web evolves, more vulnerabilities will emerge and companies need to be aware and stay updated," Edelson says. "You do not want your servers to be compromised. Cyberattacks can cripple a business. Pump as much money into IT as you can. It's not a department to overlook."
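As a companion to step 1 and to the vulnerability check above, here is a small shell script that classifies an OpenSSL version banner against the Heartbleed affected range and lists processes that still have a replaced copy of libssl mapped after an upgrade. It is an added example, not code from the article or from the people quoted in it; the function names, the constructed sample banners and the lsof-based staleness check are this example's own assumptions.

```shell
#!/bin/sh
# Added example: classify an "openssl version" banner against the Heartbleed
# (CVE-2014-0160) affected range. Not from the article; function names and
# sample banners are this example's own.
#
# Affected: OpenSSL 1.0.1 through 1.0.1f, and 1.0.2-beta1.
# Fixed:    1.0.1g and later. The 1.0.0 and 0.9.8 branches never had the bug.
# Caveat:   distributions backported the fix without bumping the upstream
#           letter (Debian, for instance, stayed at "1.0.1e" and changed only
#           the package revision), so "affected" here means "check the vendor
#           advisory", not "confirmed vulnerable".

# heartbleed_affected BANNER_OR_VERSION
# Returns 0 (shell true) if the version is in the affected range, 1 otherwise.
heartbleed_affected() {
    ver="$1"
    # Accept the full banner ("OpenSSL 1.0.1f 6 Jan 2014") or the bare number.
    case "$ver" in
        "OpenSSL "*) ver=$(printf '%s\n' "$ver" | awk '{print $2}') ;;
    esac
    # 1.0.2-beta1 is the only affected release with a dash in its number;
    # test it before the dash-stripping below would turn it into "1.0.2".
    case "$ver" in
        1.0.2-beta1) return 0 ;;
    esac
    # Drop a build suffix such as "-fips" so "1.0.1e-fips" compares as "1.0.1e".
    base=${ver%%-*}
    case "$base" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# heartbleed_status BANNER_OR_VERSION -> prints "affected" or "not-affected"
heartbleed_status() {
    if heartbleed_affected "$1"; then echo affected; else echo not-affected; fi
}

# After the upgrade, long-running daemons keep the old libssl mapped until they
# are restarted. On Linux, lsof flags such mappings as "DEL" or "(deleted)";
# any process printed here still needs a restart. Prints "command pid" pairs.
stale_libssl_processes() {
    command -v lsof >/dev/null 2>&1 || { echo "lsof not available" >&2; return 2; }
    lsof -n 2>/dev/null | awk '/libssl/ && (/DEL/ || /deleted/) {print $1, $2}' | sort -u
}

# Constructed sample banners in the format "openssl version" prints; they are
# not captured from any real host.
for banner in "OpenSSL 1.0.1e-fips 11 Feb 2013" \
              "OpenSSL 1.0.1f 6 Jan 2014" \
              "OpenSSL 1.0.1g 7 Apr 2014" \
              "OpenSSL 1.0.2-beta1 24 Feb 2014" \
              "OpenSSL 1.0.0l 6 Jan 2014" \
              "OpenSSL 3.0.2 15 Mar 2022"; do
    printf '%-36s %s\n' "$banner" "$(heartbleed_status "$banner")"
done

# The same check against the local installation, if an openssl binary exists.
if command -v openssl >/dev/null 2>&1; then
    local_banner=$(openssl version)
    printf 'local: %-29s %s\n' "$local_banner" "$(heartbleed_status "$local_banner")"
fi
```

Run `stale_libssl_processes` as root on each host after installing the fixed package; an empty list means every service has picked up the new library. A clean version check and an empty list still do not undo an earlier leak, which is why the key and certificate rotation in step 1 remains necessary.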