ANP proactively notified our clients twice last week to inform them about a new IT vulnerability that was announced on Monday April 7, 2014 called the “Heartbleed,” vulnerabilty. For the most part, if you are reading this blog you are likely not a client of ANP’s so I want to take a moment to explain to you (hopefully in a non-technical way) what this vulnerability is all about and offer you some help if you think you might need it!
This vulnerability is coming out of a non-profit software development kit that many IT companies have used to create their secure web interface for their products. The software is from two programmers who created the OpenSSL Project®; they distribute a Secure Socket Layer (SSL) toolkit used in thousands of IT products and hundreds of thousands of web sites and servers. SSL is the code that allows a web site to encrypt data between the users browser and the web site, you can see SSL in action when your browser URL displays “HTTPS” the “S” stands for secure which means your browser is running SSL data encryption.
Many web developers and commercial companies have used this open-source toolkit to develop their own SSL products, because it is faster and less cumbersome than writing their own SSL code. As a result, there are many products (that you might own) that now have this vulnerably built into them.
Larger companies like Microsoft and Cisco write their own SSL code and so you don’t see them included in these type of open-source vulnerabilities, although because Cisco does acquire so many companies a year to get access to new products, they have published a small list of products that do have the Heartbleed vulnerability and are releasing the correction as they go through their products.
The "Heartbleed" vulnerability is a flaw in the OpenSSL software that may impact the security of passwords, credit card information and other personal data that is stored on your servers or passed through systems on the Internet. The vulnerability may allow a hacker to view or intercept personal information such as a password that is transmitted from a user’s computer to a server on the Internet during the process of logging in to an account.
Here at ANP, once the Heartbleed vulnerability was announced, we immediately began to analyze our client’s equipment to determine if the Heartbleed SSL vulnerability was an issue and if it was, we notified our client and began looking for a published software remediation to implement. We also analyzed our own systems and software tools, interestingly, we did have an old web site that had the vulnerability and remediated the software.
I promised that I would help you and your company, hopefully this blog has helped you better understand the Heartbleed vulnerability. ANP would be happy to do a free quick assessment of your IT environment to look for the Heartbleed vulnerability in your servers, software and IT equipment. We will look at your IT systems and let you know if you have anything at risk. Call our office and ask for the Heartbleed assessment at (800) 572-3282. You can also do a quick check yourself to see if any applications in your company need a password change: Follow this link
