
The Heartbleed Bug and Business Security

Written by Charlie Russell

No, not “Heartburn,” it’s “Heartbleed,” but it’s a security bug that may give you heartburn.

The Heartbleed Bug is a weakness that allows the stealing of information that normally would be protected by the standard encryption used in many services on the Internet. This could affect websites, email, instant messaging, and even some virtual private networks (VPNs). It allows someone on the Internet to read the memory of systems protected by certain versions of OpenSSL, which is widely used by many web servers and other Internet-enabled products. Attackers can exploit this problem to steal login names and passwords to hack into your accounts or those of your clients.

Should we worry? Isn’t this another one of the web vulnerabilities that we hear about that probably doesn’t affect us (or our clients)? Well, no, this isn’t your run-of-the-mill exploitation:

  • According to Codenomicon, an attack can be accomplished without leaving a trace.
  • OpenSSL (where the vulnerability was found) is used widely, including in web servers like Apache and Nginx. Just these two software products alone are used in over 66% of the web servers on the entire Internet (Netcraft’s “April 2014 Web Server Survey”).
  • While it looks like only certain versions of OpenSSL are affected, these versions have been in use for over two years now.

We hear about security vulnerabilities all the time. This one is a big deal because a large number of private keys and other secret information have been exposed for a long time, the exploit is simple, and no trace of exposure is left behind. Even though the bug can be fixed quickly (if service providers respond), your login passwords could have been exposed, and that information can be used even after the bug is fixed.
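The “certain versions” mentioned above are a specific range, and an administrator can check a server’s own OpenSSL banner against it. This is an added example, not code from the original post; the version facts (1.0.1 through 1.0.1f vulnerable, 1.0.1g fixed, 1.0.2-beta1 vulnerable, 0.9.8 and 1.0.0 never affected) are from the OpenSSL advisory, and the sample banners are constructed.

```python
import re
import subprocess
from typing import Optional, Tuple

# Heartbleed affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g (7 April 2014)
# carries the fix. 1.0.2-beta1 was also affected. The 0.9.8 and 1.0.0
# branches never had the heartbeat extension, so they are not affected.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int, str, str]]:
    """Parse the first line of `openssl version` output, e.g. 'OpenSSL 1.0.1e 11 Feb 2013'."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return int(major), int(minor), int(patch), letter, beta or ""


def heartbleed_status(banner: str) -> str:
    """Classify a banner as 'vulnerable', 'fixed', 'not-affected' or 'unknown'.

    Caveat: Linux distributions backported the fix into packages that still
    report 1.0.1e, so 'vulnerable' from the banner alone is an indicator;
    confirm against the package changelog before acting on it.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unknown"
    major, minor, patch, letter, beta = parsed
    if (major, minor, patch) == (1, 0, 1):
        # Plain 1.0.1 and 1.0.1a..1.0.1f are vulnerable; 1.0.1g and later are fixed.
        return "vulnerable" if letter < "g" else "fixed"
    if (major, minor, patch) == (1, 0, 2) and beta == "-beta1":
        return "vulnerable"
    if (major, minor, patch) < (1, 0, 1):
        return "not-affected"
    return "fixed"


def local_openssl_status() -> str:
    """Run `openssl version` on this host and classify the result."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return "unknown"
    return heartbleed_status(out.stdout)


if __name__ == "__main__":
    # Constructed sample banners, not output captured from real hosts.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 1.0.0l 6 Jan 2014"):
        print(f"{sample!r}: {heartbleed_status(sample)}")
    print("this host:", local_openssl_status())
```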

Some people, such as Bruce Schneier, say that this is catastrophic: “On the scale of 1 to 10, this is an 11.” From the other side, though, Dr. Steven Murdoch of the University of Cambridge Computer Laboratory says, “I think there is a low to medium risk that any given password has been compromised” (per BBC News).

So What Do We Do about the Heartbleed Bug?

Password wallet provider LastPass recommends that to be safe, you should change the passwords on your most critical sites. This would be your email, banking, and social networking sites, particularly if you know those sites use Apache or Nginx, or if they test as vulnerable to the Heartbleed Bug.

You can test any site using this Heartbleed test site to see if it’s vulnerable. However, note that if you test a site and it passes now, it could have already fixed the bug, but your information could have already been compromised. We already know that sites like Yahoo.com and GitHub.com were exposed, and researchers have used these sites to demonstrate the problem publicly (with very little work!). I used the test tool to look at some commonly used accounting sites, such as Intuit, Xero, Zoho, and Wave, and all passed the test.

My recommendation: This is a tough call in a way, because service providers are still working out the details (at the time I’m writing this). There are three ways you can think about this. If you’re:

  1. Not worried too much? Well, I still think you should change your passwords soon, when you have the chance. Good time to do it; get around to it when you can.
  2. Worried a bit because things are uncertain? As far as your banks and major web services, wait until they notify you they’ve upgraded their systems, then change the passwords for that system. You can also use the Heartbleed Test site to test your site to see if it’s vulnerable and change passwords if it isn’t. Why bother changing on a site that isn’t updated, as you’ll just have to do it again later? This is what a number of security specialists (but not all) are recommending.
  3. Worried a lot? Change your important passwords now, and again if the service notifies you that it has upgraded. That may be a bit over the top, but some people are saying “don’t wait,” and then do it again later for sites that are updated.

It’s confusing. Why bother at all? Well, my thoughts on this are:

  • Why take a risk? I’m going through my sensitive passwords and making changes. It takes time, as I have a lot of accounts to change. I use RoboForm to manage my passwords, and The Sleeter Group uses LastPass; both are excellent (and similar) products. These help you remember what passwords you have and what you change them to. But I’m going to test the site first – and not log in if the site isn’t updated and secure. My info may not have been stolen earlier, but I’m not going to enter my passwords into any system that isn’t secure so that it CAN be stolen. I’ll only log in to sites that are updated and secure, change those, and wait for the others.
  • Hey, “best practice” is that you change your passwords periodically, so even if you don’t believe this is a real risk, why not do it now anyway? It’s as good a time as any. How long has it been since YOU changed your email or bank passwords?
  • If you’re a trusted advisor to your clients, this is a good time to recommend they consider changing their passwords, and perhaps do an overall security review for them. Most businesses have some vulnerability of some sort, and they need you to help them find and fix these problems. This is the perfect time to bring it up.


About the author

Charlie Russell

Charlie Russell has been involved with the small business software industry since the mid-’70s, and remembers releasing his first commercial accounting software product when you had an 8-bit microcomputer with one 8-inch floppy disk drive. He has a special interest in inventory and manufacturing software for small businesses. Charlie is a Certified Advanced QuickBooks ProAdvisor with additional certifications for QuickBooks Online and QuickBooks Enterprise, as well as being a Xero Certified Partner. Charlie started blogging about QuickBooks in 2008 (Practical QuickBooks) and has been the managing editor and primary writer for the Accountex Report (formerly the Sleeter Report) since 2011. Charlie can be reached at [email protected]

Visit his CCRSoftware web site for information about his QuickBooks add-on products. He is also the author of the California Wildflower Hikes blog.

7 Comments

    • Janet, there are two levels to your situation.

      First, your login to Dashlane itself. It is not clear if Dashlane is susceptible, because there is something odd about how their security certificate is set up. That isn’t a problem – just that it makes it hard to test. You may want to change your master password that you use to log in there, as a precaution.

      Second, the passwords that you have in Dashlane most likely were not stolen through Dashlane – unless someone broke into your account. That is less likely, but not totally out of the question. HOWEVER, Dashlane doesn’t protect your passwords (nor does any password wallet like this) from being compromised. The problem is, you use Dashlane to submit the passwords to a site you log in to – and that site is the one that has the issue (not Dashlane). It is submitted just the same way that it is if you just type it in yourself directly. And that means if that site was compromised, your login could be stolen.

      So I would update your login passwords, that are stored in Dashlane, for any website that you log in that has “https” in the URL, and that is to a sensitive site like a bank or credit card.

    • Thank you, David, but that doesn’t address the Heartbleed bug issue. It isn’t that they are going to break into your password storage, it is an issue of when you use a password in a compromised website. And if you are using a product like the one you reference (or the others that we talk about above), you are using that password in the site and that exposes it to the problem.

  • Charlie,

    Have you tested RoboForm, and if so, did it pass? If it did pass, did you still change your passwords? I use RoboForm so I’m very interested to hear your results.

    Thank you so much for explaining this so we can understand what this is all about.

    Look forward to your reply
    Irene

    • The Roboform user login site itself did not have any trouble. If you are concerned, change your master password. That isn’t difficult to do, and it is a good idea to change your master password periodically anyways.

      The passwords that you store inside of Roboform (or any of the other password wallets) are most likely safe (unless the hosting site had a security breach). However, that doesn’t mean that any individual site that you use through that is therefore safe. When you go to your bank site (as an example) and log in, the act of entering the password there is what exposes your information if that bank website has been compromised. It doesn’t matter if you manually enter the password, or if you use Roboform (etc.) to enter the password – it is being entered into that site and can therefore be exposed. Using a password wallet doesn’t protect you from a website that has itself been compromised.

      So even if Roboform is safe, you still have to evaluate the individual websites that you log into.
