
Evaluating the Impact of the Heartbleed Bug

Written by Charlie Russell

In my recent article “The Heartbleed Bug and Business Security,” I talked about how some websites would be vulnerable to this security flaw and others would not. I was curious as to which of the sites I work with as a ProAdvisor were affected. This is a key issue: if a site might have been vulnerable I needed to change my password there, but not until after the site had fixed the problem, because a new password typed into a still-vulnerable server can be read just as easily as the old one. Here are the responses that I received from several vendors.

Heartbleed and Intuit

Intuit has a security notice about how it was affected by Heartbleed:

Intuit’s products and services have been updated when necessary to protect against the Heartbleed vulnerability.

We continuously monitor and review our systems for vulnerabilities and we have no indication that customer data has been affected. At this time, we’re not recommending any password changes as a result of our investigation.

A few of the many third-party developers who have created evaluation tools erroneously report that some Intuit websites are vulnerable to Heartbleed. Our engineers have validated the security of all Intuit products and services and have concluded that no Heartbleed vulnerability remains. We are working with those developers to correct this information.

Read carefully, this says that at least some Intuit systems did run a vulnerable version of OpenSSL (the flaw is in OpenSSL 1.0.1 through 1.0.1f and was fixed in 1.0.1g) and have since been updated. Intuit isn’t alone, since a large share of websites ran those versions, and Intuit has other layers of protection in place. Keep in mind, though, that those other layers don’t change what Heartbleed exposes: the memory of the server that handled your SSL connection, which can include passwords sent to it while it was vulnerable. In the past, I’ve always felt that Intuit was one of the more secure companies in this regard. However, I don’t agree with its recommendation to not change your password; “no indication that customer data has been affected” is thin assurance for a bug that leaves no trace in the logs.

Heartbleed and Xero

Xero has a security notice about Heartbleed as well:

Any time there is a potential threat to Xero, we conduct a Security Incident process which includes investigating the potential impact to Xero and our customers.

  • The immediate step we took was to evaluate which Xero systems use OpenSSL, and whether they used the affected version. The majority of our environment does not use OpenSSL as we run predominantly Microsoft technologies. The sweep of our environment showed no servers or sites running the affected versions.
  • The second step was to evaluate which external systems we, or direct customers, use that may be vulnerable. The only vulnerable site identified was our Australian Partner ‘Toolkit,’ which stores no customer data and does not allow users to log in. Our third-party hoster for that environment is August, and they admirably patched the issue within 30 minutes, for which we thank them. The Xero Toolkit site is no longer vulnerable.

As stated above, we have no reason to believe that any of Xero’s environment is affected by this OpenSSL issue.

By using Microsoft technologies for its primary websites, Xero dodged this bullet: Microsoft’s web stack (IIS) handles SSL with Windows’ own SChannel library rather than OpenSSL, so Heartbleed doesn’t apply to it. The one exposed piece, the Australian partner Toolkit, held no customer data and has been patched. I wouldn’t worry about changing passwords here, beyond saying that you should periodically change passwords anyway, as a security best practice.

Heartbleed and Intacct

Intacct sent an email to its customers:

Although we have no evidence of any breach to your data, the HTTPS protocol used to encrypt Internet traffic was temporarily weakened. While the vulnerability was active, it was possible for unauthorized users with specific knowledge of the vulnerability to read web traffic, which may have included sensitive information such as passwords.

The Intacct team has taken immediate action to fix the issue the same day it was discovered. In addition to the steps we’ve taken, Intacct strongly recommends that users immediately change their passwords used to login to Intacct, as well as any other web sites (such as those used for email, file storage, and banking).

Intacct was vulnerable and reacted quickly. Change your password if you haven’t already. If you changed it before Intacct sent this message (that is, possibly while the site was still vulnerable), change it again. I have a quibble with the wording: Intacct most likely didn’t fix the issue the same day it was discovered, but the same day it was publicly announced (April 7, 2014). The bug was found earlier than the general announcement, and it had been in OpenSSL since version 1.0.1 shipped in March 2012, so in principle an attacker could have used it long before the announcement (although that appears to be unlikely).

Heartbleed and Wave

Wave posted this note:

We have confirmed that the Wave tools have not been directly impacted — in other words, the version of OpenSSL Wave uses did not include the Heartbleed vulnerability.

So they dodged this bullet and there should be no problem. Heartbleed exists only in specific versions of OpenSSL: 1.0.1 through 1.0.1f (and the 1.0.2 beta). The older 0.9.8 and 1.0.0 branches never had the heartbeat code, and 1.0.1g fixed it.

Heartbleed and Monchilla

Jack Couch from Monchilla said:

Because Monchilla.com does not use OpenSSL our service was not affected by the [Heartbleed] security vulnerability.

When an issue like this is so highly publicized it makes it easy to believe that online services might be more prone to security vulnerabilities than desktop software. In actuality, all software has flaws, and periodically some of those flaws have security implications. As long as the security flaws are fixed before they are known by the bad guys, the impact is minimal.

Your laptop probably has a much greater variety of software installed than a server for an online service. This means more opportunities for security flaws. Additionally, much of the software, such as the drivers for specific hardware devices, is used by a smaller number of people and tends to be lower quality. And if that wasn’t bad enough, consider how often you ignore software updates for a couple of days that might contain security fixes.

This was a particularly bad security bug and it is a good reminder not to reuse your passwords (especially with sites that don’t take security seriously), but in the context of the risks of using any software, using an online service to store your sensitive data remains the safest option.

Monchilla doesn’t use OpenSSL and therefore isn’t vulnerable. I agree that desktop products are very vulnerable too, and that you need to avoid reusing passwords.

Heartbleed and Cloud9 Real Time

In their status page, QuickBooks Hosting company Cloud9 Real Time said:

We have confirmed with our SSL issuer that our SSL certification and servers are not at risk. Only web servers and companies utilizing OpenSSL and/or running a Linux OS are at risk, and Cloud9 was not built upon and has never used OpenSSL for any of its SSL Security and has never utilized a Linux OS.

Another service that wasn’t using OpenSSL, so no problem there. One quibble with the wording, though: the operating system is beside the point. Heartbleed is a bug in OpenSSL, which runs on Windows as well as Linux, and a Windows-only shop can still pick it up through a third-party component or appliance. What matters is the SSL library, and Cloud9 says it never used OpenSSL.

Heartbleed and SmartVault

SmartVault has a notice that says that SmartVault is NOT vulnerable. That wasn’t enough of an explanation for me, so I asked the company’s Chief Technical Officer Michael Webb about this. Michael said:

“We are not running a vulnerable version of OpenSSL – so this vulnerability was not a problem for us.”

SmartVault is probably one of the most secure web services that I use, and they are experts in the field of online security.

Heartbleed and LinkedIn

I use LinkedIn as my main business “social media” account. You should be concerned about social media accounts almost as much as you are concerned about banking and accounting sites, as your public image can be damaged severely if someone hacks these accounts. Here’s a notice posted on LinkedIn:

(LinkedIn’s notice appeared as a screenshot in the original post.)

So this one should be safe.

Heartbleed and Carbonite

I use Carbonite for backing up my home systems. I have a lot of pictures (my grandchildren, wildflowers from hikes I take, etc.) that aren’t likely to be at risk, but there can be personal information there that a hacker could use. I also use Carbonite as one layer of backup for some of my business files. It is not my only backup for these files, it’s just one extra layer. All of my business files that go here are encrypted separately, so it should be secure.

However, many businesses use Carbonite for their primary backup and do not encrypt the information separately. So, here’s a statement from an email I received from Carbonite:

Carbonite Personal and Pro subscriptions do not use the affected encryption software. Your personal data was never at risk.

If any of your other online vendors have been impacted by Heartbleed and you use the same password as you do for Carbonite, we recommend changing both passwords.

Good to know.

What Does It Mean?

If you’re evaluating a web service that you use, consider the following:

  • If a company says it was vulnerable and is still working to fix the issue, be afraid: it may still be vulnerable. Stay out of the website, because logging in sends your password to a server whose memory can be read. Wait until the company says it’s safe (ideally after it has also replaced its SSL certificate, since the server’s private key could have leaked the same way), then go in and change your password. Keep in mind that even if a company says there was no indication of a threat, one of the nasty aspects of this hole is that a Heartbleed request looks like ordinary SSL traffic and leaves nothing in normal server logs, so nobody can tell whether information was stolen. By this time, though, I don’t think there are many major websites in this state.
  • If a company says it used a vulnerable version of OpenSSL but has fixed the problem, change your password right away. Use a unique password for each site, don’t share passwords across sites, and don’t reuse old passwords.
  • If a company didn’t use the vulnerable version of OpenSSL, then Heartbleed itself isn’t a worry there. Since the bug had been in OpenSSL for about two years, though, it’s worth asking whether the company ever ran an affected version during that time, and whether anything in front of its web servers (a load balancer, reverse proxy or VPN gateway) did. Odds are it didn’t, but . . .
  • If a company uses Microsoft web technologies instead of OpenSSL, then it’s generally in the clear: IIS relies on Windows’ SChannel rather than OpenSSL, and SChannel never had this bug. The only concern is whether the company used OpenSSL in some portion of its website or in the equipment around it.

Side note: Using a “password vault” program (e.g., RoboForm, LastPass, and several others) is an excellent way to keep track of your unique passwords, but it does not protect a password from this bug once you use it on a website! The issue isn’t the safety of the vault; it’s that the password you submit ends up in the web server’s memory, and that memory is exactly what Heartbleed lets an attacker read. A vault still pays off here, because when one site is compromised you have only one password to change.
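To make that concrete, here is an added example, not code from the original post or from OpenSSL itself: a stripped-down model in C of the TLS heartbeat handler with the missing bounds check, beside the fixed handler carrying the check OpenSSL 1.0.1g added. The record layout follows RFC 6520 (type byte, two-byte length, payload, padding). The memory arena, the sample login string, and all function and constant names are constructed for this demo, and the attacker’s claimed length is kept inside the arena so the program itself never reads out of bounds (real OpenSSL returned up to 64 KB past the record).

```c
/* Added example: a stripped-down model of the Heartbleed bug, not OpenSSL's
   own code. Layout follows RFC 6520: type, 2-byte length, payload, padding. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16                    /* RFC 6520: at least 16 padding bytes */
#define ARENA_SIZE  4096                  /* simulated server process memory    */
#define RESP_MAX    (3 + 65535 + HB_PADDING)

typedef struct {
    int           ok;                     /* 1 = reply built, 0 = record dropped */
    size_t        resp_len;
    unsigned char resp[RESP_MAX];
} hb_result;

/* Write a heartbeat request whose *claimed* length need not match the real
   payload; returns the number of bytes actually put on the wire. */
size_t build_heartbeat(unsigned char *out, uint16_t claimed_len,
                       const unsigned char *payload, size_t real_len)
{
    out[0] = HB_REQUEST;
    out[1] = (unsigned char)(claimed_len >> 8);
    out[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(out + 3, payload, real_len);
    memset(out + 3 + real_len, 0, HB_PADDING);
    return 3 + real_len + HB_PADDING;
}

/* Reply construction shared by both handlers: echo `payload` bytes from the
   payload pointer, whatever happens to sit there. Padding stays zero. */
static hb_result echo_payload(const unsigned char *rec, uint16_t payload)
{
    hb_result r = {0};
    r.ok = 1;
    r.resp_len = 3 + (size_t)payload + HB_PADDING;
    r.resp[0] = HB_RESPONSE; r.resp[1] = rec[1]; r.resp[2] = rec[2];
    memcpy(r.resp + 3, rec + 3, payload);
    return r;
}

/* Vulnerable handler (OpenSSL 1.0.1 through 1.0.1f behaviour): the copy
   length comes from the peer and is never compared with what arrived. */
hb_result heartbeat_vulnerable(const unsigned char *rec, size_t rec_len)
{
    hb_result none = {0};
    if (rec_len < 3 || rec[0] != HB_REQUEST) return none;
    return echo_payload(rec, (uint16_t)((rec[1] << 8) | rec[2]));
}

/* Fixed handler: the bounds check OpenSSL 1.0.1g added. A record whose
   claimed length does not fit in the bytes received is silently discarded. */
hb_result heartbeat_fixed(const unsigned char *rec, size_t rec_len)
{
    hb_result none = {0};
    if (rec_len < 3 || rec[0] != HB_REQUEST) return none;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return none;
    return echo_payload(rec, payload);
}

/* Constructed scenario: a user's login POST still sits in process memory a
   few hundred bytes past where the heartbeat record landed. The claimed
   length stays inside the arena so the demo itself never reads out of bounds. */
static unsigned char arena[ARENA_SIZE];
static const char *LOGIN_POST = "user=charlie&password=Sample-Hunter2";

static size_t stage_request(uint16_t claimed_len)
{
    memset(arena, 'A', sizeof arena);
    size_t on_wire = build_heartbeat(arena, claimed_len, (const unsigned char *)"hi!", 3);
    memcpy(arena + 200, LOGIN_POST, strlen(LOGIN_POST));
    return on_wire;
}

/* Does the reply carry `needle` anywhere in its bytes? */
int reply_contains(const hb_result *r, const char *needle)
{
    size_t n = strlen(needle);
    if (!r->ok) return 0;
    for (size_t i = 0; i + n <= r->resp_len; i++)
        if (memcmp(r->resp + i, needle, n) == 0) return 1;
    return 0;
}

/* Send one request (3 real payload bytes, `claimed_len` claimed) through the
   chosen handler; 1 if `needle` shows up in the reply, 0 otherwise. */
int leaks(int use_fixed, uint16_t claimed_len, const char *needle)
{
    size_t on_wire = stage_request(claimed_len);
    hb_result r = use_fixed ? heartbeat_fixed(arena, on_wire)
                            : heartbeat_vulnerable(arena, on_wire);
    return reply_contains(&r, needle);
}

int main(void)
{
    printf("vulnerable handler leaks password: %s\n", leaks(0, 1024, "password=") ? "yes" : "no");
    printf("fixed handler leaks password:      %s\n", leaks(1, 1024, "password=") ? "yes" : "no");
    return 0;
}
```

The vulnerable handler copies whatever lies after the three real payload bytes, so the freshly submitted password comes back inside a perfectly well-formed heartbeat reply; nothing about the request reaches an application log, and no password manager on the client can change what is sitting in the server’s memory. The fixed handler drops the oversized claim without answering, which is also why a patched server can’t be told apart from one that never spoke heartbeat at all.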

Is this all a big FUD issue – sowing fear, uncertainty, and doubt? Well, we can’t really tell, but do you want to take that risk? The fix for you, and your clients, isn’t that hard.



About the author

Charlie Russell

Charlie Russell has been involved with the small business software industry since the mid-1970s, and remembers releasing his first commercial accounting software product when you had an 8-bit microcomputer with one 8-inch floppy disk drive. He has a special interest in inventory and manufacturing software for small businesses. Charlie is a Certified Advanced QuickBooks ProAdvisor with additional certifications for QuickBooks Online and QuickBooks Enterprise, as well as being a Xero Certified Partner. Charlie started blogging about QuickBooks in 2008 (Practical QuickBooks) and has been writing for the Accountex Report (formerly the Sleeter Report) since 2011.

Visit his CCRSoftware web site for information about his QuickBooks add-on products. He is also the author of the California Wildflower Hikes blog.

1 Comment

  • Intuit has only managed to confuse and worry folks with their statements, though I think their intentions may have been to put folks at ease. I saw one statement they made that said they found they were not vulnerable but they were updating their SSL certificates and their websites anyway in order to put folks at ease. I think that was on the TurboTax website. When it comes to security, large companies seem to follow the government’s lead too often and make placating statements of a general nature, rather than giving the actual details about what was possibly vulnerable and what was fixed, so that we can make informed decisions and help our clients know what needs to be done. Like you, I was left unsettled by their statements and changed all my Intuit passwords and warned my clients to do the same.
