The price of online security? Eternal vigilance!

On Monday 7 April 2014, a widespread issue in a central component of Internet security was disclosed.

Registered in the Common Vulnerabilities and Exposures system as CVE-2014-0160, the bug, nicknamed ‘Heartbleed’, lay in code that had been in widespread use since the release of OpenSSL version 1.0.1 on March 14, 2012.

The vulnerability could allow attackers to gain access to privileged information on any site running a vulnerable version of that software. The vulnerable versions were OpenSSL 1.0.2-beta and OpenSSL 1.0.1 – OpenSSL 1.0.1f.
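Before relying on an online tester, the first thing an administrator wants to know is which OpenSSL build a server is actually running. The following script is an added example, not code from the original post or from the OpenSSL project: it parses the banner printed by `openssl version` and reports whether the version string falls inside the affected range the post lists (1.0.1 through 1.0.1f, plus the 1.0.2 betas). The sample banners in the test are constructed. One caveat: some Linux distributions backported the fix without changing the version string, so a “vulnerable” result from a version check means “verify the vendor’s patch status”, not “confirmed exploitable”.

```python
import re
import subprocess

# Matches banners such as "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d*)?")


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter, is_beta) parsed from an 'openssl version' banner."""
    match = VERSION_RE.search(banner)
    if not match:
        raise ValueError("no OpenSSL version string found in: %r" % banner)
    major, minor, patch, letter, beta = match.groups()
    return (int(major), int(minor), int(patch), letter, beta is not None)


def is_heartbleed_vulnerable_version(banner):
    """True if the version string is in the range the post lists as affected.

    Assumption: the version string is authoritative.  Distributions that
    backport the fix (keeping e.g. '1.0.1e') will still show as vulnerable
    here, so treat True as 'check with your vendor', not as proof.
    """
    major, minor, patch, letter, is_beta = parse_openssl_version(banner)
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g carries the fix.
        return letter == "" or letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        # Only the 1.0.2 beta releases were affected; the final 1.0.2 shipped fixed.
        return is_beta
    return False


def local_openssl_banner():
    """Run the local openssl binary and return its banner, or None if it is unavailable."""
    try:
        result = subprocess.run(["openssl", "version"], capture_output=True,
                                text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return result.stdout.strip()


if __name__ == "__main__":
    banner = local_openssl_banner()
    if banner is None:
        print("openssl binary not found; cannot check local version")
    else:
        state = "in the affected range" if is_heartbleed_vulnerable_version(banner) else "outside the affected range"
        print("%s -> %s" % (banner, state))
```

Run it on each host (or feed it the banner collected by your configuration-management tool) and follow up every “affected range” result by confirming whether the vendor package carries the fix.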

Conduct an online test of your server/s

On 10 April 2014, The Huffington Post reported that “Cisco Systems and Juniper Networks, two of the biggest creators of Internet equipment, announced that their products had been affected by the Heartbleed bug. Routers, firewalls and switches … have all likely been affected by the bug, leaving your personal information at risk of being stolen by hackers.”

Another Huffington Post article explained: “Every time you log into a website, your login credentials are sent to that website’s server. But in most cases those credentials aren’t simply sent to the server in plain text — they’re encrypted using a protocol called Secure Sockets Layer, or SSL. As with most protocols, different software makers have created different implementations of SSL. One of the most popular is an open-source implementation called OpenSSL, used by an estimated two thirds of currently active websites.”

“Heartbleed is a bug in OpenSSL. Hackers can exploit Heartbleed to get raw text from emails, instant messages, passwords, even business documents — anything a user sends to a vulnerable site’s server.”

The article continued in an ominous tone: “And the scariest part? The Heartbleed security flaw existed for nearly two years before it was discovered” by ‘white-hat’ researchers.

Respected authorities deemed Heartbleed ‘catastrophic’. Forbes cybersecurity columnist Joseph Steinberg described the bug as potentially “the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet”.

A fixed version of OpenSSL was released on April 7, 2014 (at the same time as Heartbleed was publicly disclosed). By that time, around half a million (approximately 17%) of the Internet’s secure web servers certified by trusted authorities were believed to be vulnerable to the attack, allowing for the potential theft of the servers’ private keys and users’ session cookies and passwords.

After Digital Tsunami became aware of the issue, we checked that our private clouds were running non-vulnerable or patched versions of the OpenSSL software. As intercepted security logins could potentially enable hackers access to databases, it is advisable to update passwords on any potentially vulnerable site. Changing a password on a site which may have been vulnerable between 2011 and this month, when servers began using the updated patched version of the OpenSSL software, removes the potential risk.

We strongly recommend regularly changing passwords as a standard precautionary measure. Although this current vulnerability was massive, there is limited information on which particular sites may have been targeted, so all users need to be constantly vigilant in the face of dedicated ‘black hat’ hackers and unknown risks.

Read about the most contagious malware released at the turn of the century.

Even though an outbreak on the scale of The Love Bug or the Melissa virus has not recurred, the potential has not diminished. In many ways it has increased, as malware is far more covert and polymorphic (an encrypted combination of trojan, mutating virus and bot), able to constantly modify itself to avoid detection or eradication.

In this case, the risk was not malware, but a vulnerability present in the very core of webserver security technology. Many respected sites using OpenSSL were potentially vulnerable.

Now that all will have upgraded to the latest version of OpenSSL, it is an extremely sensible security precaution to change passwords on any sites that you use as a corporation or individual, including:

All users should implement the highest level of security, including no less than: individual high-security passwords of at least 8 (preferably 12 or more) characters, containing at least one lower case character, one capital, one numeral and, where accepted, special characters (such as ^+>&*#/%). These should not be formatted to resemble or contain a word and should not be reused across sites. It is exceptionally important that passwords for banking sites not be shared.
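The rules above translate directly into a checker that a site or a password manager can run before accepting a new password. The code below is an added example, not part of the original post: it enforces the stated minimums (8 characters, with 12 preferred; a lower-case letter, a capital and a numeral; special characters recommended where accepted), rejects passwords that contain or merely resemble a dictionary word, and flags reuse. The dictionary is a constructed six-word stand-in for a real word or breached-password list, the leet-speak normalisation (0 for o, 3 for e, and so on) is one simple reading of “resemble a word” and is my assumption, and reuse is checked against SHA-256 fingerprints so that the history of passwords used elsewhere is never stored in plain text.

```python
import hashlib
import re

MIN_LENGTH = 8
PREFERRED_LENGTH = 12
SPECIAL_CHARS = "^+>&*#/%"  # the examples given in the post

# Constructed stand-in for a real dictionary or breached-password list.
DICTIONARY_WORDS = {"password", "welcome", "summer", "letmein", "dragon", "monkey"}

# Assumption: common digit/symbol-for-letter substitutions that make a
# password "resemble" a word without literally containing it.
LEET_TABLE = str.maketrans("0134@$!5", "oleaasis")


def fingerprint(password):
    """Hash used to remember passwords already used on other sites without storing them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def resembles_word(password, dictionary=DICTIONARY_WORDS):
    """Return the dictionary word the password contains after normalising case and leet-speak, else None."""
    normalised = password.lower().translate(LEET_TABLE)
    for word in sorted(dictionary):
        if len(word) >= 4 and word in normalised:
            return word
    return None


def check_password(password, used_fingerprints=frozenset(), dictionary=DICTIONARY_WORDS):
    """Return (ok, issues, advice).

    'issues' are policy failures; 'advice' are recommendations that do not
    block acceptance (the post says special characters apply "where accepted").
    """
    issues, advice = [], []

    if len(password) < MIN_LENGTH:
        issues.append("fewer than %d characters" % MIN_LENGTH)
    elif len(password) < PREFERRED_LENGTH:
        advice.append("fewer than the preferred %d characters" % PREFERRED_LENGTH)

    if not re.search(r"[a-z]", password):
        issues.append("no lower-case character")
    if not re.search(r"[A-Z]", password):
        issues.append("no capital")
    if not re.search(r"[0-9]", password):
        issues.append("no numeral")
    if not any(ch in SPECIAL_CHARS for ch in password):
        advice.append("no special character (use one where the site accepts it)")

    word = resembles_word(password, dictionary)
    if word is not None:
        issues.append("contains or resembles the word %r" % word)

    if fingerprint(password) in used_fingerprints:
        issues.append("already used on another site")

    return (not issues, issues, advice)


if __name__ == "__main__":
    # Constructed sample: fingerprints of passwords the user already uses elsewhere.
    history = {fingerprint("Tr0ub4dor&3")}
    for candidate in ("welcome", "P@ssw0rd1", "Tr0ub4dor&3", "xK7#qmZ2pL9^vB"):
        ok, issues, advice = check_password(candidate, history)
        print("%-16s ok=%-5s issues=%s advice=%s" % (candidate, ok, issues, advice))
```

Keep the real dictionary and fingerprint history outside the code (a word list file and a per-user store) and treat “advice” as a prompt to the user rather than a rejection, since not every site accepts every special character.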

If your bank is not yet using two-factor authentication, comprised of a username and password PLUS a ‘token’ (random code generator device) or a code sent to your cellphone, it is time to consider changing banks!

Company and domestic networks, WiFi hubs, and webservers should all be protected with a firewall, anti-spam and anti-virus software, and regular scans to detect unwanted cookies or malicious threats. Using reputable software, these threats should be quarantined and eliminated.

At least one backup generic email address (Gmail, Hotmail, Yahoo, etc.) should be created, to enable communications in case your domain name becomes infected and email on that domain is blocked or unusable. This email can also be used to retrieve passwords for an email account on your corporate domain.

Digital Tsunami constantly monitors and audits the security of our clients and our private clouds. Only a few days prior to the global awareness of the Heartbleed OpenSSL vulnerability, we had conducted yet another security audit, to ensure that we were taking every possible measure to protect our clients’ assets.

Read about some of the security measures Digital Tsunami applies to web hosting and specifically to WordPress site hosting. (For security reasons, some details are deliberately vague and brands / software products are unspecified.)

Talk to Digital Tsunami about security for your web hosting.

References:

http://heartbleed.com
https://filippo.io/Heartbleed/ online Heartbleed tester
http://techcrunch.com/2014/04/07/massive-security-bug-in-openssl-could-effect-a-huge-chunk-of-the-internet/
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
http://tif.mcafee.com/heartbleedtest
http://blogs.mcafee.com/consumer/what-is-heartbleed
http://en.wikipedia.org/wiki/Heartbleed
http://www.huffingtonpost.com/2014/04/08/heartbleed-66-percent_n_5112793.html
http://www.huffingtonpost.com/2014/04/11/heartbleed-routers_n_5132306.html
http://www.smh.com.au/digital-life/consumer-security/coles-mastercard-myer-visa-card-and-other-ge-money-partners-stung-by-heartbleed
http://en.wikipedia.org/wiki/Multi-factor_authentication

Recommended security vendors:

Symantec.com
McAfee.com
TrendMicro.com
