While the scare has since died down a little, some businesses still have work to do to make sure they are safe. So what is it all about, and what needs to be done to mitigate the risks?
You cannot ‘catch’ Heartbleed as such. Despite reports of this threat being a ‘virus’ or a ‘hack’, it was basically a security cock-up at internet level: a bug in OpenSSL, the encryption library used across much of the web, which left lots of private internet data exposed.
Digital Spy described it as follows: “Imagine the internet is a castle and SSL/TLS encryption is a part of the wall and moat around it used to keep out invaders. A mistake by a German software programmer basically left a small door open in the wall for invaders to get in.”
When the vulnerability was first highlighted, very few people knew it existed, so the risk was relatively low. Now that it has been spread across the world’s news outlets, however, more attackers will be looking to capitalise on it.
Upon finding out that they have been affected, companies must first update to a fixed version of OpenSSL, and only then revoke any potentially compromised private keys and reissue their X.509 certificates on newly generated ones. The order matters: a new key installed on a server that is still vulnerable can be exposed just as the old one was.
By now, most IT firms will have released bug fixes for their products, so CIOs should make sure their software, operating systems and devices are patched accordingly. Once all of this has been done, companies need to advise all users – internal and external – to create new passwords; asking for new passwords before the fix is in place merely exposes the new ones as well. Only then can safety be assumed.
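The steps above form an ordered checklist, and the hard part in practice is tracking which hosts have completed which step. The script below is an added example, not code from the article or from the OpenSSL project: it compares installed OpenSSL versions against a fixed version (OpenSSL’s trailing patch letter makes naive string comparison unreliable), checks that the private key actually changed rather than just being re-certified, checks that the certificate was issued after the fix went in, and records whether users have reset passwords. The inventory, hostnames, fingerprints, dates and version strings are constructed sample values; take the real fixed version and date from your vendor’s advisory.

```python
"""Heartbleed remediation checklist (added example, not from the article)."""
import re
from datetime import date

# OpenSSL versions look like "1.0.1f": three numbers plus an optional patch letter.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_openssl_version(text):
    """Turn an OpenSSL version string into a comparable tuple.

    The trailing letter is the patch level, so "1.0.1f" sorts before "1.0.1g";
    a missing letter (plain "1.0.1") is the earliest release of that line.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, fix, letter = m.groups()
    patch = 0  # "" -> 0, "a" -> 1, "b" -> 2, ... "zz" -> 26*26+26
    for ch in letter:
        patch = patch * 26 + (ord(ch) - ord("a") + 1)
    return (int(major), int(minor), int(fix), patch)


def is_patched(installed, fixed):
    """True if the installed OpenSSL is at or beyond the version carrying the fix."""
    return parse_openssl_version(installed) >= parse_openssl_version(fixed)


def outstanding_actions(record, fixed_version, patch_date):
    """Return the remediation steps still outstanding for one host, in the order
    they must be carried out. `record` has the fields used in SAMPLE_INVENTORY."""
    todo = []
    if not is_patched(record["openssl_version"], fixed_version):
        todo.append("update OpenSSL")
    # A key that served traffic while the bug was live may have leaked; it has to be
    # replaced, not merely re-certified. An unchanged fingerprint means the same key.
    if record["key_fingerprint"] == record["old_key_fingerprint"]:
        todo.append("revoke old key and generate a new one")
    # A certificate issued before the fix date predates the new key.
    if record["cert_not_before"] < patch_date:
        todo.append("reissue certificate on the new key")
    # Password resets are the last step: they only help once the leak is closed.
    if not record["users_reset_passwords"]:
        todo.append("ask users to set new passwords")
    return todo


def report(inventory, fixed_version, patch_date):
    """Map each host to its outstanding steps (empty list means fully remediated)."""
    return {r["host"]: outstanding_actions(r, fixed_version, patch_date)
            for r in inventory}


# Constructed sample inventory: hostnames, fingerprints, versions and dates are
# made up for illustration and do not describe real systems.
SAMPLE_INVENTORY = [
    {"host": "web-1.example.test", "openssl_version": "1.0.1f",
     "old_key_fingerprint": "AA:11:22", "key_fingerprint": "AA:11:22",
     "cert_not_before": date(2013, 9, 1), "users_reset_passwords": False},
    {"host": "web-2.example.test", "openssl_version": "1.0.1g",
     "old_key_fingerprint": "BB:22:33", "key_fingerprint": "CC:33:44",
     "cert_not_before": date(2014, 4, 9), "users_reset_passwords": True},
]

# Sample values for the fixed version and deployment date; substitute the ones
# named in your vendor's advisory and your own change record.
SAMPLE_FIXED_VERSION = "1.0.1g"
SAMPLE_PATCH_DATE = date(2014, 4, 8)

if __name__ == "__main__":
    for host, steps in report(SAMPLE_INVENTORY, SAMPLE_FIXED_VERSION,
                              SAMPLE_PATCH_DATE).items():
        print(host, "->", "; ".join(steps) if steps else "done")
```

Feeding the script a real inventory is a matter of filling the same fields from your asset database; the fingerprint comparison is the check most often skipped, because a certificate reissued on the old key looks freshly remediated while the key it protects may already have been read out.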