A Heartbleed Away


Upload: michael-witt

Post on 21-Aug-2015



A HEARTBLEED AWAY

OVERVIEW

A serious threat to internet security, called "Heartbleed" (CVE-2014-0160), was disclosed earlier this week after being found by a Google security engineer and, independently, by the security firm Codenomicon. It can expose passwords, customer information, credit card numbers and other sensitive information. OpenSSL is a widely used open-source SSL/TLS library that protects roughly two-thirds of the internet's web servers and is also used to secure virtual private networks ("VPNs"), the connections intended to keep company information private when viewed by off-site employees. The flawed code was committed in December 2011 and shipped in OpenSSL 1.0.1 in March 2012; versions 1.0.1 through 1.0.1f are vulnerable until they are upgraded to 1.0.1g or later (or rebuilt with the heartbeat extension disabled). The older 0.9.8 and 1.0.0 branches do not contain the bug.

THE RISK

The flaw lets anyone who can open a connection to a vulnerable server (or run a malicious server against a vulnerable client) read up to 64 KB of the program's memory per request, with no authentication and nothing recorded in ordinary server logs. That memory can hold user passwords, session cookies, customer data and, in the worst case, the server's private key, which would let an attacker impersonate the site or decrypt previously captured traffic where the session did not use forward-secret key exchange. The flaw therefore undermines the very protection that users see marked by the small closed padlock and "https:" in their web browser. The data leaks out in small increments, and because the requests leave no trace, website owners have no way of knowing whether any data loss occurred. Ironically, smaller companies are the ones most likely to depend on OpenSSL. Popular hosting services used by small companies have acknowledged that their environments are affected, but depending on the particular user agreement they may not apply the fix on the customer's behalf.

THE SOLUTION

Security experts are still determining how far the vulnerability reaches, but at this point every company should be inventorying its internal IT environment and patching every OpenSSL instance, including network appliances, VPN concentrators and software that bundles its own copy of the library. Because the private key may already have been read, patching alone is not enough: after the fix is installed, generate a new key, obtain a new certificate and revoke the old one, then invalidate active sessions and cookies. Companies should alert their users only after correcting their infrastructure. Consumers have been advised to change their online passwords once each individual site has notified them that it is fixed; changing a password on a still-vulnerable site only exposes the new one.

Experts recommend that intrusion detection and prevention systems ("IDS/IPS") be configured immediately to detect malformed heartbeat requests, those whose declared payload length exceeds what the record actually carries, as a stop-gap for systems whose OpenSSL cannot be fixed right away. However, the fact that this flaw sits in the very component intended to secure information, and leaks it without a trace, arguably makes it worse than not having used encryption at all.
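The bug described under THE RISK and the detection rule under THE SOLUTION, modelled in Python as an added example (this is not OpenSSL's code and is not part of the original alert). It builds a benign heartbeat record and a Heartbleed-style probe whose payload_length field lies, runs both through a handler that behaves like OpenSSL 1.0.1f (no length check) and one that behaves like 1.0.1g (length check added), and applies that same bounds check as the IDS rule. The record layout follows RFC 6520; the simulated "process memory", the SECRET string and all function names are constructed for this example.

```python
"""
Toy model of the Heartbleed bug (CVE-2014-0160) and the IDS check for it.
Added example for this alert; it is not OpenSSL code, and the "process
memory" below is a simplified construction.
"""
import struct

HEARTBEAT_CONTENT_TYPE = 0x18   # TLS record type for the heartbeat extension
HB_REQUEST = 1
PADDING_LEN = 16                # RFC 6520: at least 16 bytes of padding


def build_heartbeat_record(payload, declared_len=-1, version=(3, 2)):
    """Build a TLS heartbeat request record.

    declared_len lets a caller lie in the payload_length field, which is
    exactly what a Heartbleed probe does (the real payload stays small).
    """
    if declared_len < 0:
        declared_len = len(payload)
    msg = struct.pack("!BH", HB_REQUEST, declared_len) + payload + b"\x00" * PADDING_LEN
    return struct.pack("!BBBH", HEARTBEAT_CONTENT_TYPE, version[0], version[1], len(msg)) + msg


def parse_record_header(data):
    """Return (content_type, record_length) from the 5-byte TLS record header."""
    ctype, _vmaj, _vmin, length = struct.unpack("!BBBH", data[:5])
    return ctype, length


def heartbeat_is_malformed(record):
    """IDS/IPS rule: the declared payload must fit inside the record.

    This is the bounds check OpenSSL 1.0.1g added:
        1 + 2 + payload_length + 16 > record_length  ->  drop it
    A benign heartbeat never violates it; a Heartbleed probe always does.
    """
    if len(record) < 5:
        return True
    ctype, rec_len = parse_record_header(record)
    if ctype != HEARTBEAT_CONTENT_TYPE:
        return False
    body = record[5:5 + rec_len]
    if len(body) < 1 + 2 + PADDING_LEN:   # too short to hold even an empty payload
        return True
    _hb_type, payload_len = struct.unpack("!BH", body[:3])
    return 1 + 2 + payload_len + PADDING_LEN > rec_len


def process_heartbeat_vulnerable(memory, offset):
    """Models OpenSSL 1.0.1-1.0.1f: copies payload_length bytes starting at
    the payload, trusting the attacker-supplied length. When that length
    exceeds the record, the copy runs on into whatever sits next in memory."""
    _hb_type, payload_len = struct.unpack("!BH", memory[offset + 5:offset + 8])
    payload_start = offset + 8
    return bytes(memory[payload_start:payload_start + payload_len])


def process_heartbeat_fixed(memory, offset):
    """Models OpenSSL 1.0.1g: same copy, but only after the length check.
    Returns None for a malformed heartbeat (the fixed code silently discards it)."""
    _ctype, rec_len = parse_record_header(memory[offset:offset + 5])
    if rec_len < 1 + 2 + PADDING_LEN:
        return None
    _hb_type, payload_len = struct.unpack("!BH", memory[offset + 5:offset + 8])
    if 1 + 2 + payload_len + PADDING_LEN > rec_len:
        return None
    payload_start = offset + 8
    return bytes(memory[payload_start:payload_start + payload_len])


# Constructed "heap": the incoming record followed by data the server happened
# to have in memory (a fake session cookie and a fake key fragment).
SECRET = b"Cookie: session=3f9a1c; -----BEGIN RSA PRIVATE KEY----- MIIEowFAKEKEY"


def demo():
    """Run a benign heartbeat and a Heartbleed probe through both handlers."""
    benign = build_heartbeat_record(b"hello")
    probe = build_heartbeat_record(b"hello", declared_len=16384)
    results = {}
    for name, rec in (("benign", benign), ("probe", probe)):
        memory = rec + SECRET            # record sits in memory right before the secret
        results[name] = {
            "flagged_by_ids": heartbeat_is_malformed(rec),
            "vulnerable_leaks_secret": SECRET in process_heartbeat_vulnerable(memory, 0),
            "fixed_reply": process_heartbeat_fixed(memory, 0),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

The benign record passes the IDS rule and both handlers echo "hello"; the probe declares 16384 bytes of payload inside a 24-byte message, so the vulnerable handler returns everything after the record, including the constructed SECRET, while the fixed handler returns nothing and the IDS rule flags it. The same inequality serves as both the patch and the detection signature, which is why an IDS rule is a usable stop-gap but not a substitute for upgrading.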


www.uhy-us.com

THE NEXT LEVEL OF SERVICE In July 2000, six leading regional tax and business advisory firms, with tenures dating back to the early 1970s, merged to form a national professional services entity known as UHY Advisors, Inc. They came together in the pursuit of a shared vision: to deliver the service of a local/regional firm and the services of a national firm to the dynamic middle market.

UHY ADVISORS
Michael Witt
UHY Advisors MI, Inc.
27725 Stansbury Blvd, Suite 210
Farmington Hills, MI 48334
Phone: (248) 355-0280
Fax: (248) 355-0157

UHY Advisors, Inc. provides tax and business consulting services through wholly owned subsidiary entities that operate under the name of “UHY Advisors.” UHY Advisors, Inc. and its subsidiary entities are not licensed CPA firms. 

UHY LLP is a licensed independent CPA firm that performs attest services in an alternative practice structure with UHY Advisors, Inc. and its subsidiary entities. UHY Advisors, Inc. and UHY LLP are U.S. members of Urbach Hacker Young International Limited, a UK company, and form part of the international UHY network of legally independent accounting and consulting firms. 

“UHY” is the brand name for the UHY international network. Any services described herein are provided by UHY Advisors and/or UHY LLP (as the case may be) and not by UHY or any other member firm of UHY. Neither UHY nor any member of UHY has any liability for services provided by other members. 

© 2014 UHY Advisors. 

UHYLLP020714