Heartbleed is a flaw at the core of OpenSSL, the technology that secures roughly two thirds of the web servers on the internet. This fatal vulnerability went completely unnoticed until it became known to the public on April 3rd. It allows an attacker to steal confidential information from affected websites, including usernames, passwords and encryption keys, and to impersonate other users.
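To show what "a flaw at the core of OpenSSL" actually means, here is an added example that is not code from the original post or from OpenSSL itself: a simplified C model of the TLS heartbeat handler. A heartbeat message carries a claimed payload length; the bug was that the handler echoed back that many bytes without checking that the record it received really contained them, so whatever the process held next in memory (in the real case: session data, passwords, private keys) was copied into the reply. The record layout, the names (`conn_t`, `heartbeat_vulnerable`, `heartbeat_fixed`) and the placeholder secret are this example's own constructions; the bounds check in `heartbeat_fixed` mirrors the one the OpenSSL fix added.

```c
/* Added example (not from the original post or OpenSSL): a toy model of the
 * heartbeat handler, vulnerable and fixed, to show the missing bounds check. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16      /* padding bytes every heartbeat message carries */
#define MEM_SIZE    256     /* size of the model's simulated memory */

/* Simulated process memory: the received heartbeat record sits at the start,
 * and whatever the process happened to hold next (here a constructed
 * placeholder credential) follows it immediately. */
typedef struct {
    uint8_t mem[MEM_SIZE];
    size_t  record_len;     /* bytes actually received for this record */
} conn_t;

/* Build a record that CLAIMS claimed_len payload bytes but really carries
 * actual_len bytes, then place the constructed secret right after it. */
static void setup_conn(conn_t *c, uint16_t claimed_len, size_t actual_len) {
    static const char secret[] = "SECRET:hunter2";   /* constructed sample data */
    memset(c->mem, 0, MEM_SIZE);
    c->mem[0] = HB_REQUEST;
    c->mem[1] = (uint8_t)(claimed_len >> 8);
    c->mem[2] = (uint8_t)(claimed_len & 0xff);
    memset(c->mem + 3, 'A', actual_len);
    c->record_len = 1 + 2 + actual_len + HB_PADDING;
    memcpy(c->mem + c->record_len, secret, sizeof secret - 1);
}

static uint16_t claimed_payload(const conn_t *c) {
    return (uint16_t)((c->mem[1] << 8) | c->mem[2]);
}

/* Vulnerable handler: echoes back as many bytes as the peer CLAIMED, never
 * checking that the record actually contained them. Returns the response
 * length. The single guard below is the model's own, so the simulation stays
 * inside its array; it is not the check the real code lacked. */
static int heartbeat_vulnerable(const conn_t *c, uint8_t out[MEM_SIZE]) {
    uint16_t payload = claimed_payload(c);
    if ((size_t)1 + 2 + payload + HB_PADDING > MEM_SIZE) return -1;
    out[0] = HB_RESPONSE;
    out[1] = c->mem[1];
    out[2] = c->mem[2];
    memcpy(out + 3, c->mem + 3, payload);   /* runs past the real payload */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 1 + 2 + payload + HB_PADDING;
}

/* Fixed handler: the claimed length must fit inside the bytes actually
 * received; otherwise the message is silently dropped (returns -1). */
static int heartbeat_fixed(const conn_t *c, uint8_t out[MEM_SIZE]) {
    if (c->record_len < 1 + 2 + HB_PADDING) return -1;   /* too short to be valid */
    uint16_t payload = claimed_payload(c);
    if ((size_t)1 + 2 + payload + HB_PADDING > c->record_len) return -1;  /* the missing check */
    out[0] = HB_RESPONSE;
    out[1] = c->mem[1];
    out[2] = c->mem[2];
    memcpy(out + 3, c->mem + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 1 + 2 + payload + HB_PADDING;
}

/* Returns 1 if an n-byte response contains the secret that followed the record. */
static int response_leaks_secret(const uint8_t *out, int n) {
    const char marker[] = "SECRET:";
    int m = (int)(sizeof marker - 1);
    for (int i = 0; i + m <= n; i++)
        if (memcmp(out + i, marker, (size_t)m) == 0) return 1;
    return 0;
}

int main(void) {
    conn_t c;
    uint8_t out[MEM_SIZE];
    setup_conn(&c, 64, 4);   /* claims 64 payload bytes, really sends 4 */
    int n = heartbeat_vulnerable(&c, out);
    printf("vulnerable: %d-byte response, leaks secret: %d\n", n, response_leaks_secret(out, n));
    n = heartbeat_fixed(&c, out);
    printf("fixed: %d (negative means the request was rejected)\n", n);
    return 0;
}
```

The model reads only within its own array, but it reproduces the essential shape of the bug: the length the peer supplies is used as the copy length, and the secret placed right after the record ends up in the reply. The fixed handler is what a patched OpenSSL does; the rest of this post is about what to do because servers ran the first version for two years.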
What is the impact?
The impact is as broad as the issue is severe. Essentially, many secure websites have had confidential information stolen over the past two years without detection. The impact is very widespread, as most major internet services were affected at one point. The Canada Revenue Agency even reported the theft of social insurance numbers, which prompted the shutdown of its website last week. There is no way to know for sure, but we are aware that various groups were exploiting this security hole for years before it was made public:
This means it is likely that many people have had their accounts or information compromised at some point; we just don't know who, or when.
Key web services affected by Heartbleed
Amazon Web Services - Various services
Fortinet - Firewalls, other security appliances, etc.
Google - All Google services: Gmail, YouTube, Google+, etc.
LogMeIn - LogMeIn remote access. Agents on your PC need to be updated when prompted.
Nucleus Information Services
Telus - All Telus email accounts
A larger list of affected websites:
If you are worried about another website being affected, you can perform a brief vulnerability test here:
What needs to be done?
As an Edmonton-based managed IT service provider, we have taken various steps and continue to do so. As part of our overall approach to managed IT services, we are exercising a number of best practices to ensure clients remain protected. Security is a practice, not an action.
We recommend that you take the following actions to ensure you are protected moving forward:
Change your passwords: If you have an account with any service in the list above, change your password. We recommend making a habit of doing this every 6-12 months.
Use different passwords: Unfortunately, most people use the same password for everything. We recommend safely storing your passwords in an encrypted database such as KeePass.
Be mindful of what else you need to change: If you store passwords in your Gmail account, it's best to change those as well. Read the advisories in the list above to get a better idea of the impact.
Re-key SSL certificates: If a website or service your company hosts was affected, you need to re-key its SSL certificate, since the private key behind the old certificate may have been exposed; this prevents further information loss in the future.