Your Computer and Privacy Policies and the Heartbleed Internet Security Bug

April 16, 2014

By now you have read and heard much news coverage of the "Heartbleed" Internet security bug discovered last week.  The headlines are dominated by the large companies known to be vulnerable to the bug -- Amazon, Google and Yahoo! among them.  No matter what the size of your business, however, you should be aware of the issue and take steps to protect yourself if you depend on secure Internet connections for your operations or communications. WHAT IS IT? Heartbleed affects users of a common Internet encryption tool called "OpenSSL." Encryption is designed to protect transmission of sensitive data (such as credit card numbers and passwords) via online services. In essence, encryption protects confidential information as it travels from computer to computer, by making it difficult to read or use if intercepted. The Heartbleed bug bypasses the encryption process, thus creating a security hole. Heartbleed logs and stores otherwise-confidential material "in the clear" on a user's hard drive as the user types it. For example, an unencrypted email password might be copied to the hard drive when the user logs in to the company account. From the hard drive, that unencrypted information can be retrieved by hackers trying to access confidential information for unauthorized uses. WHY DOES IT MATTER? Because Heartbleed interrupts the encryption process, users of affected systems may be vulnerable even if they have taken precautions to secure their systems. Hacked information might be used as-is, or it might be used as a tool to exploit other information (by guessing related passwords, for example). WHAT SHOULD I DO? If you use secure online services such as cloud storage or payment processing, you may want to check your own network to see whether Heartbleed could have compromised any password or log-in information for those services. You may also want to confer with your suppliers to see whether they have upgraded their security measures. In addition, if you communicate via password-protected email or instant messaging, you may want to confirm that your security practices are up to date. This assessment may prompt you to revisit other business practices, as well. For example, it may be wise to review what your privacy policy or standard agreements say about your security practices; to consider whether they should be revised or updated; and to evaluate whether you need to be in touch with customers, suppliers or employees about their accounts. In light of issues like Heartbleed, all businesses that use secure online storage, communications, or financial services may want to consider ways to prevent or address problems. For any questions, please call Mitzi Hill at 678.336.7272.

‹ Alerts