1 in 8 of all websites had a critical vulnerability
Symantec and other reliable sources have reported giant spikes in cybercrime in recent years. Among Symantec’s findings: 77% of legitimate websites had exploitable vulnerabilities and 1 in 8 of all websites had a critical vulnerability.
Cybercrime in 2013 was unprecedented
2013 was a turning point for cyber threats, with increasing reports of cyber-espionage, new privacy threats, and damage done by malicious insiders. Then came December’s Target and related breaches, underscoring how damaging and pervasive cybercrime has become. Compound that with continued security vulnerabilities on social media, mobile devices, and the rapidly growing “Internet of Things” (smart TVs, cars, medical devices, etc.), and it’s clear the problem is growing exponentially.
According to the Washington Post –
“More than 552 million identities (world-wide) were breached in 2013, putting credit card information, birth dates, government ID numbers, home addresses, medical records, phone numbers, financial information, email addresses, logins, passwords and other personal information into the criminal underground.” (The Washington Post, April 14, 2014).
And now the OpenSSL Heartbleed Bug…
April 2014’s shocking revelation about the OpenSSL Heartbleed bug has caused widespread panic among users and business owners. It exposes half a million servers to attack (each server or application fix costing thousands of dollars) and, by some estimates, has impacted as much as two-thirds of the entire internet. Undetected for two years, the bug quietly undermined the basic security of the Internet by leaving a gap in OpenSSL, an encryption library used widely by businesses to protect sensitive data.
If you haven’t already changed your passwords on Google, Yahoo, Facebook and other affected major service providers, we highly recommend you do so. However, be aware that skilled hackers may be able to use the bug to create fake websites, closely resembling legitimate ones, to try to trick you into disclosing your personal information. Changing your passwords cannot protect you if you share them with a hacker pretending to be one of your service providers.
Heartbleed’s fallout in the weeks ahead
The Heartbleed fix will ultimately impact hundreds of thousands of sites, most of which have yet to take action. As a result, data-heavy certificate revocation lists are going to flood the internet with new entries. This means that checking a site’s identity will take significantly longer, potentially slowing down the entire internet.
Some initial steps to protect your business and vital personal information
As a business owner, your credibility with customers requires that you take action to patch your OpenSSL software as quickly as possible.
Advice for businesses
- Check your current version of OpenSSL and either:
  - Recompile your OpenSSL without the heartbeat extension, or
  - Update to the latest fixed version of the software (1.0.1g) if you are using OpenSSL versions 1.0.1 through (and including) 1.0.1f.
- After moving to a fixed version of OpenSSL, contact the certificate’s issuing Certification Authority for a replacement.
- Finally, businesses should reset any end-user passwords that may have been visible to hackers in a compromised server’s memory.
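The first two business steps above (check the installed version against the 1.0.1 through 1.0.1f range, and confirm whether the heartbeat extension was compiled out) can be scripted; the example below is added here and is not part of the original post. It assumes a POSIX shell and the standard `openssl version` / `openssl version -a` output; the version strings in the comments are constructed samples.

```sh
#!/bin/sh
# Classify an OpenSSL version string against the range the post names as
# affected by Heartbleed: 1.0.1 through 1.0.1f inclusive. 1.0.1g is the
# first fixed release; 0.9.8 and 1.0.0 never carried the bug.
# Prints one of: vulnerable, fixed, unaffected, unknown.
heartbleed_version_status() {
    # Accept a bare version ("1.0.1e") or the whole "openssl version"
    # line ("OpenSSL 1.0.1e 11 Feb 2013"); keep only the version token.
    ver=$(printf '%s\n' "$1" | sed -n 's/^\(OpenSSL \)\{0,1\}\([0-9][0-9.]*[a-z]*\).*/\2/p')
    case "$ver" in
        "")          echo unknown ;;      # nothing that looks like a version
        1.0.1)       echo vulnerable ;;   # the initial 1.0.1 release
        1.0.1[a-f])  echo vulnerable ;;   # 1.0.1a .. 1.0.1f
        1.0.1[g-z])  echo fixed ;;        # 1.0.1g and later point releases
        *)           echo unaffected ;;   # other branches
    esac
}

# Return 0 when an "openssl version -a" dump shows the library was built
# with -DOPENSSL_NO_HEARTBEATS, i.e. the post's "recompile without the
# heartbeat extension" alternative to upgrading.
heartbeat_compiled_out() {
    printf '%s\n' "$1" | grep -q 'OPENSSL_NO_HEARTBEATS'
}

# Check the OpenSSL binary on this host, if one is installed.
# Caveat: distributions backport fixes without changing the upstream
# version string (Debian's patched 1.0.1e builds, for example), so treat
# "vulnerable" as "confirm against your vendor's advisory", not as proof.
if command -v openssl >/dev/null 2>&1; then
    full=$(openssl version -a 2>/dev/null)
    status=$(heartbleed_version_status "$(openssl version)")
    if [ "$status" = vulnerable ] && heartbeat_compiled_out "$full"; then
        status="vulnerable version, but heartbeat extension compiled out"
    fi
    echo "local openssl: $status"
fi
```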
Advice for consumers
- When an internet service provider sends you notice to change your password, contact them by phone to make sure the request is legitimate.
- For now, stick with reputable websites and services that have most likely already addressed the vulnerability.
- Carefully monitor your bank and credit card statements to check for any unusual activity.