Here’s the thing: if they are talking about it in such general terms as “Not sure if we’ve been compromised”, “No way to tell if you’ve been affected”, “doing everything we can to remedy the problem” and “We’ve patched our servers, but other companies we interface with might not have patched theirs”, then you should probably be a bit worried.
Raven Tools, a company whose services I utilize at a hefty fee each month, was the first to notify me about the Heartbeat “hack” and the Heartbleed security risk. That email was sent out only a few days ago, with a couple of follow-up emails afterwards, prior to today.
Kudos to Raven for being the most forthcoming and reactive group I work with on a regular basis. I got some notification from Amazon; partners for web hosting; Lookout Mobile Security and a few others. But they keep trickling in.
The Huffington Post did an article on it today. This thing seems scary, but mostly because of what they aren’t telling us/you/me. We keep hearing that there’s no way to tell if you’ve been compromised. Well, that’s public information dissemination technique number 1. If you hear that, then you’ve been affected by this.
Now, most webmasters and bloggers probably won’t have a problem with this Heartbleed thing.
Why? Well, because unless you are the person with the deepest pockets, you probably aren’t going to be sued. The Heartbleed issue affects 75% or so of all web URL communication, which means that even IF YOU WERE ALLOWING AN EXPLOIT, you aren’t going to be in trouble for it. Sure, your customers are out of luck if their private data has been compromised as a result of your not knowing that your site certificates (or your host’s certificates) had been compromised.
If you store customer data, you need to get with your service providers (think Amazon Cloud or AWS; GoDaddy) and the people whose APIs you tap into, and make sure they have patched the loophole. After that you need to request new certificates to get your house in order.
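One way to follow up on the “request new certificates” step from the outside is to look at the dates on the certificate a provider actually serves: a certificate issued before the disclosure date could have had its key on an unpatched server, so it should have been replaced. The script below is an added example, not code from this post or from any provider named in it; the hostnames, dates and sample certificate dictionaries are constructed stand-ins for what Python’s `ssl.getpeercert()` returns, and `fetch_certificate` is only there for a live check against your own hosts.

```python
"""
Was a provider's TLS certificate reissued after Heartbleed was disclosed?
Added example; the sample certificates and hostnames below are constructed.
"""
import socket
import ssl
from datetime import datetime, timezone

# Public disclosure date of Heartbleed (7 April 2014). A certificate whose
# notBefore predates this was issued while its private key could have been
# sitting on an unpatched server, so it should have been replaced.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)


def parse_cert_time(value: str) -> datetime:
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' strings that ssl.getpeercert() returns."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def assess_certificate(cert: dict, disclosed: datetime = HEARTBLEED_DISCLOSED) -> dict:
    """Report whether a certificate (a getpeercert()-style dict) postdates disclosure."""
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    return {
        "not_before": not_before.date().isoformat(),
        "not_after": not_after.date().isoformat(),
        "reissued_after_disclosure": not_before >= disclosed,
    }


def fetch_certificate(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the live certificate for one of your own hosts (needs network access)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates standing in for getpeercert() output from
# two hypothetical providers: one still on its pre-disclosure certificate,
# one that reissued a few days after the patch.
SAMPLE_CERTS = {
    "api.example-provider.test": {
        "subject": ((("commonName", "api.example-provider.test"),),),
        "notBefore": "Jan 15 00:00:00 2014 GMT",
        "notAfter": "Jan 15 23:59:59 2015 GMT",
    },
    "shop.example-host.test": {
        "subject": ((("commonName", "shop.example-host.test"),),),
        "notBefore": "Apr 12 09:30:00 2014 GMT",
        "notAfter": "Apr 12 09:30:00 2016 GMT",
    },
}


def providers_needing_followup(certs: dict) -> list:
    """Return the hosts whose served certificate still predates the disclosure."""
    return sorted(host for host, cert in certs.items()
                  if not assess_certificate(cert)["reissued_after_disclosure"])


if __name__ == "__main__":
    for host, cert in SAMPLE_CERTS.items():
        print(host, assess_certificate(cert))
    print("follow up with:", providers_needing_followup(SAMPLE_CERTS))
```

A certificate dated after the disclosure is necessary but not sufficient: it says nothing about whether the old one was revoked or whether the server itself was patched, so treat the result as the list of providers to ask, not as a clean bill of health.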
Should you tell your customers? Sure, you could, but likely, someone with deeper pockets has already informed them. You might actually anger a few people if you do tell them. That doesn’t mean you shouldn’t. The fact is this: the more information we can disseminate, the better. It gives everyone an opportunity to fix what they can on their end.
Oh and this:
While I don’t believe that the providers (again, think Raven, Amazon, GoDaddy, etc.) are completely in the clear like many of them would like you to believe after they patched… real bad people in Russia, China, Iran, Chicago, etc. are RIGHT NOW trying their best to jump onto the bandwagon and exploit what they can on sites where there is a reasonable expectation that they can grab data, like credit card numbers, names, addresses, etc.
Who’s at risk? The small guy. You. Me. Everyone.
Why? Because Joe Blogger with that cool e-book you purchased yesterday for $8.21 on a “warrior special deal” or something like that doesn’t know how to react quickly, or is working with a hosting company that cannot react fast enough to stop potential dangers.
You should be worried. Do what you can to implement best practices. Talk with your service providers and talk with your customers; what could it hurt? A little reassurance never hurt anyone, right?
If you thought the Target breach was bad… this is the calm before the storm. Let’s see how it plays out.
These are super basic notes, so plan accordingly.
If you don’t store customer data and don’t use the “https” protocol, there is a low likelihood that you will be affected negatively.
Basically, Heartbleed works like this: while data is being exchanged over “https”, an attacker can skim data out of the server handling the connection as the exchange completes. In the worst case scenario (which is really all that’s important) the encryption key that’s used to protect the data on the “secure channel” is exposed to the “hacker”. If that happens, it could be very bad news, because then the data is available en masse. Essentially, that’s where the vault is left open for the thief to do what they want with the items inside.
Luckily, if your host, you, or your webmaster actually knew what they were doing when they set up the “https” protocols, you are likely unharmed by this type of weakness.
That doesn’t mean you are in the clear though. Individual packets of information can still be harvested, EVEN IF YOU DON’T HAVE ENCRYPTION KEY BREACHES. Hence, the patching of the hole on the service provider’s side.
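The mechanism the last few paragraphs describe, reduced to a toy model so the “why patch even without a key breach” point is concrete: a heartbeat request carries a declared payload length and the payload itself, and the server echoes the payload back. The unpatched handler trusts the declared length and copies that many bytes, which reads past the request into whatever the server has next to it; the patched handler checks the declared length against what actually arrived and drops the request. This is an added example, not code from this post and not OpenSSL’s code; the request format is simplified and the `SERVER_MEMORY` byte string is a constructed stand-in for neighbouring process memory.

```python
"""
Toy model of the missing bounds check behind Heartbleed.
Added example; the record format is simplified and SERVER_MEMORY is constructed.
"""
import struct
from typing import Optional

# Constructed stand-in for the process memory that happens to sit right after
# the request buffer: other sessions' data, and in the worst case key material.
SERVER_MEMORY = b"SESSION=abc123;CARD=TEST-ONLY-0000;KEY=FAKE-PRIVATE-KEY-BYTES"

HEARTBEAT_REQUEST = 1
HEADER = struct.Struct("!BH")  # 1-byte type, 2-byte declared payload length


def build_heartbeat(payload: bytes, declared_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request. declared_length lets a test make the header lie."""
    if declared_length is None:
        declared_length = len(payload)
    return HEADER.pack(HEARTBEAT_REQUEST, declared_length) + payload


def vulnerable_handler(request: bytes, process_memory: bytes) -> Optional[bytes]:
    """Pre-patch behaviour: copy `declared` bytes starting at the payload, with
    no check that the request actually contained that many bytes."""
    if len(request) < HEADER.size:
        return None
    hb_type, declared = HEADER.unpack(request[:HEADER.size])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    # The payload is followed in memory by unrelated data; an over-long
    # declared length reads straight into it.
    adjacent = request[HEADER.size:] + process_memory
    return adjacent[:declared]


def patched_handler(request: bytes, process_memory: bytes) -> Optional[bytes]:
    """Post-patch behaviour: refuse any request whose declared length exceeds
    the payload bytes actually received, so the reply is built only from the request."""
    if len(request) < HEADER.size:
        return None
    hb_type, declared = HEADER.unpack(request[:HEADER.size])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    payload = request[HEADER.size:]
    if declared > len(payload):
        return None  # silently discard, as the fix does
    return payload[:declared]


def bytes_leaked(reply: Optional[bytes], request: bytes) -> int:
    """How many reply bytes did not come from the request itself."""
    if reply is None:
        return 0
    return max(0, len(reply) - len(request[HEADER.size:]))


if __name__ == "__main__":
    honest = build_heartbeat(b"ping")
    lying = build_heartbeat(b"ping", declared_length=40)
    for name, handler in (("vulnerable", vulnerable_handler), ("patched", patched_handler)):
        print(name, "honest ->", handler(honest, SERVER_MEMORY))
        reply = handler(lying, SERVER_MEMORY)
        print(name, "lying  ->", reply, "leaked", bytes_leaked(reply, lying), "bytes")
```

Each reply from the unpatched handler exposes a slice of whatever happened to be in memory at that moment, which is why the post is right that individual pieces of data can be harvested even when the key itself never shows up in a reply, and why the fix has to land on the server side rather than anywhere the client controls.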
Here’s a video link that goes outside of this site to give you some information on the Heartbleed “Hack” (this is not my video, but it does simplify the concept well). HEARTBLEED EXPLANATION VIDEO
You can also go to the Heartbleed Website for some basic information: HERE
You can also go to the source HERE