360 Degree Cyber Security, LLC

What is Heartbleed?

What is Heartbleed?  No, it is not a cardiac condition.  It is not a virus.  It is a programming flaw in OpenSSL that occurred in 2011.  Has the programming flaw been exploited?  Who knows.  However, it is a serious new IT vulnerability that is being called one of the largest, if not the largest, Internet security flaws in history.

To make it clear, this vulnerability has the potential for affecting just about everyone on the Internet that surfs the World Wide Web.  It can also affect your fire company.

Heartbleed is a vulnerability in the secure connection (https) between your web browser and the website you're viewing.  It can give hackers a way to steal usernames and passwords with almost no way of detecting that it is happening.
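To show the programming flaw in concrete terms, here is an added example (not code from the original post or from OpenSSL) in Python: a validator that applies the bounds check the OpenSSL fix added, run against two constructed heartbeat records. The record layout follows RFC 6520; the sample bytes and the function name are assumptions for illustration.

```python
import struct

TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat messages
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520 requires at least 16 bytes of padding


def check_heartbeat_record(record: bytes) -> str:
    """Return 'ok' if a TLS heartbeat record is well formed, else the reason.

    This is the check the OpenSSL patch added: the declared payload length,
    plus the fixed header and minimum padding, must fit inside the record
    that actually arrived.  Unpatched code trusted payload_length and copied
    that many bytes from memory into its reply, which is the "bleed".
    """
    if len(record) < 5:
        return "truncated record header"
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return "not a heartbeat record"
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        return "record length does not match bytes received"
    if len(body) < 3:
        return "heartbeat message too short"
    hb_type = body[0]
    payload_len = struct.unpack("!H", body[1:3])[0]
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "unknown heartbeat type"
    # 1 (type) + 2 (length field) + payload + 16 (padding) must fit in the body.
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return f"declared payload {payload_len} exceeds record body {rec_len}"
    return "ok"


# Constructed samples (not captured traffic).  Record header: type 0x18,
# TLS 1.1 (0x0302), body length 0x17 = 23 = 1 + 2 + 4 + 16.
# Body: heartbeat type 1 (request), payload_length, payload, 16 pad bytes.
WELL_FORMED = bytes.fromhex("1803020017" "01" "0004") + b"ping" + b"\x00" * 16
# Same record, but payload_length claims 16384 bytes while only 4 are present.
OVERSIZED = bytes.fromhex("1803020017" "01" "4000") + b"ping" + b"\x00" * 16

if __name__ == "__main__":
    for name, rec in (("well formed", WELL_FORMED), ("oversized", OVERSIZED)):
        print(f"{name}: {check_heartbeat_record(rec)}")
```

The same length comparison is what intrusion-detection signatures for Heartbleed look for on the wire, so the check serves both as the fix and as a detection rule.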

So why worry about this?  Many volunteer companies use an outside company to provide web services, not only for external customers but also for internal use by the company's members and employees.  The data on those servers may be at risk of being stolen.  This is an even bigger issue if you have personally identifiable information stored in the members-only area: the vulnerability could lead to stolen identities.

The vulnerability can be found on websites that utilize OpenSSL as the method for securing that connection.  Security researchers in Finland and at Google found the bug in OpenSSL.  Many companies and websites that use OpenSSL are scrambling to patch the software.

Networking giants such as Juniper and Cisco are reported to have been affected by this bug.

Is there a test?  Here is a simple way to check whether your favorite site is affected.  Go to https://www.ssllabs.com/ssltest/analyze.html and enter the web address of the site you would like to test.  You will get a simple report-card style grade back indicating whether the site is affected.  As of this writing, Google received an A, Twitter and Facebook received an A-, and LinkedIn received a B (it was an F on the 10th of April).

What can you do to protect yourself?

1.  Test the sites you visit frequently.  If a site you use does not get a passing grade, I recommend avoiding that site until it does.
2.  Change all your passwords!
3.  Clear out your web browser's temporary storage, also called the cache.  Check out ZDNet for information on how to do this and other tips to stay safe.

What can you do to protect your fire company website?

1. Test your website.  See what kind of grade it receives and whether it is vulnerable to the flaw.
2. Contact your web provider and find out if they are using OpenSSL to provide secure web browsing.
3. Find out whether they have patched yet and, if not, when they will.
4. If they are not going to patch… Take your business elsewhere and find a new service provider!!!

Data compiled from various sources around the Internet.
Mashable – http://mashable.com/2014/04/10/heartbleed-programmer/
ZDNet – http://www.zdnet.com/how-to-protect-yourself-in-heartbleeds-aftershocks-7000028311/
Wall Street Journal – http://t.co/9GnqkajkVi
Forbes – http://www.forbes.com/sites/jameslyne/2014/04/10/avoiding-heartbleed-hype-what-to-do-to-stay-safe/

About the Author

Chris Wolski is the founder and principal consultant of the small business and municipality focused cyber security firm 360 Degree Cyber Security, LLC. He is currently certified by the International Information System Security Certification Consortium as a Certified Information Systems Security Professional and by the SANS Institute as a Global Industrial Cyber Security Professional. Active in the information security community, Chris volunteers his time at BSides Delaware and to various individuals seeking to be mentored in cybersecurity. He frequently researches industrial devices to discover weaknesses that would present a problem for users of those devices. Chris got his start in cyber security in the U.S. Navy, where he served in various information security and signals intelligence roles over his 20-year career. He left government service after serving in a position developing cyber threat intelligence against industrial controls and later on the Joint Chiefs of Staff as a cyber incident handler. Chris has a Bachelor of Science degree in Cybersecurity from University of Maryland University College and is currently pursuing a Master of Business Administration, also at the University of Maryland University College.
