How to mend your website’s Bleeding Heart?
It would seem that every time we turn around, there is yet another horrible security lapse on the Internet that will ruin the world. While many have been over-hyped as the Doomsday bug, this one is actually quite scary.
Dubbed “Heartbleed”, like a hole in your heart, this bug is a hole in a widely used encryption technology that has given hackers a way to infiltrate many of the world’s largest websites and download sensitive information from servers without leaving a trace.
To complete the imagery, like the heart, this problem goes all throughout the body. We are all in this together: according to a recent Netcraft web server survey that looked at nearly 959,000,000 web sites, 66% of sites are powered by technology built around OpenSSL, a popular data encryption standard, and that doesn’t include email services, chat services, and a wide number of apps available on every platform. So there is no running from this.
It was only recently discovered by researchers at Google, and they are scrambling to fix it. Trying to keep track of new security vulnerabilities is frustrating and many just give up, but you will want to pay attention to this one:
Here’s how it works:
When data is encrypted, it looks like gibberish to anyone except the intended recipient. From time to time, one computer might want to check that there’s still a computer at the end of its secure connection, so it will send out what’s known as a “heartbeat,” a small packet of data that asks for a response.
Due to a programming error in the implementation of OpenSSL, the researchers found that it was possible to send a well-disguised packet of data that looked like one of these heartbeats to trick the computer at the other end of a connection into sending over data stored in its memory.
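The programming error described above was a missing bounds check: a heartbeat carries a header field stating how long its payload is, and the unpatched code trusted that number instead of comparing it with how much data had actually arrived in the record. The C function below is an added example, not code from the original post or from OpenSSL; it performs the length check the fix introduced (RFC 6520 says an over-long heartbeat must be silently discarded), and the two sample messages are constructed for the test.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of padding follow the payload */

/* Validate a TLS heartbeat request against the real record length and, if it is
 * well formed, build the response into out. Returns the response length, or 0
 * when the message must be silently discarded. The two "return 0" bounds checks
 * are the ones the vulnerable versions of OpenSSL lacked. */
size_t heartbeat_response(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;    /* too short to hold header + padding */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);   /* length claimed by the sender */
    /* Claimed payload must fit inside what actually arrived; otherwise copying
     * "payload" bytes would read past the record into unrelated process memory. */
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return 0;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);               /* echo only the bytes we really received */
    memset(out + 3 + payload, 0, HB_PADDING);        /* real implementations use random padding; zeroed here for brevity */
    return resp_len;
}

/* Constructed sample: a well-formed request carrying the 4-byte payload "ping". */
size_t run_well_formed(void) {
    uint8_t rec[1 + 2 + 4 + HB_PADDING] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    return heartbeat_response(rec, sizeof rec, out, sizeof out);   /* returns 23 */
}

/* Constructed sample: the same 4-byte payload, but the header claims 0xFFFF bytes.
 * A patched implementation discards it instead of echoing memory it never received. */
size_t run_overclaimed(void) {
    uint8_t rec[1 + 2 + 4 + HB_PADDING] = { HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    return heartbeat_response(rec, sizeof rec, out, sizeof out);   /* returns 0 */
}
```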
The worst part of it is that this problem has been around for a dizzying 2 years, meaning that hackers have been exploiting this flaw undetected for that amount of time. In all likelihood, your website, databases, passwords, emails, credit card information and pretty much everything you hold dear on the Internet was available on a shopping spree for the malicious. Also, because the flaw sits inside OpenSSL itself, it is incredibly hard to trace any wrongdoing. Just to top things off: this isn’t simply a bug in some app that can quickly be updated. The vulnerability is on the machines that power services that transmit secure information, like Facebook and Gmail.
However, it is NOT yet the end of the world. The researchers who discovered the flaw let the developers behind OpenSSL know several days before announcing the vulnerability, so it was fixed before word got out yesterday. Most major service providers should already be updating their sites, so the bug will be less prevalent over the coming weeks. The only thing to do is to do nothing.
Even if your business is in the industries where privacy and security are of utmost concern, it is too late. You can change your password, but you also have to accept that your data was accessed inappropriately. Your only remedy is to bite the bullet and wait for your service provider to update the anti-virus / anti-theft patches.
Hackers must be upset that their secret backdoor has been discovered. However, as we all know, the Internet is very forgiving and will give them another chance later on. Unfortunately, there is no way to prevent hacks. There is, however, a possibility of recovering.
Backing up your website and databases is the measure you can take in the face of overwhelming Internet epidemics like Heartbleed. While backups do not mitigate the vulnerability, the fact that a site can be compromised and data deleted, stolen, or corrupted is cause for alarm to any site operator. With backups, you keep different older versions of your site, and you can revert to a previous version that had not yet been compromised.
As mentioned, backup is not a cure but a good way to fight off the next infection. Your concern should not be whether or not to back up; it is more about who you should back up with. As security lapses and attacks come in all shapes and forms, be sure that your backup provider has various tools in place to safeguard your data. Before the next flood of viruses, lapses or problems plagues the Internet again, it would be wise to prepare for it.