You have probably heard about the newly discovered Heartbleed vulnerability, widely considered to be one of the most widespread and potentially damaging security flaws of all time. "Potentially" is the operative word: there is currently no known hack or exploit of any system using this vulnerability.
The good news is that most internal networks and systems are not affected by the vulnerability. To our knowledge, Microsoft’s implementation of SSL does not have this vulnerability, so Windows servers and Office 365 are not affected. In the few cases where internal systems are affected, the only solution is to apply a software update once a fix is released. Fortunately, very few of the servers that Community IT manages are affected, and we are in touch with those clients and remediating the situation as quickly as possible.
However, Heartbleed creates much larger potential problems for individuals and organizations in their use of Cloud-based services not managed by Community IT (online and hosted solutions).
For more technical information about the vulnerability, we include a list of articles below, although the best is probably this summary from the Washington Post.
What can I do?
There are really only two things that can be done:
1. Wait for a patch (i.e., a software fix) to be applied to any affected servers or services.
2. Change your passwords for any affected sites or services after they have been patched.
Changing your passwords prior to patching will not provide any benefit and could actually make things worse, now that the vulnerability is well known: a new password sent to a server that is still vulnerable can be exposed just as easily as the old one.
This incident does serve as a helpful reminder of the need for vigilance when dealing with IT security issues. Specifically, we recommend the following three IT security best practices:
First, we have long encouraged nonprofit organizations to patch their systems on a regular basis (ideally, every month). We have continually updated and improved our automated patching system for this very reason.
Second, we have also urged nonprofits to implement policies that require the use of complex passwords which should be changed every 3–6 months. Do not reuse passwords, and have a separate password for each system you use.
Finally, maintaining reliable data backups is critical to restoring information in the event of corruption or attack.
Unfortunately, this will not be the last bug or security flaw discovered. Making security a priority and following good security practices are the best methods for preventing exploitation and attack.
Summary from Washington Post
Thorough list of affected sites from Mashable, along with tips on steps to take.
Technical description of the vulnerability from Codenomicon, who helped discover it.
Exhaustive list of possibly affected sites from GitHub.
Site for testing whether a server is vulnerable.