The Heartbleed Bug is a very serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows hackers to steal information that’s protected under normal conditions by the SSL/TLS encryption – the standard used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and their sensitive data. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
Exploiting this bug leaves no traces of anything abnormal happening in your servers’ logs.
Breaking this down in non-technobabble – if you’re using SaaS vendors to help run your business, your email marketing lists, sales lists, and financial data are potentially at risk. If you have an online shopping cart, those transactions and cardholder data are potentially at risk.
How widespread is this?
Most notable software using OpenSSL are the open source web servers like Apache and nginx. The combined market share of just those two out of the active sites on the Internet was over 66 percent according to Netcraft's April 2014 Web Server Survey. Furthermore OpenSSL is used to protect email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and wide variety of client side software.
Any software using OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable. The attack predominantly affects Linux and BSD based servers.
Is Merchant Warehouse Affected?
At this point, Merchant Warehouse does not believe that it is affected by the Heartbleed Bug. We have performed a comprehensive audit of our servers, Genius CEDs, security appliances, and peripherals. None of these are using an affected version of the OpenSSL library.
How to stop the leak?
As long as the vulnerable version of OpenSSL is in use it can be abused. A fixed version of OpenSSL has been released and now it has to be deployed by your system administrators. Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.
Security experts recommend that System Administrators upgrade to the latest version of the OpenSSL library and also generate new SSL/TLS certificates, as there is no way to tell if their current certificates have been compromised.
You can use http://filippo.io/Heartbleed/ to check if your servers are potentially affected by this bug.
As a merchant, what should I do?
As a small merchant, you are probably using a number of SaaS solutions to run your business. Maybe you’re using Hubspot for your email marketing, Salesforce for your CRM, Google Docs, Shopify for your eCommerce shopping cart, and GoDaddy for your web hosting. It’s likely that your providers have reached out to you already to let you know if they were vulnerable, and what the next steps are. If not, please go to their websites – they probably have a blog post like this one telling you if they’re at risk, and what to do if they were.
One simple step you can do to mitigate your risk is to change your passwords on all of these sites. If your partners have patched the bug, a simple step like changing your password can help substantially limit your exposure.
At Merchant Warehouse, protecting customers’ data has always been our principal responsibility. With best-in-class solutions such as Genius, we help merchants minimize risk and secure their customers’ data. Genius significantly reduces merchants’ risk of data breaches by providing tokenization and point-to-point encryption (P2PE).