Reposted from the This Week in Nonprofit Fraud Blog – May 5, 2014
Spotlight on Security: The Heartbleed Bug
On April 7, 2014, an enormous technical vulnerability in the code designed to keep the Internet secure was revealed to the public. Nicknamed “Heartbleed,” this bug enabled hackers to freely steal passwords, encryption keys, and other private data from more than 500,000 different websites for as long as two years! This type of vulnerability is what’s known as a “zero-day exploit,” meaning that even the company that programmed the software involved doesn’t know there is a problem. Until it is disclosed to the company so it can be fixed, hackers can freely take advantage of it without anyone being the wiser.
Heartbleed has been called, arguably, the worst Internet vulnerability of the information age. The code involved is one of the most popular methods of establishing secure connections on the internet; secure connections are represented by a tiny “lock icon” in your browser window. For organizations with supposedly secure websites, hackers were able to steal the information that is used to prove that a website is legitimate, meaning that they could create fake websites that appear to be the real thing to scam users into providing their personal information.
A patch was issued almost immediately for Heartbleed, but nobody can know whether the 500,000 vulnerable websites were actually attacked. Also, the patch isn’t exactly automatic – each organization needs to manually update their computer systems to make sure the vulnerability is removed. The good news for consumers is that not every website was vulnerable; for instance, banks tend not to use the code that contains Heartbleed. But there are a lot of major websites that were vulnerable; responsible websites have already corrected the issue.
So what does all this mean for you and me? Well, first, it means that we should refrain from providing any personal information – including passwords – on any website that has not patched the Heartbleed bug. There are several websites available to check an individual website’s vulnerability, including the LastPass Heartbleed Checker. Second, you should change your online passwords for any website that accesses high-value data (e.g. banking, email, file storage), but only after you’ve checked that the website isn’t still vulnerable to Heartbleed.
Lastly, the Heartbleed bug serves as a terrifying reminder of the importance of using good password practices online. Remember: never reuse a password on multiple websites, because if a hacker ever learns that password, it gives them free rein over all your accounts instead of just one. It can be hard to remember so many different passwords, but there are password manager software tools available to help you stay secure. Make sure that every individual password you use is a strong one, that it isn’t made up solely of real words from the dictionary, and as always, be a smart Internet citizen – hold your passwords close to your heart!
See more on this issue at heartbleed.com; to check a website’s vulnerability, see the LastPass Heartbleed Checker; for a comparison of Password Manager software, see Lifehacker.
- It is impossible for any organization to perfectly protect itself from cyber security risks, since even the most diligent organization is still vulnerable to zero-day exploits like the Heartbleed Bug.
- Since every organization is at risk, organizations must have plans in place to deal with vulnerabilities when they are identified.
Raffa Forensic Practice Tips:
- Has your organization identified its information assets – those items which might be of interest to a hacker?
- Has your organization assessed its vulnerability to risks in the wake of the Heartbleed Bug, and addressed that vulnerability through steps such as requiring users to change their passwords?
DON’T BE THE NEXT VICTIM OF FRAUD!
The Raffa Forensic Accounting Services Practice offers a wide variety of fraud prevention and detection services including Fraud Risk Assessments, Background and Workplace Investigations, Fraud and Internal Investigations, Transactional Due Diligence Investigations, Anti-Fraud Consulting and Training, and Computer Forensic Analysis.
For more information on the Raffa Forensic Accounting Services Practice please visit us at www.raffa.com/ProfessionalServices/Forensic/ and the Nonprofit Fraud Prevention Institute at www.raffa.com/Fraud.
You can also contact the following Raffa professionals with any questions or if your organization needs assistance in fraud prevention: