“Heartbleed” Bug – Antibiotics Won’t Help, Changing Passwords Might

“Heartbleed” Bug – Antibiotics Won’t Help, Changing Passwords Might

April 14, 2014

“Heartbleed” Bug – Antibiotics Won’t Help, Changing Passwords Might

By: Michelle Cohen

After recovering from high-profile data breaches at Target and Neiman Marcus, signing up for free credit monitoring and analyzing our credit reports, a new Internet villain recently emerged:  the “Heartbleed Bug.”  The Heartbleed Bug is a security flaw present on Open SSL, popular software run on most webservers.  This open source software is widely used to encrypt web communications.  The Heartbleed Bug affects approximately 500,000 websites, including reportedly Yahoo, OK Cupid, and Tumblr.  And, in addition to websites, the Bug may impact networking devices such as video conferencing services, smartphones, and work phones.

The danger of the Heartbleed Bug lies in its ability to reveal the content of a server’s memory. Then, the Bug can grab sensitive data stored in the memory, including passwords, user names, and credit card numbers.  Adding insult to injury, the Bug has existed for at least two years, giving hackers a huge head start.  News reports and some websites have urged users to change their passwords.  Others have warned individuals not to change their passwords until a website has indicated it has installed the security patch that “cures” the Bug.  Several sites offer tools to “test” whether an indicated website is vulnerable to the Heartbleed Bug, including one by McAfee. In terms of priorities, users should focus on sites where they bank, conduct e-commerce, e-mail and use file storage accounts.

Further intrigue comes from the fact that a recent Bloomberg report alleged that the National Security Agency (“NSA”) knew about the Bug for at least two years, but may have utilized the vulnerabilities to access information.  The NSA has denied it had knowledge of the Bug.

While we have yet to see a “rush to the courthouse” following the announcement of the Heartbleed Bug, we anticipate lawsuits and enforcement could follow where organizations do not act in response to the Bug by installing the necessary security patch.  Companies (including our clients in the Internet marketing and I-gaming industries) should investigate whether their websites, apps, or other services (such as cloud services) use Open SSL – then take immediate efforts to oversee the installation of the security patch.  Organizations should also advise users of the status of the Heartbleed Bug fix and encourage users to change their passwords, with different passwords across different services.

Michelle Cohen

Michelle Cohen

At Ifrah Law, Michelle’s practice focuses on helping clients establish powerful and enduring relationships with their customers and prospects while remaining compliant with state and federal law governing privacy and advertising laws and regulations.

Related Practice(s)
Other Posts
Telework: Businesses Need Smart Practices ASAP to Reduce the Threat of Data Security Incidents. Here’s the Quick and Dirty of Smart Practices
Mar 25, 2020

Telework: Businesses Need Smart Practices ASAP to Reduce the Threat of Data Security Incidents. Here’s the Quick and Dirty of Smart Practices

By: Nicole Kardell
Allowances Made for COVID-19 Don’t Mean Telehealth Providers and Employers Can Share Protected Information Without Consequences
Mar 23, 2020

Allowances Made for COVID-19 Don’t Mean Telehealth Providers and Employers Can Share Protected Information Without Consequences

By: Drew Barnholtz
Data Control of the People, by the People, for the People…
Nov 22, 2019

Data Control of the People, by the People, for the People…

By: Nicole Kardell
Equifax Settlement Teaches The Dos and Dont’s About Data Security
Jul 22, 2019

Equifax Settlement Teaches The Dos and Dont’s About Data Security

By: Nicole Kardell

Subscribe to Ifrah Law’s Insights