Minimize Heartburn from Heartbleed

April 9th, 2014 / smarter identity, security and compliance

Heartbleed

A vulnerability came to light Monday that affects a significant number of websites and services. Known as “Heartbleed,” this vulnerability affects certain versions of OpenSSL, a library used to encrypt data during transmission. Aside from its catchy name and “logo”, its far-reaching impact has captured the attention of the world, triggering thousands of articles, blog posts (including this one), and tweets. If you want a pretty good one-stop source of information about the vulnerability, you can go to this website dedicated to it.

What has OneLogin done about Heartbleed?

OneLogin takes all security vulnerabilities very seriously. Once the vulnerability was published on Monday, we immediately checked and verified that our customer-facing Web servers were not susceptible to this vulnerability. However, we did note that some of our backend servers were affected and needed to be patched, which we completed yesterday.

We have also taken the precautionary step of issuing new SSL certificates to provide our customers with peace of mind in the unlikely case that the vulnerability in our backend servers was exploited. And finally, we are encouraging our customers to change their passwords not only for their OneLogin account, but also on other sites.
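The kind of inventory check described in the section above (verifying which servers run an affected OpenSSL build), written out as an added example that is not OneLogin's own tooling: a Python script that parses `openssl version` banners and flags hosts whose build falls in the affected range. The range used here (1.0.1 through 1.0.1f plus the 1.0.2-beta and 1.0.2-beta1 pre-releases, with 1.0.1g carrying the fix) is taken from the OpenSSL project's advisory rather than from this post, and the host inventory is constructed sample data, not real hosts.

```python
import re
import subprocess

# Affected range assumed from the OpenSSL project's advisory (not stated in this post):
# OpenSSL 1.0.1 through 1.0.1f, and the 1.0.2-beta / 1.0.2-beta1 pre-releases.
# 1.0.1g and 1.0.2-beta2 carry the fix; the 0.9.8 and 1.0.0 branches never had the bug.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-([A-Za-z0-9]+))?")

# Constructed sample inventory (host -> output of `openssl version` on that host).
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1g 7 Apr 2014",
    "api-02": "OpenSSL 1.0.1e 11 Feb 2013",
    "db-03": "OpenSSL 1.0.0k 5 Feb 2013",
    "beta-04": "OpenSSL 1.0.2-beta1 24 Feb 2014",
}


def parse_openssl_version(banner):
    """Parse a banner such as 'OpenSSL 1.0.1e 11 Feb 2013' into
    (major, minor, fix, letter, tag). The trailing build date is ignored."""
    m = _VERSION_RE.search(banner)
    if m is None:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letter, tag = m.groups()
    return int(major), int(minor), int(fix), letter, (tag or "").lower()


def is_heartbleed_affected(banner):
    """True if the banner's version falls in the assumed affected range.

    Caveat: distributions often backport the fix without bumping the letter
    (a patched build can still report 1.0.1e), so a hit here is a prompt to
    check the package changelog, not proof of exposure. Conversely, a library
    upgraded on disk is not in use until long-running services are restarted.
    """
    major, minor, fix, letter, tag = parse_openssl_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter, which sorts before 'a') through 1.0.1f; 'g' onward is fixed.
        return letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        # Only the first two 1.0.2 pre-releases shipped the bug.
        return tag in ("beta", "beta1")
    return False


def affected_hosts(inventory):
    """Reduce a host -> banner map to the sorted list of hosts needing the patch."""
    return sorted(host for host, banner in inventory.items() if is_heartbleed_affected(banner))


def local_openssl_banner():
    """Banner of the OpenSSL binary on this machine, or None if none is installed."""
    try:
        out = subprocess.check_output(["openssl", "version"])
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.decode("utf-8", "replace").strip()


if __name__ == "__main__":
    for host, banner in sorted(SAMPLE_INVENTORY.items()):
        status = "PATCH NEEDED" if is_heartbleed_affected(banner) else "ok"
        print("%-8s %-32s %s" % (host, banner, status))
    local = local_openssl_banner()
    if local is not None:
        print("this machine: %s -> %s" % (local, "PATCH NEEDED" if is_heartbleed_affected(local) else "ok"))
```

Run it as-is to classify the sample inventory and, if an `openssl` binary is on the path, the local machine; to use it on a real fleet, feed it the banners collected from each host. The banner check is deliberately a first-pass triage: it cannot distinguish a backported fix from a vulnerable build, so every hit should be confirmed against the package changelog before declaring a server clean or dirty.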

Heartbleed Beyond OneLogin

Heartbleed affects roughly two out of three websites out there. This means that websites and services that you log into on a daily basis (banks, online storage, SaaS solutions, social media, etc.) are potentially vulnerable to it. The vulnerability is extremely potent in that a successful exploitation of it would enable an attacker to capture any data transmitted between you and that site. Think about it: your banking credentials, your social security number, your unique password that you only use on one… ahem, two… ok, maybe six or so websites. Virtually any information you pass to secured sites without thinking twice.

You can check if a site is affected by the vulnerability here, but remember, if the site was previously vulnerable to it, your credentials might have already been compromised, so you should change those right away once the site is patched. If the site is still affected by it, you should avoid going to that site until it’s patched, since a password changed on a still-vulnerable site can be exposed just like the old one.

About the Author

Alvaro Hoyos leads OneLogin’s risk management, security, and compliance efforts. He also works with prospects, customers and vendors to help them understand OneLogin’s security, confidentiality, availability, and privacy posture and how it works alongside, or in support of, customers’ own risk management models. Alvaro has over 15 years in the IT sector and, prior to joining OneLogin, helped startups, SMBs, and Fortune 500 companies with their security and data privacy compliance efforts. His commentary and articles have been featured in several publications, including CIO, CSO, Network World, Infosecurity, eWeek, and Help Net Security. Alvaro is a member of the Forbes Technology Council and has a B.B.A. in M.I.S. and an M.S. in M.I.S. from Florida International University.