On April 7 a serious security vulnerability (CVE-2014-0160), code name Heartbleed, was disclosed in the OpenSSL library. Like much of the internet, I responded to this critical issue by conducting a security review of our servers to ensure my friends and clients are safe.
I can say with certainty, that none of your information has been exploited by this security vulnerability.
Why we were not affected:
Multiple things have to line up in order for this bug to lead to successful exploitation:
- The site has to implement SSL in the first place – no SSL means no OpenSSL means no Heartbleed bug.
- The site has to be running OpenSSL. That rules out a significant chunk of the internet, including most IIS websites.
- The OpenSSL version has to be somewhere between 1.0.1 and 1.0.1f; anything older or newer and the bug isn’t present.
- An attacker needs to have had access to an at-risk environment somewhere between learning of the bug and it being patched by the provider.
- If all these things line up, there must have been something useful and retrievable from memory at the time of the attack. That’s highly likely in all but the most dormant sites.
OpenSSL is free open source software. The developers that run the project don’t have a lot of money or time to continue updating it. We have been running version 1.0.0 since March 2010. That is to say, we were running an older version of openSSL, one before the bug was introduced.
I have since upgrade Web Hive’s servers to the latest version of openSSL so we are secure against any future attacks of this kind.
If you own a website with another hosting provider, be sure to update all of your passwords to be safe. If you have SSL certificates for eCommerce and you’ve been affected by ‘heartbleed’, you will need to have your certificates re-issued before revoking the old ones (yes, this would mean buying new certificates), but only after the vulnerability has been patched by an update to openSSL on that server.
If you would like more information about the Heartbleed bug, you can visit: http://heartbleed.com/
All the best,