If the Canada Revenue Agency shuts its site because of a software security bug, then it must be serious. Heartbleed, a new and devastating bug discovered by security researchers, caused the CRA to take the public facing part of its website offline Wednesday. (See Investment Executive, Canadian online banking unaffected by Heartbleed: CBA, April 9, 2014.)
What is it, and why should financial advisors be worried?
> What Heartbleed does
Heartbleed is a security vulnerability in a piece of software used by at least two-thirds of the Internet: OpenSSL. This software provides secure access to web sites, using digital “keys” that are generally stored on a computing server.
The attack allows hackers to read a small amount of memory on the server, giving them a peek at the digital keys held in memory.
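To make the "peek at memory" concrete, here is an added Python model that is not part of the article and not OpenSSL code: a toy heartbeat handler whose request carries its own length field. The vulnerable version trusts that field and copies whatever sits beyond the request, while the patched version applies the bounds check that the OpenSSL fix added. The "server memory" bytes, the record layout and all function names are constructed for the illustration and do not reproduce the real TLS framing.

```python
# Added example, not from the article: an in-process model of the unchecked
# heartbeat length that Heartbleed abused, beside the bounds check that fixes it.
import struct
from typing import Optional

# Constructed "server memory": a fake credential and key fragment that happen
# to sit in the process right after where a heartbeat request is staged.
SERVER_MEMORY = bytearray(
    b"user=advisor;pass=Correct-Horse-Battery\x00"
    b"-----BEGIN PRIVATE KEY-----MIIEvQIB...(constructed)\x00"
)

HEADER_LEN = 3    # 1-byte message type + 2-byte claimed payload length
PADDING_LEN = 16  # the heartbeat spec requires at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Build a toy heartbeat record; claimed_len may disagree with len(payload)."""
    return struct.pack("!BH", 1, claimed_len) + payload + b"\x00" * PADDING_LEN


def vulnerable_heartbeat(record: bytes, memory: bytearray) -> bytes:
    """Echo claimed_len bytes back without checking the record is that long.

    The request is staged in front of other process memory; a claimed length
    larger than the real payload walks straight into that memory.
    """
    _msg_type, claimed_len = struct.unpack("!BH", record[:HEADER_LEN])
    staged = bytearray(record) + memory
    return bytes(staged[HEADER_LEN:HEADER_LEN + claimed_len])


def patched_heartbeat(record: bytes, memory: bytearray) -> Optional[bytes]:
    """Same echo, but the claimed length must fit inside the received record.

    This mirrors the shape of the OpenSSL fix: header + payload + padding must
    not exceed the record length, otherwise the heartbeat is silently dropped.
    """
    _msg_type, claimed_len = struct.unpack("!BH", record[:HEADER_LEN])
    if HEADER_LEN + claimed_len + PADDING_LEN > len(record):
        return None
    staged = bytearray(record) + memory
    return bytes(staged[HEADER_LEN:HEADER_LEN + claimed_len])


def leaked_secret(memory: bytearray = SERVER_MEMORY) -> bool:
    """Return True if an over-long claimed length exposes the fake credential."""
    over_long = build_heartbeat(b"hello", 5 + PADDING_LEN + len(memory))
    return b"pass=Correct-Horse-Battery" in vulnerable_heartbeat(over_long, memory)


if __name__ == "__main__":
    honest = build_heartbeat(b"hello", 5)
    print("honest request, patched handler:", patched_heartbeat(honest, SERVER_MEMORY))
    print("over-long request leaks secret from vulnerable handler:", leaked_secret())
```

The point for a defender is in `patched_heartbeat`: one comparison between what the request claims and what actually arrived is the whole fix, and its absence is why the leak left no error or log entry on the server side.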
> What it means in practice
Heartbleed is the digital equivalent of giving someone a second key to your house. Anyone who grabs these keys can gain access to everything on the server, including administrative credentials, access to encrypted files and the ability to eavesdrop on secure communications.
It also enables attackers to gain access to user credentials, enabling them to impersonate that user. All financial advisors must log into web sites to conduct transactions for or on behalf of their clients. Now, you could find someone else pretending to be you, with potentially disastrous ramifications.
> What sites Heartbleed affects
The CRA’s site, for one. The same goes for banking services, social networking sites and many other sites you log into. Because OpenSSL is also used by a significant number of email and instant-messaging (IM) services and by some virtual private networks (VPNs), these communications could be affected, too. And if your own computer’s operating system software is not up to date, connecting to a compromised site could theoretically allow your own computer to be attacked as well.
> How can we fix it?
The web sites have to fix it. There are later versions of OpenSSL that aren’t vulnerable to this bug, and if the sites were using these when you signed up, then you’re unlikely to be vulnerable.
But many sites will be vulnerable, and the first thing that has to happen is that they have to upgrade their OpenSSL software. They must also replace the digital certificates stored on their sites, along with the keys behind them, because those keys may have been compromised already.
> What should you do now?
You’ll need to assess the risk for any web site that holds your sensitive data, or that of your clients. Quickly make a list of which sites contain the most sensitive information, and start from there.
Contact each site to find out what their status is, whether they were vulnerable, whether they’ve been patched and whether they have changed their keys. Then, when you’re sure that this has been done, change your passwords, because if keys were compromised, then your passwords will have been, too.
Even if your service provider says that there is no evidence of a compromise, changing your passwords is important. The critical thing here is that the Heartbleed vulnerability is exploitable without leaving any trace that an attacker was there. That means hackers could have stolen passwords without anyone knowing. It’s wise not to tempt fate, especially if you’re dealing with other people’s data as well as your own.
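One of the checks above, "whether they have changed their keys", can be partly automated: a site that replaced its certificate after the bug became public will present a certificate whose validity start date is later than the disclosure. The following Python is an added example, not part of the article, and uses only the standard library. `DISCLOSURE_DATE` (7 April 2014) is the date the bug was publicly announced; the `fetch_peer_cert` helper performs a real TLS connection and is only for interactive use, while the two sample certificate dictionaries are constructed to match the shape `ssl.SSLSocket.getpeercert()` returns.

```python
# Added example, not from the article: triage the certificate date of a site
# you rely on, to see whether it was reissued after Heartbleed was disclosed.
import socket
import ssl
from typing import Dict

# Heartbleed was announced publicly on 7 April 2014.
DISCLOSURE_DATE = "Apr 07 00:00:00 2014 GMT"
DISCLOSURE_TS = ssl.cert_time_to_seconds(DISCLOSURE_DATE)


def cert_reissued_after_disclosure(cert: Dict[str, str]) -> bool:
    """True if the certificate's notBefore is later than the disclosure date.

    `cert` is the dictionary returned by SSLSocket.getpeercert(); its date
    fields use the "%b %d %H:%M:%S %Y GMT" format that ssl.cert_time_to_seconds
    parses.
    """
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    return not_before > DISCLOSURE_TS


def triage(sites: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each site name to a short verdict for the advisor's checklist."""
    verdicts = {}
    for name, cert in sites.items():
        if cert_reissued_after_disclosure(cert):
            verdicts[name] = "certificate reissued after disclosure; confirm the key was replaced, then change your password"
        else:
            verdicts[name] = "certificate predates disclosure; ask the provider whether it was vulnerable and when keys will be rotated"
    return verdicts


def fetch_peer_cert(host: str, port: int = 443) -> Dict[str, str]:
    """Fetch a live certificate (network access required; not used in tests)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() shape; not real sites.
SAMPLE_SITES = {
    "portal.example": {
        "notBefore": "Mar 12 00:00:00 2013 GMT",
        "notAfter": "Mar 12 23:59:59 2015 GMT",
    },
    "bank.example": {
        "notBefore": "Apr 10 14:00:00 2014 GMT",
        "notAfter": "Apr 10 23:59:59 2016 GMT",
    },
}

if __name__ == "__main__":
    for site, verdict in triage(SAMPLE_SITES).items():
        print(f"{site}: {verdict}")
```

The caveat, which the verdict text deliberately carries, is that a fresh certificate date proves only that a new certificate was issued; a provider can reissue a certificate on the same private key, which would leave the key exposure the article describes unresolved. The date check is a prompt for the conversation with the provider, not a substitute for their confirmation that keys were rotated.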
Some of the key linchpins of the web, such as Amazon (which hosts lots of well-known web sites), have already patched and replaced their certificates, so things are improving.
But we’re not out of the woods yet. This is potentially the biggest single security flaw ever to have hit the Internet.