SECURITY ADVISORY: Heartbleed Security Bug
Does it affect me? Probably yes.
Heartbleed is a significant security bug and we recommend that you pay attention to advice from your application and IT vendors. Generally speaking, it has not affected IT systems belonging to our clients, but it may have impacted online services you use.
This includes Google (GMail etc), Facebook, Yahoo Mail, Amazon Web Services, Dropbox, PayPal, LogMeIn, GE Money, Coles Myer Card Accounts and other providers. About 17% of all secure web servers were potentially impacted by the bug for some period of time.
This does not mean that these sites WERE compromised. It means that there WAS A RISK that they were compromised during the period between the bug being discovered and the web servers being patched to remove it.
What is it?
Many websites encrypt the data that flows between the website and your computer, so the data (including usernames, passwords and other personal information) cannot be viewed by others. Many popular sites use an encryption technology called OpenSSL, which is a free product developed by the internet community.
To maintain the secure encrypted connection, your computer sends the website some data, and the website responds back to your computer. This is called a heartbeat.
The information that is returned is supposed to be the same amount of data that your computer sent to the site. However, OpenSSL contained a bug that allowed a malicious hacker to send a heartbeat containing very little data while tricking the website into returning much more than was originally sent.
This 'additional data' comes from the web server's memory. What the extra data contains depends on the particular system, but it may include usernames and passwords of other users who have recently accessed the website.
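To make the mechanism above concrete, here is an added toy simulation (not OpenSSL's code and not part of this advisory) of how a heartbeat is handled. A heartbeat message carries a claimed payload length; the flawed handler copies that many bytes back without checking the claim against the size of the message actually received, while the fixed handler discards any heartbeat whose claimed length does not fit. The "server memory" buffer and the other session's data in it are constructed for illustration.

```python
# Added example: toy simulation of the heartbeat bounds check, not OpenSSL's code.
# Heartbeat layout (after RFC 6520): 1-byte type, 2-byte claimed payload length,
# the payload, then at least 16 bytes of padding.
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3          # type (1 byte) + length (2 bytes)
MIN_PADDING = 16

# Constructed "server memory": the received record is followed by unrelated data
# left over from another user's session. This value is made up for the example.
OTHER_SESSION_DATA = b"user=alice&password=hunter2"


def build_heartbeat(payload: bytes) -> bytes:
    """Build a well-formed heartbeat request whose claimed length is honest."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, len(payload)) + payload + b"\x00" * MIN_PADDING


def place_in_memory(record: bytes) -> bytes:
    """Simulate the record sitting in a buffer next to other sessions' data."""
    return record + OTHER_SESSION_DATA


def respond_vulnerable(memory: bytes, record_len: int) -> bytes:
    """Flawed handler: trusts the claimed length and never compares it to record_len,
    so it copies past the end of the received record into neighbouring memory."""
    msg_type, claimed_len = struct.unpack("!BH", memory[:HEADER_LEN])
    if msg_type != HEARTBEAT_REQUEST:
        return b""
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed_len) + memory[HEADER_LEN:HEADER_LEN + claimed_len]


def respond_fixed(memory: bytes, record_len: int) -> Optional[bytes]:
    """Fixed handler: the claimed payload plus header and padding must fit inside
    the record that was actually received; otherwise the heartbeat is dropped."""
    if record_len < HEADER_LEN + MIN_PADDING:
        return None
    msg_type, claimed_len = struct.unpack("!BH", memory[:HEADER_LEN])
    if msg_type != HEARTBEAT_REQUEST:
        return b""
    if HEADER_LEN + claimed_len + MIN_PADDING > record_len:
        return None  # silently discard the malformed heartbeat
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed_len) + memory[HEADER_LEN:HEADER_LEN + claimed_len]


def demo() -> dict:
    """Run an honest heartbeat and a malformed one through both handlers."""
    honest = build_heartbeat(b"ping")
    # Malformed: claims 40 bytes of payload but only carries 2 (constructed input).
    malformed = struct.pack("!BH", HEARTBEAT_REQUEST, 40) + b"hi" + b"\x00" * MIN_PADDING
    return {
        "honest_vulnerable": respond_vulnerable(place_in_memory(honest), len(honest)),
        "honest_fixed": respond_fixed(place_in_memory(honest), len(honest)),
        "malformed_vulnerable": respond_vulnerable(place_in_memory(malformed), len(malformed)),
        "malformed_fixed": respond_fixed(place_in_memory(malformed), len(malformed)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running the script shows both handlers answering the honest heartbeat identically, while only the flawed handler answers the malformed one, and its reply contains bytes from the other session's data. The single added comparison in respond_fixed is the whole difference; patching OpenSSL added exactly that kind of check, which is why the advice above is to apply vendor updates and then rotate passwords.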
Act prudently but don't panic - the risk of your specific data having been stolen is fairly small, but it is possible. Therefore, we recommend:
- Change your passwords for any of the systems mentioned above, or for any system where the vendor has recommended a password change (this is good practice anyway).
- Do not use the same password for different systems - if one is compromised, hackers can gain access to all of your other accounts.
- If any of your IT vendors make recommendations for updating your own IT infrastructure, speak to your IT support team for advice on how to proceed.