If you’re wondering whether all of the concern in the media regarding the recent Heartbleed vulnerability is real, I’d like to clarify what’s real, put it into perspective, and talk about how Best Attendance is affected.
First, yes, the vulnerability is real. Here’s some background on what it is. Many websites send data to your computer and back unencrypted, meaning that anyone with a modicum of computer networking knowledge, sitting between you and the website’s server, can potentially see everything you send it. The Heartbleed vulnerability does not affect these unencrypted websites.
Other websites, such as Best Attendance, your bank, Facebook, Gmail, and many others, encrypt their traffic before sending it. So even if someone were able to wiretap your connection, all they could see is gibberish, and without the server’s private encryption key it is effectively impossible for anyone to decrypt. Best Attendance uses this type of encryption (called SSL, or more precisely TLS), and this is what protects your data while it travels between your browser and our servers.
Which Websites Were Affected?
There are a variety of software packages that websites can use to provide this encryption. One of the most widely used is called OpenSSL, and it is this software that contains the Heartbleed bug. Not all websites use it, and those that don’t are not affected by Heartbleed. It has been reported that up to 66% of websites on the internet are running OpenSSL, but other data puts this number much lower.
Of the websites that do run OpenSSL, many are not vulnerable to Heartbleed. Only specific versions contain the bug: OpenSSL 1.0.1 through 1.0.1f (and the 1.0.2-beta1 pre-release). Websites running the older 1.0.0 or 0.9.8 branches, or the fixed 1.0.1g and later, are not affected.
However, many websites were running a version of OpenSSL that contained the Heartbleed bug. These include Facebook, Instagram, Twitter, Pinterest, Tumblr, Yahoo, Dropbox, OKCupid, and many, many others. OpenSSL is a very popular library. Best Attendance was also affected.
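For readers who administer a server, the quickest check is the string printed by `openssl version`. The following C program is an added example, not code from the original post or from OpenSSL: it parses that string and reports whether the release falls in the affected range stated above (1.0.1 through 1.0.1f, plus 1.0.2-beta1). The sample version strings in `main` are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed form of a version string such as "OpenSSL 1.0.1f 6 Jan 2014". */
struct ossl_version {
    int major, minor, fix;   /* the 1, 0 and 1 in 1.0.1 */
    char letter;             /* the 'f' in 1.0.1f, '\0' when absent */
    int beta;                /* N in "-betaN", 0 for a normal release */
};

/* Parses the output of `openssl version`. Returns 1 on success, 0 if the
   string does not start with a major.minor.fix triple. Anything after the
   version (build date, "-fips", a distro suffix) is ignored. */
int parse_openssl_version(const char *s, struct ossl_version *v)
{
    const char *prefix = "OpenSSL ";
    char *end;
    if (strncmp(s, prefix, strlen(prefix)) == 0)
        s += strlen(prefix);
    v->major = (int)strtol(s, &end, 10); if (*end != '.') return 0; s = end + 1;
    v->minor = (int)strtol(s, &end, 10); if (*end != '.') return 0; s = end + 1;
    v->fix   = (int)strtol(s, &end, 10); if (end == s)    return 0; s = end;
    v->letter = '\0';
    v->beta = 0;
    if (isalpha((unsigned char)*s)) {
        v->letter = (char)tolower((unsigned char)*s);
        s++;
    }
    if (strncmp(s, "-beta", 5) == 0) {
        v->beta = (int)strtol(s + 5, &end, 10);
        if (end == s + 5) return 0;
    }
    return 1;
}

/* Affected releases per the OpenSSL advisory: 1.0.1 up to and including
   1.0.1f, and 1.0.2-beta1. Everything else (0.9.8, 1.0.0, 1.0.1g+) is not. */
int version_has_heartbleed(const struct ossl_version *v)
{
    if (v->major == 1 && v->minor == 0 && v->fix == 1 && v->beta == 0)
        return v->letter <= 'f';     /* '\0' (plain 1.0.1) sorts before 'a' */
    if (v->major == 1 && v->minor == 0 && v->fix == 2 && v->beta == 1)
        return 1;
    return 0;
}

/* 1 = affected release, 0 = not affected, -1 = string could not be parsed. */
int check_version_string(const char *s)
{
    struct ossl_version v;
    if (!parse_openssl_version(s, &v))
        return -1;
    return version_has_heartbleed(&v);
}

int main(void)
{
    /* Constructed sample strings in the shape `openssl version` prints. */
    const char *samples[] = {
        "OpenSSL 1.0.1f 6 Jan 2014", "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.0l 6 Jan 2014", "OpenSSL 1.0.2-beta1 24 Feb 2014",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s -> %d\n", samples[i], check_version_string(samples[i]));
    return 0;
}
```

One caveat the version string cannot tell you: Linux distributions such as Debian, Ubuntu and Red Hat backported the fix into packages that still report 1.0.1e, so a "1" from this check on a distro-managed server means "look at the package changelog", not "definitely vulnerable". A "0" is reliable.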
What Does Heartbleed Do?
Essentially, the Heartbleed bug allowed an attacker to trick a server into sending back more data than it was supposed to. The bug lives in the TLS “heartbeat” extension, a keep-alive feature in which one side sends a short message and asks for it to be echoed back, stating in the message how long it is. Vulnerable versions of OpenSSL trusted that stated length without comparing it with how much had actually arrived, so a request carrying a few bytes but claiming up to 64 kilobytes was answered with those few bytes followed by whatever happened to sit next to them in the server’s memory. Certain things, like user passwords and the server’s private encryption key, are never meant to leave the server, but with Heartbleed some web servers were transmitting more than they should have. Sometimes what came back was completely harmless, but sensitive information could be included, depending on where that data happened to be stored in the computer’s memory. The attacker could not choose what came back and had to get lucky, hoping that the information they were fishing for happened to reside in the slice of memory the server returned; nothing, however, stopped them from repeating the request as often as they liked and receiving a different slice each time.
As of this writing, there is no public evidence that any websites were actually attacked, and none that anything a server was tricked into sending back was other than harmless. One caveat: an exploit attempt is a single message inside the encrypted connection, and ordinary web server logs do not record it, so a site that was attacked would usually have nothing to show for it. Since it is therefore possible that sensitive information was compromised without anyone noticing, website administrators are taking immediate mitigation measures.
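To make the description concrete, here is an added example in C that simulates the heartbeat exchange; it is not code from the original post or from OpenSSL. A single block of memory (`arena`) stands in for the server process: the received heartbeat record sits at the front and a made-up secret sits right after it, the way a password or key might in a real process. The vulnerable handler echoes as many bytes as the request claims; the fixed handler adds the same kind of bounds check that OpenSSL 1.0.1g introduced. The record layout, the padding size and the secret are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the server's memory: the received record at the
   front, whatever else the process held (here a made-up secret) right after. */
#define ARENA_SIZE  256
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: a heartbeat carries at least 16 bytes of padding */

static unsigned char arena[ARENA_SIZE];

/* Layout: [type][payload_length, big-endian][payload][padding][secret ...].
   `claimed` is the length the sender asserts; `payload` is what was really
   sent. Returns the number of record bytes that actually arrived. */
size_t build_arena(uint16_t claimed, const char *payload, const char *secret)
{
    size_t plen = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memcpy(arena + 3, payload, plen);
    size_t rec_len = 3 + plen + HB_PADDING;     /* padding bytes are left zero */
    memcpy(arena + rec_len, secret, strlen(secret));
    return rec_len;
}

/* Vulnerable handler, same shape as OpenSSL before 1.0.1g: it believes the
   length in the header and never compares it with rec_len, the number of
   bytes actually received. (The real code sized its reply buffer from the
   claim, so the write side was fine; the read side ran off the record.) */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    (void)rec_len;                               /* never consulted: the bug */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + claimed + HB_PADDING > out_cap)
        return 0;                                /* only keeps the demo inside `out` */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);           /* over-read past the real record */
    memset(out + 3 + claimed, 0, HB_PADDING);
    return 3 + claimed + HB_PADDING;
}

/* Fixed handler: if header + claimed payload + padding exceeds what arrived,
   the record is dropped without a reply, as RFC 6520 section 4 requires. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    if (rec_len < 3)
        return 0;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + claimed + HB_PADDING > rec_len)
        return 0;                                /* silently discard */
    if ((size_t)3 + claimed + HB_PADDING > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);
    memset(out + 3 + claimed, 0, HB_PADDING);
    return 3 + claimed + HB_PADDING;
}

/* 1 if `needle` occurs anywhere in the first n bytes of `hay`. */
int buffer_contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; m > 0 && i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Sends a 5-byte "hello" claiming `claimed` bytes through the vulnerable
   handler; returns 1 if the secret came back in the reply. */
int vulnerable_leaks_secret(uint16_t claimed)
{
    unsigned char out[ARENA_SIZE];
    size_t rec_len = build_arena(claimed, "hello", "SECRET:hunter2");
    size_t n = heartbeat_vulnerable(arena, rec_len, out, sizeof out);
    return buffer_contains(out, n, "SECRET:hunter2");
}

/* Same request through the fixed handler; returns the reply length (0 = dropped). */
size_t fixed_reply_length(uint16_t claimed)
{
    unsigned char out[ARENA_SIZE];
    size_t rec_len = build_arena(claimed, "hello", "SECRET:hunter2");
    return heartbeat_fixed(arena, rec_len, out, sizeof out);
}

int main(void)
{
    printf("honest request (claims 5):   leaks=%d, fixed reply=%zu bytes\n",
           vulnerable_leaks_secret(5), fixed_reply_length(5));
    printf("lying request (claims 100):  leaks=%d, fixed reply=%zu bytes\n",
           vulnerable_leaks_secret(100), fixed_reply_length(100));
    return 0;
}
```

The honest request is answered identically by both handlers; the lying one gets the secret back from the vulnerable handler and nothing at all from the fixed one. The real attack differed only in scale: the claimed length is a 16-bit field, so each request could pull up to 64 KB, and an attacker could send as many as they liked.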
What Is Being Done?
Fixing the problem takes three steps, and the order matters:
1. Upgrade OpenSSL to a version with the fix (1.0.1g or later, or a distribution package that has the fix backported), then restart every service that uses it, because a running process keeps the old library loaded until it is restarted.
2. Generate a new private key, obtain a new certificate for it, and revoke the old certificate, in case an attacker was able to read the old key. This must come after step 1: a key generated on a still-vulnerable server could be read out just like the one it replaces.
3. Reset all user sessions so that everyone is forced to log in again, and rotate any other secrets that sat in the server’s memory, such as session signing keys and database or API credentials.
Do I Need To Change My Password?
If an attack did occur, if the server did send back sensitive information, and if that happened while you were logging in to Best Attendance, there is a small possibility that your password was exposed. Of course it never hurts to change your password; if you do, do it now that the fix and the new certificates are in place, since a password changed on a still-vulnerable site could be exposed just like the old one.
But as a technology professional, it’s my opinion that the risk of compromise is incredibly small. I am not changing my personal passwords on any of my accounts, because I don’t think the risk is that great. But like I said, it never hurts if you do want to change your password to something different.
Best Attendance has taken all steps to eliminate the vulnerability from the Heartbleed bug so that you can rest assured knowing that your data is safe, encrypted, and backed up daily.
Take Attendance Online
Best Attendance is the easiest way for organizations to share event calendars, take attendance, update membership rosters, and communicate online. Try it free for 45 days.