You may have heard a bit about Heartbleed recently. The announcement last week of a flaw in OpenSSL, the open source software which provides the SSL encryption for most of the biggest sites on the internet, sent many of us scrambling to update our servers.
The bug was caused by a pretty simple coding mistake – essentially just failing to validate some inputs – but the ramifications of this vulnerability were very serious. Under the right circumstances, an attacker could trick the server into revealing data held in the server’s memory. This could include usernames, passwords, and other sensitive data, but most dangerous of all, it could have exposed the private encryption keys which are used to protect the privacy and integrity of data transferred across the internet.
The patch to the OpenSSL software was quickly released, removing the cause of the vulnerability. But, because the private keys may have been compromised, all security certificates had to be revoked, reissued, and installed on any affected server, after the patched version of OpenSSL had been installed.
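To make the “failing to validate some inputs” point concrete, here is a small added illustration in C (constructed for this notice; it is not OpenSSL’s code and does not reproduce its API). It simulates a process memory region in which a received message is followed by unrelated data, and shows a handler that trusts the length field inside the message next to one that checks it against the number of bytes actually received. All names, the record layout and the sample data are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a simulated region of server memory. The received
 * record is placed at the start; the bytes after it stand in for unrelated
 * data (credentials, keys) that happens to sit next to it in memory. */
#define MEM_SIZE 64
static unsigned char mem[MEM_SIZE];

/* Assumed record layout: [1 byte type][2 byte claimed payload length][payload...]
 * Returns the number of bytes that actually arrived on the wire. */
static size_t build_record(uint16_t claimed_len, const char *payload) {
    size_t plen = strlen(payload);
    memset(mem, 0, sizeof mem);
    mem[0] = 1;
    mem[1] = (unsigned char)(claimed_len >> 8);
    mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(mem + 3, payload, plen);
    /* Constructed stand-in for sensitive data adjacent in memory. */
    memcpy(mem + 3 + plen, "SECRET-DATA", 11);
    return 3 + plen;
}

/* Vulnerable pattern: copies as many bytes as the sender *claims* were sent,
 * never consulting how many bytes were actually received. */
static size_t echo_trusting_length(size_t received, unsigned char *out, size_t out_cap) {
    uint16_t claimed = (uint16_t)((mem[1] << 8) | mem[2]);
    (void)received;                       /* the missing check is the bug */
    if (claimed > out_cap || claimed > MEM_SIZE - 3)
        claimed = (uint16_t)(out_cap < MEM_SIZE - 3 ? out_cap : MEM_SIZE - 3); /* keeps the demo itself in bounds */
    memcpy(out, mem + 3, claimed);
    return claimed;
}

/* Hardened pattern: the claimed length is validated against the bytes that
 * actually arrived, and the record is dropped if it does not fit. */
static size_t echo_checked_length(size_t received, unsigned char *out, size_t out_cap) {
    if (received < 3) return 0;
    uint16_t claimed = (uint16_t)((mem[1] << 8) | mem[2]);
    if ((size_t)claimed > received - 3) return 0;   /* claims more than was sent */
    if ((size_t)claimed > out_cap) return 0;
    memcpy(out, mem + 3, claimed);
    return claimed;
}

/* Returns 1 if the trusting handler copies the adjacent secret into the reply. */
int trusting_handler_leaks(void) {
    unsigned char out[64];
    size_t received = build_record(20, "hi");      /* 2-byte payload, claims 20 */
    size_t n = echo_trusting_length(received, out, sizeof out);
    return n == 20 && memcmp(out + 2, "SECRET-DATA", 11) == 0;
}

/* Returns 1 if the checked handler refuses the over-long claim. */
int checked_handler_rejects_oversized(void) {
    unsigned char out[64];
    size_t received = build_record(20, "hi");
    return echo_checked_length(received, out, sizeof out) == 0;
}

/* Returns 1 if the checked handler still echoes a well-formed record. */
int checked_handler_echoes_valid(void) {
    unsigned char out[64];
    size_t received = build_record(2, "hi");       /* claim matches payload */
    size_t n = echo_checked_length(received, out, sizeof out);
    return n == 2 && memcmp(out, "hi", 2) == 0;
}

int main(void) {
    printf("trusting handler leaks adjacent memory: %d\n", trusting_handler_leaks());
    printf("checked handler rejects oversized claim: %d\n", checked_handler_rejects_oversized());
    printf("checked handler echoes valid record:     %d\n", checked_handler_echoes_valid());
    return 0;
}
```

The only difference between the two handlers is the single comparison of the claimed length against the bytes actually received; that is the shape of the check the patch added, and why a fix could be shipped so quickly once the cause was known.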
What does this mean for me?
Our SMART platform (all accounts through the www.impactdata.com.au login portal) was unaffected by this bug. If you only use the SMART platform, you don’t need to do anything.
Our SQUAWKBOX platform uses OpenSSL to encrypt internet traffic, so it was affected by this bug. Thanks to the rapid response from the technical team at Impact Data, working with our hosting provider, we were able to roll out the security patches only hours after the bug was announced last Tuesday. Our security certificates were then revoked, reissued by the provider, and reinstalled.
The platform is now up to date with the most recent security and encryption software, but there remains the possibility that your password was compromised before the security update was installed. As a precautionary measure, we advise that you change your password.