The Heartbleed Bug – What’s going on!?

Image Source: Mashable.com

The internet is abuzz with reports on the Heartbleed Bug and how it could be one of the biggest security threats the Internet has ever seen. Earlier this week, security researchers announced a security flaw in OpenSSL (a popular data encryption standard) that gives hackers the ability to extract massive amount of data from the services that we use every day and assume are mostly secure. The bug has exposed the potential vulnerability on any machines powering services that transmit secure information, like Facebook and Gmail.

At LogicBoxes, we have already implemented remedial measures so as to secure the Businesses of our Partners from any further security threats due to this bug. In this blog post we’ll take you through:

• What is the Heartbleed bug?
• What steps are we taking?
• What steps should you be taking?

What is the Heartbleed Bug?

Heartbleed is a flaw in OpenSSL, the open-source encryption standard used by majority of sites on the web to encrypt transmitted data that users want to keep secure. It basically gives you a “secure line” when you’re sending an email or chatting on IM. Encryption works by making the data that is sent, look like illogical to anyone but the intended recipient.

Occasionally, one computer might want to check that there’s still a computer at the end of its secure connection, so it will send out what’s known as a “heartbeat,” a small packet of data that asks for a response.

Due to a programming error in the implementation of OpenSSL, the researchers found that it was possible to send a well-disguised packet of data that looked like one of these heartbeats to trick the computer at the other end of a connection into sending over data stored in its memory.

How bad is that?

It is really bad. Web servers can keep a lot of information in their active memory, including usernames, passwords, and even the content that users have uploaded to a service. This flaw, however, has worse implications as it makes it possible for hackers to steal encryption keys – the codes used to turn gibberish encrypted data into readable information. With encryption keys, hackers can intercept encrypted data moving to and from a site’s servers and read it without establishing a secure connection. This means that unless the companies running vulnerable servers change their keys, even future traffic will be susceptible.

What steps are we taking?

The security of our Partners and their customers is our top priority. We began addressing this issue immediately upon disclosure and have successfully applied patches to all of our platforms. The likelihood that private information was compromised is very minimal due to the lack of a public exploit at the time of the disclosure.

We have updated the OpenSSL packages installed on all our Linux shared hosting servers. We have also re-issued Digital Certificates on affected web servers after moving to a patched version of OpenSSL.

As always, we will continue to work to protect the security of our Partners and their data.

What steps should you be taking?

The Heartbleed bug makes it practically impossible to detect history of abuse, but to be on the safer side, we strongly recommend that you change your Account passwords and also notify your customers to change their passwords. Not just that, we suggest that you should also change your passwords at other 3^rd Party Services like Gmail, Facebook, etc.

For Partners selling Hosting and/or SSL certificates through us:

• If you / your customers have purchased both Hosting and SSL Certificates for an installation from LogicBoxes, follow steps 1 and 3 below
• If you / your customers have purchased Hosting from LogicBoxes and have SSL enabled on it with an SSL Certificate from a 3rd party vendor for your installation, follow steps 2 and 3 below
• If you / your customers have purchased SSL Certificated from LogicBoxes but host with a 3rd party provider, follow step 1 below and reinstall the Certificate according to the instructions of your hosting provider
  1. Re-issue the SSL certificate from the OrderBox control panel by referring to the steps mentioned in the following KB article : http://manage.logicboxes.com/kb/servlet/KBServlet/faq1094.html
  2. Contact the SSL Certificate vendor to re-issue the SSL certificate. Once the SSL certificates are re-issued, you will need to install the new certificates under the hosting packages
  3. Install the reissued SSL Certificate by following the instructions relevant to you from the below options:
     • For cPanel
     • For Plesk
• Also, partners reselling Hosting through us can use the force password reset option in WHM to ensure that all your hosting customers change their passwords

For Partners using LogicBoxes API:

We strongly recommend that you regenerate your API key by logging into your Control Panel and navigating to Settings >> API and clicking on the ‘Regenerate’ icon to get your revised API key. Update your API calls to use the new key.

Further Reading

• The Heartbleed Bug website – http://heartbleed.com/
• How to Protect Yourself From the Heartbleed Bug – Read Article
• The Heartbleed Hit List: The Passwords You Need to Change Right Now – Read Article

If you are a Logicboxes Partner and require any further information regarding the Heartbleed Bug, please feel free to get in touch your Account Manager.

That’s it for our update on the Heartbleed bug. Have something to add to this post? Do share it in the comments.

Amreen Bhujwala

Arsenal, Per Mertesacker and Product Marketing form the three core parts of Amreen’s day to day life. A former goalkeeper for a local football club, Amreen is one of the friendliest bookworms you’ll ever come across.