A critical security vulnerability dubbed ‘Heartbleed’ (CVE-2014-0160) was announced on Monday night after being discovered by a member of the Google security team. It is widely considered to be one of the most serious security flaws in the history of the internet: the faulty code was added in December 2011 and shipped in released versions from March 2012, so the flaw has potentially been exploitable for more than two years. Heartbleed is a bug in OpenSSL, the software library that a large share of web servers use to provide the encrypted connection behind a secure web address (the https:// part); OpenSSL is estimated to be used by more than 60% of all secure websites around the world.
Heartbleed is a flaw in the ‘heartbeat’ extension, a small keep-alive message that lets a server and client confirm a connection is still open, which is how the bug earned its name. A heartbeat message states how much data it carries and asks the other side to echo that data back. Vulnerable versions of OpenSSL do not check that stated length against the amount of data actually received, so an attacker can send a tiny message that claims to be large and receive up to 64 KB of whatever happens to be in the server’s memory in reply, and can repeat this as often as they like without leaving any trace in normal logs. That memory can include private information such as usernames, passwords, credit card numbers and contact details. It can also contain the server’s private encryption key, which would allow an attacker to impersonate the server they are attacking.
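To make the mechanism above concrete, here is a small illustrative model added to this page; it is not OpenSSL’s code and not STEP’s, and the memory layout, the planted “secret” cookie and the function names are all constructed for the demonstration. It builds a heartbeat request whose header claims 200 bytes of payload while only 5 bytes follow, then shows that a responder which trusts the claimed length echoes back memory beyond the request (including the planted secret), while the same responder with the one-line bounds check the fix introduced discards the request and still answers an honest one correctly.

```c
#include <stdint.h>
#include <string.h>

/* Simplified model of a TLS heartbeat record (RFC 6520): one type byte, a
 * two-byte big-endian payload_length, the payload, then at least 16 bytes
 * of padding. Illustrative reconstruction, not OpenSSL's code. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3    /* type byte + 2-byte payload_length */
#define HB_PADDING  16   /* minimum padding required by RFC 6520 */

/* Constructed stand-in for server memory: the incoming record is parsed at
 * offset 0 and, as can happen on a real heap, data from an earlier request
 * sits a little further along. The "secret" is invented for this demo. */
#define MEM_SIZE   256
#define SECRET_OFF 96
static const char SECRET[] = "Cookie: session=4f3c9a; user=alice";
static unsigned char process_memory[MEM_SIZE];

/* Write a heartbeat request whose header claims claimed_len payload bytes
 * while only actual_len bytes really follow. Returns the record length. */
static size_t build_request(unsigned char *buf, uint16_t claimed_len,
                            const char *payload, size_t actual_len) {
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(claimed_len >> 8);
    buf[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(buf + HB_HEADER, payload, actual_len);
    memset(buf + HB_HEADER + actual_len, 0, HB_PADDING);
    return HB_HEADER + actual_len + HB_PADDING;
}

/* Heartbeat responder. With check_bounds == 0 it behaves like vulnerable
 * OpenSSL: it trusts the peer-supplied length and echoes that many bytes
 * from wherever the record sits in memory. With check_bounds == 1 it applies
 * the test the 1.0.1g fix added: drop the record if header + claimed payload
 * + padding exceeds the number of bytes that actually arrived. */
static int heartbeat_respond(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t *out_len,
                             int check_bounds) {
    if (rec_len < (size_t)(HB_HEADER + HB_PADDING))
        return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (check_bounds && (size_t)HB_HEADER + payload_len + HB_PADDING > rec_len)
        return -1;                      /* malformed: silently discard */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len); /* over-read if unchecked */
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    *out_len = HB_HEADER + payload_len + HB_PADDING;
    return 0;
}

/* Byte-string search (memmem is not standard C). */
static int contains(const unsigned char *hay, size_t hay_len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Plant the secret, send a 5-byte "hello" request claiming claimed_len bytes,
 * and return the responder's status; the reply lands in out/out_len. */
static int run(uint16_t claimed_len, int check_bounds,
               unsigned char *out, size_t *out_len) {
    memset(process_memory, 0, sizeof process_memory);
    memcpy(process_memory + SECRET_OFF, SECRET, sizeof SECRET);
    size_t rec_len = build_request(process_memory, claimed_len, "hello", 5);
    return heartbeat_respond(process_memory, rec_len, out, out_len, check_bounds);
}

/* 1 if the unchecked responder, asked for 200 bytes, returns the secret. */
int vulnerable_leaks_secret(void) {
    unsigned char out[512]; size_t n = 0;
    return run(200, 0, out, &n) == 0 && contains(out, n, SECRET);
}

/* 1 if the checked responder refuses the same over-long claim. */
int fixed_rejects_request(void) {
    unsigned char out[512]; size_t n = 0;
    return run(200, 1, out, &n) != 0;
}

/* 1 if the checked responder still echoes an honest 5-byte request, and
 * nothing beyond it. */
int fixed_echoes_valid_request(void) {
    unsigned char out[512]; size_t n = 0;
    return run(5, 1, out, &n) == 0 && n == (size_t)(HB_HEADER + 5 + HB_PADDING)
        && memcmp(out + HB_HEADER, "hello", 5) == 0 && !contains(out, n, SECRET);
}
```

The model keeps the over-read inside its own array so it runs cleanly; in a real server the same copy walks past the request into neighbouring heap allocations, which is why the leaked data changes from one request to the next and why repeated requests gradually expose more of the process.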
The good news is that a fix is already available and the majority of website hosts have already applied it. A patch alone is not enough, however: because the flaw could have been used to read passwords and keys before it was fixed, site operators should also replace their security certificates, and users need to change their passwords before the security of their personal information can be assured.
What does this mean for STEP?
- STEP’s website host provider was vulnerable to this flaw; however, we have already taken action to ensure that all services provided to both members and staff are now secure
- Whilst the STEP site was vulnerable, we have no reason to believe we have suffered a breach of security
- We have also reached out to all our service providers and have confirmation that no breach was incurred on any of the sites they host
What does this mean for members?
- As a precaution, STEP advises all members to change their password on our website
- We do not store credit card or payment information on our site. However, we would like to take every precaution to ensure your security; this is especially important as many people reuse the same password across multiple websites
- Heartbleed has affected many websites: the figure usually quoted is that the affected software is used by as many as 66% of all secure websites worldwide, although not every one of those was running a vulnerable version
- The problem has to be fixed at two levels: first, the host of a website needs to apply the patch (and, strictly, replace the site’s security certificate in case its private key was exposed), which the majority of hosts have now done. Once the patch is in place, you should then change your password
- This applies to every website that you store sensitive information on (shopping sites, email and social media are the most common), not just the STEP site
Not all websites have made the necessary security changes. Until the host of a website resolves the issue, changing your password will not offer you any protection, because the new password could be read in exactly the same way as the old one. If you are unsure as to whether a site has applied the fix you can use this checker. You can also find a list of high profile UK websites and their statuses here and other popular websites here. If you use any of the websites listed as fixed, you should change your password there immediately.
Again, STEP has taken measures to protect the website and our members’ data from Heartbleed, and there is no indication that it has been compromised. The most important thing to remember is to change your passwords on websites that have fixed the problem. If a website is yet to fix the problem, wait until it has done so before changing your password, as a password entered on a still-vulnerable site could itself be exposed. If you have any queries about Heartbleed and what you need to do, please feel free to contact me.
James Harris is STEP’s Information Technology Manager. For more information on cyber security, check out this article from the STEP Journal