As many as 10 percent of Australian businesses were affected by the recently disclosed Heartbleed bug, and security experts say Google “bungled” the entire situation. The bug, which exposes sensitive data to hackers, was first discovered in March by Neel Mehta of Google Security and then independently by security firm Codenomicon in April. The issue was only made public on April 7, after Google informed OpenSSL about it.
Its Impact on Australian Businesses
The vulnerability had a significant impact on Australian businesses and ordinary Internet users. In fact, one technology writer revealed in a post that 10 percent of 200 ASX-listed companies were affected. That includes CERT Australia, the organization that is supposed to coordinate information about digital threats. Several GE Money sites were also among those vulnerable to attacks because of Heartbleed.
At least 500,000 sites have been found to be vulnerable. These include the Coles Mastercard and Myer Card websites.
Data security is crucial to businesses. It’s important that companies can secure their customers’ data because, as one security expert puts it, Heartbleed is catastrophic. And since banks are among the businesses most critically affected by security issues, it’s important that clients are aware of the preventive measures their banks are implementing.
CNET Australia contacted several banks to find out what measures they’ve taken to protect customer data, as well as for advice on how customers can ensure their data is secure. All the banks they talked with confirmed that their sites were not affected by the bug, and most did not recommend that customers change their passwords. CNET also talked to other major businesses like PayPal, Yahoo 7 and ANZ and got the same response. However, Yahoo 7 did not answer whether customers need to change their passwords, while ANZ recommended updating passwords regularly. GE Money says its customers’ data has not been compromised but nonetheless urged its customers to change their passwords.
Websites Aren’t the Only Ones Affected
The impact of Heartbleed isn’t limited to websites. A Yahoo! news report said that it also affected equipment that connects to the Internet, including routers, firewalls, and switches. Because these products can contain the bug, information passed through them, such as usernames, passwords, and credit card details, is also susceptible to hacking. Cisco and Juniper, two of the largest makers of networking equipment, have confirmed this.
Changing passwords may not be enough to protect your data if the equipment is vulnerable. While it’s easy to fix websites by installing updates, networking equipment needs fixed firmware from its manufacturers.
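Installing the update is only half the job; confirming it actually landed on every host is the other half. The following is an added example, not code from the original article: it classifies `openssl version` banners by the upstream versions that carried the bug (1.0.1 through 1.0.1f and 1.0.2-beta1; fixed in 1.0.1g and 1.0.2-beta2; 1.0.0 and 0.9.8 were never affected). The host names and banners in the inventory are constructed sample data.

```python
import re

# Matches the "OpenSSL 1.0.1e 11 Feb 2013" / "OpenSSL 1.0.2-beta1 24 Feb 2014"
# banner formats printed by `openssl version`.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_version(banner):
    """Turn an `openssl version` banner into (major, minor, fix, letter, beta)."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letter, beta = m.groups()
    return (int(major), int(minor), int(fix), letter, int(beta) if beta else None)


def heartbleed_status(banner):
    """Return 'vulnerable', 'fixed' or 'unaffected' for one version banner.

    Caveat: the verdict is based on upstream version numbers only. Distribution
    packages often backport the fix without changing the reported version, so a
    'vulnerable' result is a prompt to check the package changelog, not proof
    of exposure.
    """
    major, minor, fix, letter, beta = parse_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are vulnerable; 1.0.1g fixed it.
        return "vulnerable" if letter < "g" else "fixed"
    if (major, minor, fix) == (1, 0, 2):
        # Only 1.0.2-beta1 shipped the bug; beta2 and later releases were fixed.
        return "vulnerable" if beta == 1 else "fixed"
    return "unaffected"


# Constructed sample: what a fleet inventory of `openssl version` output might look like.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy-db": "OpenSSL 0.9.8y 5 Feb 2013",
    "staging": "OpenSSL 1.0.2-beta1 24 Feb 2014",
}


def triage(inventory):
    """Map each host to its status so vulnerable hosts can be scheduled for patching."""
    return {host: heartbleed_status(banner) for host, banner in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print("%-10s %s" % (host, status))
```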
Google Failed to Disclose the Issue Immediately
It’s a bold move for the two companies to be transparent about the issue. One security and computer forensics professor commends Cisco and Juniper for being upfront with clients, which can’t be said of most companies, including Google.
Google has received flak for the way it responded to the discovery of the bug. The search engine giant patched its own systems in March, weeks before news about Heartbleed became public. Furthermore, a handful of other companies were also able to take countermeasures earlier than most businesses.
Many felt that Google failed to responsibly disclose the bug. IT security experts are calling it a selfish act, saying Google looked after its own interests first. Ordinary Internet users agree that there was a lack of responsible disclosure.
Many suspect that Google played favourites and deliberately withheld the critical information from rivals like Yahoo. Sites like Flickr and other Yahoo web services remained vulnerable to the bug, while Facebook, CloudFlare, and Akamai seemed to have had a heads-up and were able to patch their systems before April 7, when the issue was made public.
But what’s most interesting is news that Google allegedly didn’t inform the government about Heartbleed when it should have. While it’s not surprising for companies to wait until they have patched their own systems before making any public announcement, keeping it from the federal government is another matter. Google’s delay could have left federal systems vulnerable to attacks.
According to a TIME article, the “NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report.”
So What Can You Do?
Heartbleed will have lingering effects. Because it stayed undetected for several years, there’s no telling how much information was compromised or what hackers can do with it. That’s bad for businesses.
It’s great that many companies have taken the necessary steps to minimize the consequences of this bug, but it’s even more important to take matters into your own hands. Be more proactive: change and update passwords regularly and strengthen your IT systems. Having the right IT infrastructure is critical. It is your lifeline.
If you’re unsure about your company’s Internet security, contact Greenlight now. We can help keep your IT systems up to date, reliable, and secure.