What is the HeartBleed Bug?
By now, many of you have likely heard of the Heartbleed Bug. The severity of this kind of breach has been described as an 11 on a scale of 1 – 10. Why is it so severe? You can read the official introductory text below:
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
In layman’s terms, it means that for the last two years “security” has been virtually non-existent, since governments or hackers could easily decrypt your private communications after retrieving the private key from the server. Did this happen? No one knows yet. To be on the safe side, the security community has pushed out patches and is keeping everyone informed as events evolve.
Was WIConnect Affected?
First of all, a short technical overview of our network: all of our incoming traffic passes through a Linux perimeter firewall/gateway, is then routed and NATed (NAT stands for Network Address Translation) to your particular radio device, which in turn NATs the traffic to your LAN (Local Area Network). Any traffic that does reach your machine has already been completely filtered. Even if we allowed unfiltered inbound traffic, you would most likely be unaffected, since this ‘bug’ only targets the OpenSSL libraries that secure data transmitted to and from a ‘listening’ web service. Those OpenSSL libraries are far more likely to be on the remote server you connect to, unless you host your own secure services within your LAN that are reachable from the Internet.
Much more concerning is the possibility of data breaches in your accounts on publicly hosted mainstream services such as Google’s or Yahoo’s servers. The severity of the bug lies in the fact that vulnerable OpenSSL libraries return random contents of a server’s RAM (Random Access Memory); an attacker can recover the secret keys of that service from those contents and then use those keys to listen in on your private information as it travels to and from that machine.
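To make that mechanism concrete, here is an added C illustration (not code from OpenSSL or from this post) of the bug class: a heartbeat handler that trusts the peer-supplied length field, beside one that checks that length against the record actually received. The “process memory” and the key fragment next to the record are constructed stand-ins, not real data.

```c
#include <stddef.h>
#include <string.h>

/* Heartbeat record layout: 1 type byte, 2-byte big-endian payload length,
 * the payload, then at least 16 bytes of padding. */
#define HB_HEADER  3
#define HB_PADDING 16
#define RECORD_LEN (HB_HEADER + 4 + HB_PADDING)   /* 23: the honest record below */

/* Constructed stand-in for process memory: an honest heartbeat request carrying
 * the 4-byte payload "PING", followed by whatever happened to be allocated next
 * to it (here a made-up key fragment; not a real key). */
static const unsigned char g_memory[] =
    "\x01" "\x00\x04" "PING"
    "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
    "-----BEGIN PRIVATE KEY-----";

static size_t read_u16(const unsigned char *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Vulnerable shape: echoes back as many bytes as the peer's length field claims,
 * never comparing that claim with the size of the record actually received. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t record_len,
                            unsigned char *out, size_t out_cap) {
    (void)record_len;                      /* the missing check */
    size_t payload_len = read_u16(rec + 1);
    if (payload_len > out_cap) return 0;
    memcpy(out, rec + HB_HEADER, payload_len);   /* reads past the record */
    return payload_len;
}

/* Fixed shape: the claimed length must fit inside the bytes that arrived. */
size_t heartbeat_fixed(const unsigned char *rec, size_t record_len,
                       unsigned char *out, size_t out_cap) {
    if (record_len < HB_HEADER + HB_PADDING) return 0;
    size_t payload_len = read_u16(rec + 1);
    if (HB_HEADER + payload_len + HB_PADDING > record_len) return 0;  /* drop it */
    if (payload_len > out_cap) return 0;
    memcpy(out, rec + HB_HEADER, payload_len);
    return payload_len;
}

/* Replays the same 23-byte record with its length field forged to 40 through
 * either handler; returns how many bytes the handler echoed into out. */
size_t replay_forged(size_t (*handler)(const unsigned char *, size_t, unsigned char *, size_t),
                     unsigned char *out, size_t out_cap) {
    unsigned char arena[sizeof g_memory];
    memcpy(arena, g_memory, sizeof arena);
    arena[1] = 0x00; arena[2] = 40;        /* claim 40 bytes, send only 4 */
    return handler(arena, RECORD_LEN, out, out_cap);
}
```

With the vulnerable handler the echoed 40 bytes carry the 4-byte payload, the padding, and then 20 bytes of the adjacent key fragment; the fixed handler rejects the forged record outright.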
What is Next?
WIConnect Wireless is committed to your privacy. We are still in the process of doing an in-depth security audit of our network, and have concluded the following so far:
- Our mailserver (mail.wicw.net) is unaffected by the bug
- Our secure payment portal is unaffected by the bug
- Our internal customer management software was affected, and has been patched
- Our client backup server was affected, and has been patched.
(However, since your backups are encrypted locally on your machine before they are uploaded, there is no concern that your encrypted data has been leaked.)