With all of the recent publicity about the “Heartbleed Bug,” senior living leaders are asking two key questions: “What does it all mean?” and “What do I need to do about it?”
To help you answer these important questions, we went to a highly authoritative source in the IT world – SageAge Strategies’ Director of Technology and Online Marketing, Alex Boyce.
How did it get here?
According to Alex, the “Heartbleed Bug” is evidence of how a simple programming mistake can cause huge problems. First, it should be said that the bug is confined to a narrow range of OpenSSL versions issued over roughly two years: 1.0.1 through 1.0.1f, released between March 2012 and January 2014. Because security analysts had been pushing server administrators to keep their security software current, a large share of web servers running OpenSSL were upgraded to one of those very versions during that period. So it’s one part bad programming, one part bad timing.
What exactly is it?
The bug lives in OpenSSL version 1.0.1, which added a feature that lets a secured connection between the server and the browser stay open, without being set up again from scratch, while remaining secure. This feature, the TLS heartbeat extension, is where the bug occurred and where the ‘Heartbleed Bug’ gets its name.
The TLS heartbeat is simply a way for one end of a connection (the browser, in the examples below) to ask the other whether it is still there, and so to keep the connection open. The sender transmits a short message together with a count of how many bytes that message contains, and the other side is expected to echo the same message back. As long as the reply matches what was sent, the connection stays open; if it doesn’t match, the reply is thrown away on the assumption that something went wrong in between.
Which brings us to the problem.
It should be known that any time a computer has to process information, a buffer must be created. A buffer is computer memory set aside for the purpose of holding information. A program that copies data into or out of a buffer has to be told how much to copy. If it is told to copy less than the data actually contains, the data is cut short. If it is told to copy more than the buffer actually holds, the copy runs past the end of the buffer into neighbouring memory that is already in use for something else, and whatever happens to be sitting there (other people’s requests, passwords, even the server’s private key) gets swept up along with the legitimate data and made available where it should not be.
In most cases, a check is put in place to make sure the amount requested matches the amount actually available, so that neither too little nor too much is copied. In the case of the TLS heartbeat, no such check existed: the server trusted the length the other side claimed, copied that many bytes starting at the received message, and sent the result back. Calls to the server could therefore exploit the buffer.
This is best expressed in the form of a conversation:
Web Browser: Server are you there? If so, respond with “bird (4 characters)”
Web Server: bird
Web Browser: Server are you there? If so, respond with “potato (6 characters)”
Web Server: potato
Web Browser: Server are you there? If so, respond with “snail (500 characters)”
Web Server: snail Lucas’ password is “lunch” Bob accessed the directory “/blue” at …
As you can see, when the claimed length is bigger than the real message, the reply carries information back to the web browser that should never leave the server.
The fix was simple and quick to implement. Two small bounds checks were added to compare the claimed length against the length of the message actually received, so that a request like ‘snail (500 characters)’ is now silently discarded instead of being answered.
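Here is the bug and its fix in miniature. This is an added example written for this post, not OpenSSL’s own code: a vulnerable heartbeat handler that trusts the claimed length sits beside a fixed one that checks it, and both are fed a constructed request carrying the five-byte payload “snail” while claiming 200 bytes. A made-up string (“Lucas’ password is …”) is placed in memory directly after the request to stand in for other users’ data on a real server; the arena size, the function names and the 200-byte claim are all assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520): [type:1][payload_len:2, big-endian][payload][padding] */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16     /* at least 16 bytes of padding follow the payload */
#define ARENA_SIZE   256    /* memory region used by the constructed scenario below */

/* Build the reply: type, the echoed length, payload_len bytes copied from src, padding.
 * Returns bytes written to out, or -1 if out is too small. */
static int write_response(const unsigned char *src, uint16_t payload_len,
                          unsigned char *out, size_t out_cap)
{
    size_t total = 3 + (size_t)payload_len + HB_PADDING;
    if (total > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload_len >> 8);
    out[2] = (unsigned char)(payload_len & 0xff);
    memcpy(out + 3, src, payload_len);      /* copies whatever follows src, even past the real payload */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return (int)total;
}

/* Vulnerable handler, mirroring OpenSSL 1.0.1 to 1.0.1f: the claimed payload length is
 * trusted and never compared with rec_len, the number of bytes actually received. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap)
{
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                          /* the bug: the real length is never consulted */
    if (rec[0] != HB_REQUEST)
        return -1;
    return write_response(rec + 3, payload_len, out, out_cap);
}

/* Fixed handler, mirroring the 1.0.1g patch: two bounds checks against rec_len. A request
 * claiming more payload than actually arrived is silently discarded rather than answered. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap)
{
    uint16_t payload_len;
    if (1 + 2 + HB_PADDING > rec_len)       /* too short to hold even a header plus padding */
        return -1;
    payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len)   /* the missing Heartbleed check */
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;
    return write_response(rec + 3, payload_len, out, out_cap);
}

/* Constructed scenario: a request carrying the 5-byte payload "snail" but claiming
 * `claimed` bytes, with unrelated text placed in the memory right after the record, the
 * way other users' data sits next to a request on a real server. Returns bytes written
 * to out, or -1 if the request was discarded. */
int run_demo(int use_fixed, uint16_t claimed, unsigned char *out, size_t out_cap)
{
    static unsigned char arena[ARENA_SIZE];
    const char *payload = "snail";
    const char *neighbour = "Lucas' password is \"lunch\"; Bob accessed /blue";   /* constructed */
    size_t rec_len = 3 + strlen(payload) + HB_PADDING;

    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memcpy(arena + 3, payload, strlen(payload));
    memcpy(arena + rec_len, neighbour, strlen(neighbour));

    if ((size_t)3 + claimed > sizeof arena) /* keep the demo's over-read inside the arena */
        return -1;
    return use_fixed ? heartbeat_fixed(arena, rec_len, out, out_cap)
                     : heartbeat_vulnerable(arena, rec_len, out, out_cap);
}

/* 1 if the first n bytes of out contain the text needle, else 0. */
int response_contains(const unsigned char *out, int n, const char *needle)
{
    size_t k = strlen(needle);
    for (size_t i = 0; n >= 0 && i + k <= (size_t)n; i++)
        if (memcmp(out + i, needle, k) == 0)
            return 1;
    return 0;
}

int main(void)
{
    unsigned char out[512];
    int n = run_demo(0, 200, out, sizeof out);
    printf("vulnerable, claimed 200: %d bytes back, password leaked: %s\n",
           n, response_contains(out, n, "lunch") ? "yes" : "no");
    n = run_demo(1, 200, out, sizeof out);
    printf("fixed, claimed 200: %s\n", n < 0 ? "request discarded" : "answered");
    n = run_demo(1, 5, out, sizeof out);
    printf("fixed, honest claim of 5: %d bytes back\n", n);
    return 0;
}
```

On a real server the claimed length can go up to 65535, the maximum a two-byte field can hold, and the memory that follows the request is whatever the process happened to be using; the arena here is just a bounded stand-in so the example runs deterministically.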
How extensive is the damage?
So now you’re asking how two missing checks can cause so much damage. They can! Luckily, the damage has been contained. As soon as the bug was disclosed, a fixed version (OpenSSL 1.0.1g) was released, and the system administrators at the big companies that use OpenSSL installed it. Companies like Facebook, Google, Twitter, Pinterest, etc. have issued emails alerting users to change their passwords. Because the same bug could expose a server’s private key, they also revoked their old security certificates and issued new ones, just to be safe.
Not everyone who uses OpenSSL was under threat. A server that never ran one of the affected versions (1.0.1 through 1.0.1f) was never exposed. One caveat: some Linux distributions ship a patched OpenSSL without changing the version number, so the version string alone does not settle the question; what matters is whether the fix has been applied. SageAge Strategies websites and client accounts are all safe and secure because we hadn’t been using any of the affected versions of OpenSSL. SageAge keeps a close eye on security.
What you should do
First, check whether the sites you have accounts with have fixed their Heartbleed problem. You can do so with this link: https://lastpass.com/heartbleed/. If a site was affected and has since fixed the issue, change your password. If it never used a vulnerable version of OpenSSL, there is nothing to do, and the Heartbleed checker will tell you which is the case. Wait until a site reports the fix is in place before changing your password there; a new password sent to a still-vulnerable server could leak just like the old one. All the major social media sites have already issued statements recommending a password change. All in all, changing your password is simply a precaution. Each heartbeat request can pull back at most 64KB of the server’s memory, which in terms of text is a considerable amount, but only a tiny slice of what a busy site holds at any moment, so there is no guarantee your password was in that slice. Bear in mind, though, that an attacker could send such requests over and over, and that the attack leaves no trace in ordinary server logs, so nobody can say for certain what was taken. If your account hasn’t been compromised by now, chances are it won’t be. However, in the security world, we take no chances, which is why the password change has been recommended.
About SageAge Strategies
For over two decades, SageAge Strategies has specialized in best-practice operations management, strategic marketing and business growth designed to help the senior living and senior care industries stimulate sales in existing markets, while establishing a presence in new ones. An LTC LINK Elite award winner, we are a leading resource for marketing, operations, fund development, consulting and training services for growth-oriented senior living providers.
As mature market growth experts, we differ from advertising and communications agencies that operate in the senior living space. Unlike them, we know your business inside out. Many of our consultants are former senior living executives who are supported by our award-winning marketing, design, website, fund development and social media experts. We know the senior living market and we know where the market is moving.
A nationally recognized boutique firm, we have a reputation rooted in personalized client service, creativity, integrity, accountability – and success. Our focus is on developing solutions that maximize growth and return on investment. The result: effective lead generation, sales growth and customer retention.
When you partner with us, there is no learning curve. The senior living industry has been our exclusive focus since we opened our doors nearly three decades ago. At SageAge Strategies, our purpose is to become a trusted counselor and advisor. We believe our client-partner relationships transcend individual marketing campaigns and sales initiatives with something we believe is even more valuable – critical insight, information and innovation.
If we can be of service, please visit us online at https://www.sageage.com/ or call us at 570-601-1720.