Local businesses struggle to make sense of Heartbleed flaw

News poured in last week that was hard to decipher for those not up-to-date on technological lingo or Internet security gaps.

Something bad—really bad—called “Heartbleed” potentially had compromised supposedly secure information across pretty much the entire Internet, business owners and managers learned. But explanations were confounding.

A week after reports of Heartbleed first emerged, companies around Indianapolis—especially small ones without their own information technology teams—are still trying to make sense of the problem that went unnoticed for close to two years and potentially exposed droves of Internet users’ personal information.

Chris Wardrip, CEO of Financial Health Federal Credit Union in Indianapolis, admitted he didn’t know what to make of a lot of the explanations he heard. He just knew there was a problem and he’d better fix it.

“I’m not a technology expert,” he said, noting his credit union doesn’t have its own IT department.
 
“It seems like every new thing that comes up has a new twist," he said. "If you’re concerned about customers’ information, the prudent thing is to do enough research to understand whether you’re in jeopardy and reach out to the experts.”

The credit union decided it had better at least ask an expert, so it turned to an outside IT firm and its web host. Everything was safe, Wardrip was assured.

Even relatively simple explanations of Heartbleed can make one's head spin. Here's an attempt from Codenomicon, one of the firms that discovered the problem:

“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).”

Internet security companies and news outlets blitzed the Internet with warnings and guides on how to address Heartbleed. Recent reports say the vulnerability could affect mobile devices, and that many of the tools used to detect the flaw are themselves flawed.

A commonly used technology called OpenSSL protects personal information and online communication—anything from online sales to email messages. But there was a vulnerability that, in effect, exposed that information to anyone who knew how to exploit the flaw.

Major corporations, with expansive IT and security departments, issued statements that they fixed any problems—or didn’t have them at all.

Spokespeople for major Indianapolis companies contacted by IBJ said they had experienced no complications.

Some, such as Angie’s List and Interactive Intelligence Group Inc., said they checked into the problem and found no issues with vulnerability.

Others, such as WellPoint Inc., don’t use OpenSSL, allowing them avoid the complication.

Duke Energy Indiana found no issues, but is keeping a close eye on its system.

“As a general good practice, we encourage our employees and customers to change account logon information frequently to help minimize the risk of personal information getting into the wrong hands,” Angeline Protogere, a spokeswoman for the utility, said in an email.

Even if a company using OpenSSL patched Heartbleed, it probably wouldn’t know if someone used the flaw to steal customers’ information, said Steve Myers, an associate professor of computer science and informatics at Indiana University.

“There’s very little reason to suspect that if people were attacked that there are any logs of it,” said Myers, who is also a senior fellow at IU’s Center for Applied Cybersecurity Research.

For most small business websites, any issues would be on servers owned by companies hosting the websites—businesses such as GoDaddy or DreamHost, said Kim Brand, owner of Indianapolis IT services firm Computer Experts.

Business owners who haven’t already checked to see if their website is vulnerable should check on testing sites. Codenomicon posted a questions-and-answers guide with additional resources on how to address the vulnerability if there is one.

If there’s a problem, they need to check in with their web hosts about patching the vulnerability, said Mike Cowper, a member of the Indianapolis Metropolitan Cyber Defense Force.

The only small businesses that would be at risk, he said, would be the ones that conduct some form of electronic commerce or collect personal information on customers, Cowper said. For exmple, a restaurant that only posts menus on its website doesn’t have much to worry about.

A lot of advisories for Internet users suggest changing passwords for the websites they frequent. But that's only effective after a website has patched the problem. Otherwise, new passwords on vulnerable websites could feed the new information directly to prying eyes.

The bigger risk for a lot of local companies, Brand said, is not whether their own websites are at risk. Rather, the problem more likely would be on websites that employees visit while at work. Like any other Internet users, companies need to make sure their staffers are using safe websites.

Brand understands why local businesses have been so flabbergasted by Heartbleed. The city largely is filled with small businesses that don’t have the technological resources to handle the problem themselves.

“From the perspective of an average business guy, they don’t know that they had a problem,” he said. “All they can do is be afraid.”