IBJNews

Local businesses struggle to make sense of Heartbleed flaw

Back to TopCommentsE-mailPrintBookmark and Share

News poured in last week that was hard to decipher for those not up-to-date on technological lingo or Internet security gaps.

Something bad—really bad—called “Heartbleed” potentially had compromised supposedly secure information across pretty much the entire Internet, business owners and managers learned. But explanations were confounding.

A week after reports of Heartbleed first emerged, companies around Indianapolis—especially small ones without their own information technology teams—are still trying to make sense of the problem that went unnoticed for close to two years and potentially exposed droves of Internet users’ personal information.

Chris Wardrip, CEO of Financial Health Federal Credit Union in Indianapolis, admitted he didn’t know what to make of a lot of the explanations he heard. He just knew there was a problem and he’d better fix it.

“I’m not a technology expert,” he said, noting his credit union doesn’t have its own IT department.
 
“It seems like every new thing that comes up has a new twist," he said. "If you’re concerned about customers’ information, the prudent thing is to do enough research to understand whether you’re in jeopardy and reach out to the experts.”

The credit union decided it had better at least ask an expert, so it turned to an outside IT firm and its web host. Everything was safe, Wardrip was assured.

Even relatively simple explanations of Heartbleed can make one's head spin. Here's an attempt from Codenomicon, one of the firms that discovered the problem:

“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).”

Internet security companies and news outlets blitzed the Internet with warnings and guides on how to address Heartbleed. Recent reports say the vulnerability could affect mobile devices, and that many of the tools used to detect the flaw are themselves flawed.

A commonly used technology called OpenSSL protects personal information and online communication—anything from online sales to email messages. But there was a vulnerability that, in effect, exposed that information to anyone who knew how to exploit the flaw.

Major corporations, with expansive IT and security departments, issued statements that they fixed any problems—or didn’t have them at all.

Spokespeople for major Indianapolis companies contacted by IBJ said they had experienced no complications.

Some, such as Angie’s List and Interactive Intelligence Group Inc., said they checked into the problem and found no issues with vulnerability.

Others, such as WellPoint Inc., don’t use OpenSSL, allowing them avoid the complication.

Duke Energy Indiana found no issues, but is keeping a close eye on its system.

“As a general good practice, we encourage our employees and customers to change account logon information frequently to help minimize the risk of personal information getting into the wrong hands,” Angeline Protogere, a spokeswoman for the utility, said in an email.

Even if a company using OpenSSL patched Heartbleed, it probably wouldn’t know if someone used the flaw to steal customers’ information, said Steve Myers, an associate professor of computer science and informatics at Indiana University.

“There’s very little reason to suspect that if people were attacked that there are any logs of it,” said Myers, who is also a senior fellow at IU’s Center for Applied Cybersecurity Research.

For most small business websites, any issues would be on servers owned by companies hosting the websites—businesses such as GoDaddy or DreamHost, said Kim Brand, owner of Indianapolis IT services firm Computer Experts.

Business owners who haven’t already checked to see if their website is vulnerable should check on testing sites. Codenomicon posted a questions-and-answers guide with additional resources on how to address the vulnerability if there is one.

If there’s a problem, they need to check in with their web hosts about patching the vulnerability, said Mike Cowper, a member of the Indianapolis Metropolitan Cyber Defense Force.

The only small businesses that would be at risk, he said, would be the ones that conduct some form of electronic commerce or collect personal information on customers, Cowper said. For exmple, a restaurant that only posts menus on its website doesn’t have much to worry about.

A lot of advisories for Internet users suggest changing passwords for the websites they frequent. But that's only effective after a website has patched the problem. Otherwise, new passwords on vulnerable websites could feed the new information directly to prying eyes.

The bigger risk for a lot of local companies, Brand said, is not whether their own websites are at risk. Rather, the problem more likely would be on websites that employees visit while at work. Like any other Internet users, companies need to make sure their staffers are using safe websites.

Brand understands why local businesses have been so flabbergasted by Heartbleed. The city largely is filled with small businesses that don’t have the technological resources to handle the problem themselves.

“From the perspective of an average business guy, they don’t know that they had a problem,” he said. “All they can do is be afraid.”

ADVERTISEMENT

Post a comment to this story

COMMENTS POLICY
We reserve the right to remove any post that we feel is obscene, profane, vulgar, racist, sexually explicit, abusive, or hateful.
 
You are legally responsible for what you post and your anonymity is not guaranteed.
 
Posts that insult, defame, threaten, harass or abuse other readers or people mentioned in IBJ editorial content are also subject to removal. Please respect the privacy of individuals and refrain from posting personal information.
 
No solicitations, spamming or advertisements are allowed. Readers may post links to other informational websites that are relevant to the topic at hand, but please do not link to objectionable material.
 
We may remove messages that are unrelated to the topic, encourage illegal activity, use all capital letters or are unreadable.
 

Messages that are flagged by readers as objectionable will be reviewed and may or may not be removed. Please do not flag a post simply because you disagree with it.

Sponsored by
ADVERTISEMENT

facebook - twitter on Facebook & Twitter

Follow on TwitterFollow IBJ on Facebook:
Follow on TwitterFollow IBJ's Tweets on these topics:
 
Subscribe to IBJ
  1. President Obama has referred to the ACA as "Obamacare" any number of times; one thing it is not, if you don't qualify for a subsidy, is "affordable".

  2. One important correction, Indiana does not have an ag-gag law, it was soundly defeated, or at least changed. It was stripped of everything to do with undercover pictures and video on farms. There is NO WAY on earth that ag gag laws will survive a constitutional challenge. None. Period. Also, the reason they are trying to keep you out, isn't so we don't show the blatant abuse like slamming pigs heads into the ground, it's show we don't show you the legal stuf... the anal electroctions, the cutting off of genitals without anesthesia, the tail docking, the cutting off of beaks, the baby male chicks getting thrown alive into a grinder, the deplorable conditions, downed animals, animals sitting in their own excrement, the throat slitting, the bolt guns. It is all deplorable behavior that doesn't belong in a civilized society. The meat, dairy and egg industries are running scared right now, which is why they are trying to pass these ridiculous laws. What a losing battle.

  3. Eating there years ago the food was decent, nothing to write home about. Weird thing was Javier tried to pass off the story the way he ended up in Indy was he took a bus he thought was going to Minneapolis. This seems to be the same story from the founder of Acapulco Joe's. Stopped going as I never really did trust him after that or the quality of what being served.

  4. Indianapolis...the city of cricket, chains, crime and call centers!

  5. "In real life, a farmer wants his livestock as happy and health as possible. Such treatment give the best financial return." I have to disagree. What's in the farmer's best interest is to raise as many animals as possible as quickly as possible as cheaply as possible. There is a reason grass-fed beef is more expensive than corn-fed beef: it costs more to raise. Since consumers often want more food for lower prices, the incentive is for farmers to maximize their production while minimizing their costs. Obviously, having very sick or dead animals does not help the farmer, however, so there is a line somewhere. Where that line is drawn is the question.

ADVERTISEMENT