IBJNews

Local businesses struggle to make sense of Heartbleed flaw


News poured in last week that was hard to decipher for those not up-to-date on technological lingo or Internet security gaps.

Something bad—really bad—called “Heartbleed” potentially had compromised supposedly secure information across pretty much the entire Internet, business owners and managers learned. But explanations were confounding.

A week after reports of Heartbleed first emerged, companies around Indianapolis—especially small ones without their own information technology teams—are still trying to make sense of the problem that went unnoticed for close to two years and potentially exposed droves of Internet users’ personal information.

Chris Wardrip, CEO of Financial Health Federal Credit Union in Indianapolis, admitted he didn’t know what to make of a lot of the explanations he heard. He just knew there was a problem and he’d better fix it.

“I’m not a technology expert,” he said, noting his credit union doesn’t have its own IT department.
 
“It seems like every new thing that comes up has a new twist,” he said. “If you’re concerned about customers’ information, the prudent thing is to do enough research to understand whether you’re in jeopardy and reach out to the experts.”

The credit union decided it had better at least ask an expert, so it turned to an outside IT firm and its web host. Everything was safe, Wardrip was assured.

Even relatively simple explanations of Heartbleed can make one's head spin. Here's an attempt from Codenomicon, one of the firms that discovered the problem:

“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).”

Internet security companies and news outlets blitzed the Internet with warnings and guides on how to address Heartbleed. Recent reports say the vulnerability could affect mobile devices, and that many of the tools used to detect the flaw are themselves flawed.

A commonly used technology called OpenSSL protects personal information and online communication—anything from online sales to email messages. But there was a vulnerability that, in effect, exposed that information to anyone who knew how to exploit the flaw.

Major corporations, with expansive IT and security departments, issued statements that they fixed any problems—or didn’t have them at all.

Spokespeople for major Indianapolis companies contacted by IBJ said they had experienced no complications.

Some, such as Angie’s List and Interactive Intelligence Group Inc., said they checked into the problem and found no issues with vulnerability.

Others, such as WellPoint Inc., don’t use OpenSSL, allowing them to avoid the complication.

Duke Energy Indiana found no issues, but is keeping a close eye on its system.

“As a general good practice, we encourage our employees and customers to change account logon information frequently to help minimize the risk of personal information getting into the wrong hands,” Angeline Protogere, a spokeswoman for the utility, said in an email.

Even if a company using OpenSSL patched Heartbleed, it probably wouldn’t know if someone used the flaw to steal customers’ information, said Steve Myers, an associate professor of computer science and informatics at Indiana University.

“There’s very little reason to suspect that if people were attacked that there are any logs of it,” said Myers, who is also a senior fellow at IU’s Center for Applied Cybersecurity Research.

For most small business websites, any issues would be on servers owned by companies hosting the websites—businesses such as GoDaddy or DreamHost, said Kim Brand, owner of Indianapolis IT services firm Computer Experts.

Business owners who haven’t already checked to see if their website is vulnerable should check on testing sites. Codenomicon posted a questions-and-answers guide with additional resources on how to address the vulnerability if there is one.

If there’s a problem, they need to check in with their web hosts about patching the vulnerability, said Mike Cowper, a member of the Indianapolis Metropolitan Cyber Defense Force.

The only small businesses that would be at risk, Cowper said, would be the ones that conduct some form of electronic commerce or collect personal information on customers. For example, a restaurant that only posts menus on its website doesn’t have much to worry about.

A lot of advisories for Internet users suggest changing passwords for the websites they frequent. But that's only effective after a website has patched the problem. Otherwise, new passwords on vulnerable websites could feed the new information directly to prying eyes.

The bigger risk for a lot of local companies, Brand said, is not whether their own websites are at risk. Rather, the problem more likely would be on websites that employees visit while at work. Like any other Internet users, companies need to make sure their staffers are using safe websites.

Brand understands why local businesses have been so flabbergasted by Heartbleed. The city largely is filled with small businesses that don’t have the technological resources to handle the problem themselves.

“From the perspective of an average business guy, they don’t know that they had a problem,” he said. “All they can do is be afraid.”
