IBJNews

Local businesses struggle to make sense of Heartbleed flaw

Back to TopCommentsE-mailPrintBookmark and Share

News poured in last week that was hard to decipher for those not up-to-date on technological lingo or Internet security gaps.

Something bad—really bad—called “Heartbleed” potentially had compromised supposedly secure information across pretty much the entire Internet, business owners and managers learned. But explanations were confounding.

A week after reports of Heartbleed first emerged, companies around Indianapolis—especially small ones without their own information technology teams—are still trying to make sense of the problem that went unnoticed for close to two years and potentially exposed droves of Internet users’ personal information.

Chris Wardrip, CEO of Financial Health Federal Credit Union in Indianapolis, admitted he didn’t know what to make of a lot of the explanations he heard. He just knew there was a problem and he’d better fix it.

“I’m not a technology expert,” he said, noting his credit union doesn’t have its own IT department.
 
“It seems like every new thing that comes up has a new twist," he said. "If you’re concerned about customers’ information, the prudent thing is to do enough research to understand whether you’re in jeopardy and reach out to the experts.”

The credit union decided it had better at least ask an expert, so it turned to an outside IT firm and its web host. Everything was safe, Wardrip was assured.

Even relatively simple explanations of Heartbleed can make one's head spin. Here's an attempt from Codenomicon, one of the firms that discovered the problem:

“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).”

Internet security companies and news outlets blitzed the Internet with warnings and guides on how to address Heartbleed. Recent reports say the vulnerability could affect mobile devices, and that many of the tools used to detect the flaw are themselves flawed.

A commonly used technology called OpenSSL protects personal information and online communication—anything from online sales to email messages. But there was a vulnerability that, in effect, exposed that information to anyone who knew how to exploit the flaw.

Major corporations, with expansive IT and security departments, issued statements that they fixed any problems—or didn’t have them at all.

Spokespeople for major Indianapolis companies contacted by IBJ said they had experienced no complications.

Some, such as Angie’s List and Interactive Intelligence Group Inc., said they checked into the problem and found no issues with vulnerability.

Others, such as WellPoint Inc., don’t use OpenSSL, allowing them avoid the complication.

Duke Energy Indiana found no issues, but is keeping a close eye on its system.

“As a general good practice, we encourage our employees and customers to change account logon information frequently to help minimize the risk of personal information getting into the wrong hands,” Angeline Protogere, a spokeswoman for the utility, said in an email.

Even if a company using OpenSSL patched Heartbleed, it probably wouldn’t know if someone used the flaw to steal customers’ information, said Steve Myers, an associate professor of computer science and informatics at Indiana University.

“There’s very little reason to suspect that if people were attacked that there are any logs of it,” said Myers, who is also a senior fellow at IU’s Center for Applied Cybersecurity Research.

For most small business websites, any issues would be on servers owned by companies hosting the websites—businesses such as GoDaddy or DreamHost, said Kim Brand, owner of Indianapolis IT services firm Computer Experts.

Business owners who haven’t already checked to see if their website is vulnerable should check on testing sites. Codenomicon posted a questions-and-answers guide with additional resources on how to address the vulnerability if there is one.

If there’s a problem, they need to check in with their web hosts about patching the vulnerability, said Mike Cowper, a member of the Indianapolis Metropolitan Cyber Defense Force.

The only small businesses that would be at risk, he said, would be the ones that conduct some form of electronic commerce or collect personal information on customers, Cowper said. For exmple, a restaurant that only posts menus on its website doesn’t have much to worry about.

A lot of advisories for Internet users suggest changing passwords for the websites they frequent. But that's only effective after a website has patched the problem. Otherwise, new passwords on vulnerable websites could feed the new information directly to prying eyes.

The bigger risk for a lot of local companies, Brand said, is not whether their own websites are at risk. Rather, the problem more likely would be on websites that employees visit while at work. Like any other Internet users, companies need to make sure their staffers are using safe websites.

Brand understands why local businesses have been so flabbergasted by Heartbleed. The city largely is filled with small businesses that don’t have the technological resources to handle the problem themselves.

“From the perspective of an average business guy, they don’t know that they had a problem,” he said. “All they can do is be afraid.”

ADVERTISEMENT

Post a comment to this story

COMMENTS POLICY
We reserve the right to remove any post that we feel is obscene, profane, vulgar, racist, sexually explicit, abusive, or hateful.
 
You are legally responsible for what you post and your anonymity is not guaranteed.
 
Posts that insult, defame, threaten, harass or abuse other readers or people mentioned in IBJ editorial content are also subject to removal. Please respect the privacy of individuals and refrain from posting personal information.
 
No solicitations, spamming or advertisements are allowed. Readers may post links to other informational websites that are relevant to the topic at hand, but please do not link to objectionable material.
 
We may remove messages that are unrelated to the topic, encourage illegal activity, use all capital letters or are unreadable.
 

Messages that are flagged by readers as objectionable will be reviewed and may or may not be removed. Please do not flag a post simply because you disagree with it.

Sponsored by
ADVERTISEMENT

facebook - twitter on Facebook & Twitter

Follow on TwitterFollow IBJ on Facebook:
Follow on TwitterFollow IBJ's Tweets on these topics:
 
Subscribe to IBJ
  1. So much for Eric Holder's conversation about race. If white people have got something to say, they get sued over it. Bottom line: white people have un-freer speech than others as a consequence of the misnamed "Civil rights laws."

  2. I agree, having seen three shows, that I was less than wowed. Disappointing!!

  3. Start drilling, start fracking, and start using our own energy. Other states have enriched their citizens and nearly elminated unemployment by using these resources that are on private land. If you are against the 'low prices' of discount stores, the best way to allow shoppers more choice is to empower them with better earnings. NOT through manipulated gov mandated min wage hikes, but better jobs and higher competitive pay. This would be direct result of using our own energy resources, yet Obama knows that Americans who arent dependent of gov welfare are much less likely to vote Dem, so he looks for ways to ensure America's decline and keep its citizens dependent of gov.

  4. Say It Loud, I'm Black and Ashamed: It's too bad that with certain "black" entertainment events, it seems violence and thuggery follows and the collateral damage that it leaves behinds continues to be a strain on the city in terms of people getting hurt, killed or becoming victims of crimes and/or stretching city resources. I remember shopping in the Meadows area years ago until violence and crime ended make most of the business pack you and leave as did with Lafayette Square and Washington Square. Over the past 10 to 12 years, I remember going to the Indiana Black Expo Soul Picnic in Washington Park. Violence, gang fights and homicides ended that. My great grandmother still bears the scares on her leg from when she was trampled by a group of thugs running from gun fire from a rival gang. With hundreds of police offices downtown still multiple shootings, people getting shot downtown during Black Expo. A number of people getting shots or murdered at black clubs around the city like Club Six on the west side, The Industry downtown, Jamal Tinsley's shot out in front of the Conrad, multiple fights and shootings at the skating rinks, shootings at Circle Center Mall and shooting and robberies and car jackings at Lafayette Mall. Shootings and gang violence and the State Fair. I can go on and on and on. Now Broad Ripple. (Shaking head side to side) Say It Loud, I'm Black and I'm Ashamed.

  5. Ballard Administration. Too funny. This is the least fiscally responsive administration I have ever seen. One thing this article failed to mention, is that the Hoosier State line delivers rail cars to the Amtrak Beech Grove maintenance facility for refurbishment. That's an economic development issue. And the jobs there are high-paying. That alone is worth the City's investment.

ADVERTISEMENT