Privacy First Aid for Heartbleed

April 14, 2014

The Office of the Information and Privacy Commissioner has received a number of inquiries concerning the Heartbleed vulnerability. The following information is intended to assist organizations, public bodies and custodians in responding to Heartbleed. Tips for the public are also included.

Background

Heartbleed is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness can potentially lead to unauthorized access, disclosure and/or modification of information normally protected by SSL/TLS (Secure Sockets Layer/Transport Layer Security) encryption. SSL/TLS is used for securing Internet communication.

OpenSSL provides communication security and privacy over the Internet for applications such as websites, email, instant messaging (IM) and some virtual private networks (VPNs). The Heartbleed vulnerability could allow unauthorized Internet users to compromise an OpenSSL secret key. The key can then be used to decrypt and access information such as user names, passwords and actual communication content.

Preventive measures for organizations, public bodies and custodians

  • Determine if your organization is implementing OpenSSL. If yes, then you are vulnerable to Heartbleed.
  • Disconnect the services from the Internet.
  • Determine if services running OpenSSL have been compromised.
  • Fix or patch the vulnerability.
  • If there was a compromise, change administrative passwords before bringing the services back online.
  • Advise users of the site to change their passwords.
  • If your organization is subject to Alberta’s private sector privacy law, the Personal Information Protection Act (PIPA), and you discover evidence that personal information under your control has been accessed or disclosed in an unauthorized manner, you have a duty to report this incident to the Commissioner if there is a real risk of significant harm to individuals. More information on reporting a breach can be found here: https://oipc.ab.ca/pages/PIPA/BreachNotification.aspx
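The first step above, determining whether an organization is running OpenSSL, is usually an inventory exercise. The following POSIX shell script is an added example and is not part of the Commissioner's advisory: it reads the version string reported by the local `openssl` binary and classifies it against the release range known to carry the Heartbleed bug (OpenSSL 1.0.1 through 1.0.1f, plus 1.0.2-beta1; 1.0.1g and later, and the 0.9.8 and 1.0.0 branches, are not affected). The sample version lines inside the test are constructed. One caveat a practitioner needs: several Linux distributions backported the fix without changing the version number, so a version string alone is a prompt to check the vendor's patch notes, not proof of exposure.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an OpenSSL version string
# against the Heartbleed-affected release range.
# Known fact: OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 carry the bug;
# 1.0.1g and later, and all 0.9.8.x / 1.0.0.x builds, do not.
# Caveat: distributions backported the fix without bumping the version, so
# treat "affected" as "verify against vendor patch notes", not as proof.

# Extract the bare version token from an "openssl version" output line.
# Example (constructed input): "OpenSSL 1.0.1f 6 Jan 2014" -> "1.0.1f"
parse_openssl_version() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# Print "affected" (return 0) or "not-affected" (return 1) for a bare version.
# Patterns: 1.0.1 with no letter, 1.0.1a..1.0.1f (optionally with a suffix
# such as "-fips"), and 1.0.2-beta1. Everything else is outside the range.
heartbleed_version_status() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1)
            printf 'affected\n'
            return 0 ;;
        *)
            printf 'not-affected\n'
            return 1 ;;
    esac
}

# Stand-alone use: inspect the openssl binary on PATH, if any.
# Statically linked applications and appliances embed their own copy of the
# library and must be inventoried separately; this only covers the system copy.
if command -v openssl >/dev/null 2>&1; then
    line=$(openssl version)
    ver=$(parse_openssl_version "$line")
    status=$(heartbleed_version_status "$ver") || true
    printf 'installed: %s -> %s (confirm with vendor patch notes)\n' "$line" "$status"
else
    printf 'no openssl binary on PATH; check bundled libraries and appliances separately\n'
fi
```

Run it on each host in scope and feed the results into the patching and password-reset steps that follow; an "affected" result on a distribution-packaged OpenSSL should be cross-checked against the package changelog before the host is declared clean or compromised.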

Preventive measures for members of the public

  • Select and use strong passwords that contain a combination of upper and lower case letters and special characters, such as &, *, @, #, $, etc.
  • Avoid using one password for multiple sites.
  • Change your passwords regularly, for instance, every 90 days.
  • Configure your web browsers not to store passwords.
  • Keep your passwords confidential and store them securely.