Most articles discussing the Heartbleed bug's impact on public sector focus on Canada -- whose Revenue Agency took its tax filing site offline to safeguard taxpayer data -- but governments in the U.S. are not immune. Public-sector agencies that host sites containing citizen data are absolutely worried about the newly discovered vulnerability, says Jonathan Trull, chief information security officer for the Colorado Governor's Office of Information Technology.
"This is probably the most serious potential threat to confidential data I've seen since learning of the conficker worm back in November of 2008," Trull said in an email to Government Technology. "Public agencies are scrambling to test their sites, and if they determine they are vulnerable, they are working to immediately put in place compensating controls and ultimately fix the problem."
Password Change Required
If you have a Facebook, Google, Yahoo or Amazon Web Services account, it's time to change your password, according to Mashable's Heartbleed Hit List.
Don't worry, though, not all sites have been affected -- LinkedIn, Amazon and Microsoft accounts, for instance, are safe.
Check Mashable's hitlist to check the status of other popular websites.
Probably the most painful step, he said, will be determining whether all users of a vulnerable website need to change their passwords. "If that path is chosen, many people will be impacted."
When it comes to testing whether sites have been affected, two primary resources exist. The first is the specific "Heartbleed test," developed by Italian consultant Filippo Valsorda, who specializes in cryptography and security.
As is explained in the site's FAQs, the test sometimes delivers "false positives" for vulnerability. A user should not, however, receive an OK signal if there is actually a problem, according to the FAQs. The second, and perhaps more trusted, source to check Heartbleed vulnerability is the SSL (Secure Socket Layer) Test, provided by cloud security provider Qualys.
"I do not know the first site," Trull said, "but am very familiar with the company running the second ... they are a very reputable and highly qualified security company. You can absolutely trust the results at the Qualys site."
When a user inputs a website to determine if it's been affected by Heartbleed, the test sites perform a configuration analysis of the SSL certificate for the site, Trull says. Based on the results, which take less than a minute, the test will tell you whether or not your website is vulnerable and needs to be remediated for the Heartbleed vulnerability.
"For example, you can go to www.ssllabs.com/ssltest/ and enter a website, such as www.colorado.gov," Trull said "Once you hit 'submit,' the website's SSL certificate is tested for the flaw and provides you with the results. The tests, at least for the Qualys site, will be accurate and taken seriously."
For the record, Colorado.gov is not vulnerable to the Heartbleed threat.
Since news of Heartbleed broke, many security professionals have been saying that the "Internet is broken," Trull noted. "And we all need to get together as a community to fix it," he said. "Basically, SSL, which is broken, is the key fabric to creating trust and security over the Internet, which by itself is not secured."