Heartbleed: What it is and how it affects you

Heartbleed is likely the most serious Internet security threat to date. Here’s what you need to know.

The term Heartbleed refers to a bug in the code for OpenSSL. This code, which is thousands of lines long and has been written and rewritten by several people over the years, is a widely used cryptographic library. When a user logs into a website that uses OpenSSL (or another method of security), the browser “talks” with the website to make sure it’s a legitimate website; for example, typing in “www.ncra.org” actually leads the user to the main website for the National Court Reporters Association and not a pretender. Secure websites are noted with the “https” before the address or sometimes an icon of a lock.

The Heartbleed bug allows a hacker to access communication between the user and the website, which could include sensitive information like passwords, credit card numbers, contact information, etc.

Companies and websites affected by Heartbleed need to fix the problem on their end. Once an affected company has made the necessary security changes, it should alert you to change any passwords. Changing a password immediately will not solve the problem if the company has not been able to solve things on its end. However, after a week, it should be safe to change passwords that haven’t been flagged.

For now, avoid going to websites that have access to secure personal information, like a bank website. LastPass and the Heartbleed test can also help you determine if a specific website is vulnerable or not. Mashable has also put together a chart showing if popular websites have been affected and whether passwords need to be changed.

Check with your firm, court, school, etc. to see what they recommend for keeping private client information secure when electronically transferring information.

NCRA is checking in with our vendors on this issue and making sure that things are safe on our end. We will pass on any additional information when we can (you can access that list here).

Many news sites are publishing information on Heartbleed, including NPR.

NCRA vendors’ response to Heartbleed

NCRA has contacted our vendors to check on their online security. Our previous post on Heartbleed is here. Here are the responses so far:

Advantage Software:

Advantage Software has confirmed that Heartbleed is not a threat to its website. The connect.eclipsecat.com server that handles keyless licenses, shared documents, and realtime sessions likewise is not vulnerable since Advantage does not use the feature of OpenSSL that includes the Heartbleed vulnerability.

Depobook:

DepobookProducts.com and Depobook.com websites are safe and secure. According to the company, their servers were not running the vulnerable version of OpenSSL.

LiveDeposition:

LiveDeposition.com reports that its website is secure.

Martel:

Level 1 PCI compliance protects Martel store from hackers. Martel store transactions are automatically PCI compliant, and its entire network is independently audited against stringent PCI security standards every three months. Martel is on the lists of PCI-compliant providers for both Visa and MasterCard.

OMTI/ReporterBase:

Both omti.com and its customer portal (support.omti.com) are secure and safe from the Heartbleed bug. In addition, and of particular interest to ReporterBase users who have RB Web subscriptions, the RB Web servers are not run on Apache and nginx servers; therefore, the website will not be affected by the bug. RB Web uses SSL but not OpenSSL, which is where the bug is present.

Pengad:

Pengad’s servers were patched within a few hours of the vulnerability being announced, according to the company. The large majority of the company’s servers were not vulnerable to this attack, as they run versions of the OpenSSL software that did not have the Heartbleed bug in them. Pengad’s main website, www.pengad.com, is patched and up to date.

ProCAT:

ProCAT.com and MyProCAT.com do not use the OpenSSL that is affected with the Heartbleed vulnerability.

RPM:

RPM’s servers were not affected by the Heartbleed bug.

StenEd:

StenEd was not affected by the Heartbleed defect.

Stenograph:

Stenograph confirms that there are no security concerns for anyone shopping on the Stenograph site. We do not use OpenSSL as the method to secure personal or financial information, so our websites are not (and were never) at risk from Heartbleed.

Stenovations:

Stenovations’ websites were not affected by the Heartbleed bug. Stenovations uses PayPal, which was not affected, as its payment processor. They also include this list of tips for Internet security:

  • Make sure each website has a unique, difficult-to-guess password.
  • If a website offers “Two-Factor Authentication”, turn it on.
  • Install updates for your computer and applications when they become available.
  • If required, use a secure password manager such as LastPass or KeyPass.
  • A longer password that you can remember is often better than a shorter one that you can’t.

StreamText:

StreamText.Net was not affected by the defect.

YesLaw:

YesLaw and YesLaw Online servers were not affected by the Heartbleed defect.

This page will be updated as new information comes in.