Heartbleed Virus Gets to the Heart of Identity and Access Management

When a virus has its own website you know its bad. The Heartbleed virus is on us like the Orcs at Helms Deep. According to Doug Aamoth the tech blogger at Time Magazine, “It’s bad, friends. The Heartbleed Bug is bad. That little lock icon that you see up in your browser’s address bar when you’re logging into a site or entering your credit card number? Turns out it’s not all that great at protecting your private information after all.”

On the Heartbleed Bug website the news is not any more comforting, “The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.” Reading on the news gets worse, “The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”

So everyone stop what you are doing and go change all of your passwords . . . now . . right now. That is the message that the Yahoo blogging platform Tumblr is urging all of its users in an unprecedented post on its site, “This might be a good day to call in sick and take some time to change your passwords everywhere—especially your high-security services like email, file storage, and banking, which may have been compromised by this bug.”

Of course there has been some response to this outbreak and so rather than hiding under the covers all day, you can now test whether a site has been infected by the bug through a test found here.

How this will effect the corporate Identity and Access Management solutions community is a bit too early to say. But the exercise speaks even more strongly toward the need to have additional levels of control over enterprise users, particularly those who are now bringing their own devices to work and accessing potentially infected websites from within the walls of your corporate network infrastructure.