London, 10th April 2014

OpenSSL is a software library widely used throughout the world to encrypt communications over the internet.

Internet-based services, including most secure websites, use this technology to ensure that no one can eavesdrop on private communications and to enable users to verify the authenticity of the services’ identities. Heartbleed is the name given to a bug in some versions of that software that could allow attackers to extract snippets of these private communications and, under certain circumstances, impersonate the service provider or comprehensively monitor communications[1].

An attacker would need to connect to a vulnerable server and then keep requesting information from the server to progressively retrieve extracts of private communications and/or the security certificates and keys on the server.

In Mintel’s case, a small number of our public services were vulnerable to this bug, and all were upgraded as soon as possible after we became aware of the issue. We have no reason to believe anyone took advantage of the bug on any of Mintel’s products, and upgrades were completed at 08:34 UTC on Wednesday April 9th. In addition, we have subsequently regenerated all of our security keys and certificates and revoked the old ones.

Our services are now safe to use and have been since Wednesday April 9th 2014. In addition, for most of our clients we have additional authentication checks that would in most cases prevent unauthorised use of Mintel’s services. Given the nature of our services and of the security architecture we use, essentially the only information that could have been intercepted is people’s login, password and personal profile details.

Whilst we have no reason to believe we would have been targeted by attackers looking to exploit the Heartbleed bug, it is technically possible that some of our encrypted sessions could have been compromised. For this reason, we would recommend that users now change their profile passwords on Mintel’s services. Because of the nature of our service and the additional security checks we make, we are not intending to force our users to change their passwords – unless requested to do so by our clients’ IT or Information Security departments.

If you re-use the same password on multiple websites, it’s probably more important to focus on changing it on the more security-sensitive sites, like online shopping or banking sites.

If you have any questions or would like more information, please contact helpdesk@mintel.com.

Jason Thomson
CIO Mintel Group Ltd.

___________

[1] To comprehensively monitor communications or impersonate a service provider, the attacker would need not only to have extracted the private keys and security certificate from the vulnerable server using the Heartbleed bug, but also to have some kind of access to and control of the network traffic between the end user and the service provider. This is not easy to do unless you control or have physical access to key ISP networks.