BTerrell Group Blog

Addressing the Heartbleed Bug

Posted by Chris Firra on Mon, Apr 21, 2014

Much has been recently written about the OpenSSL bug known as "Heartbleed", which is a vulnerability in the HTTPS protocol for Apache and nginx web servers. The vulnerability could allow unauthorized users to read unencrypted web traffic, including passwords. Early stories circulated that as much as 2/3 of the Internet was affected by the bug. According to the latest articles, it likely had a much smaller impact. However, the defect was found to have affected some of the largest providers of Internet and cloud-based services, such as Amazon, Google, Akamai, Blackberry, Tumblr and even the Canadian version of the IRS.

Norton and other security providers have now released tools that can determine whether a site is vulnerable to Heartbleed.  Check out: http://safeweb.norton.com/heartbleed

Norton Heartbleed check

Most providers have already taken steps to patch the OpenSSL vulnerability and replace their security certificates.  However, it is now up to users to change their passwords as soon as possible.  Intacct, one of the many services that utilized OpenSSL, took steps to address the issue on the same day as the Heartbleed announcement.  Subsequently, they recommended that their users should immediately change passwords.

To change your password in Intacct:

  1. Go to the Company menu and click My Preferences.

  2. Click the Change Password button.

Additionally, consider using strong passwords.  Here are some guidelines:  http://www.thegeekstuff.com/2008/06/the-ultimate-guide-for-creating-strong-passwords/
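A password changed while a site was still serving the certificate it used before the fix may itself have been exposed, so the change should happen after the site has replaced its certificate. The check below is an added example, not code from the original post or from Intacct: it reads the `notBefore` date of a certificate in the format returned by Python's `ssl` module and compares it with the Heartbleed disclosure date (7 April 2014). The `fetch_peercert` helper and the two sample certificates are constructed for illustration.

```python
import datetime
import socket
import ssl

# Heartbleed was publicly disclosed on 7 April 2014 (UTC).
HEARTBLEED_DISCLOSED = datetime.datetime(2014, 4, 7, tzinfo=datetime.timezone.utc)


def utc_date(year, month, day):
    """Small helper so callers can build timezone-aware UTC dates."""
    return datetime.datetime(year, month, day, tzinfo=datetime.timezone.utc)


def cert_not_before(peercert):
    """notBefore of a cert dict in the format ssl.SSLSocket.getpeercert() returns."""
    seconds = ssl.cert_time_to_seconds(peercert["notBefore"])
    return datetime.datetime.fromtimestamp(seconds, tz=datetime.timezone.utc)


def cert_reissued_after_disclosure(peercert, disclosed=HEARTBLEED_DISCLOSED):
    """True if the certificate was issued on or after the disclosure date.
    Caveat: an issuer can re-sign the OLD key pair; a date check alone cannot
    tell a re-keyed certificate from a merely re-signed one."""
    return cert_not_before(peercert) >= disclosed


def password_change_is_effective(peercert, changed_on, disclosed=HEARTBLEED_DISCLOSED):
    """A password changed before the site replaced its certificate may have been
    read out of the still-vulnerable server and should be changed again."""
    return (cert_reissued_after_disclosure(peercert, disclosed)
            and changed_on >= cert_not_before(peercert))


def fetch_peercert(host, port=443):
    """Fetch a live certificate (hypothetical helper; the sample below is offline)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as ssock:
            return ssock.getpeercert()


# Constructed sample certificates (not real sites), in getpeercert() format.
OLD_CERT = {"subject": ((("commonName", "old.example.test"),),),
            "notBefore": "Jan 15 12:00:00 2014 GMT",
            "notAfter": "Jan 15 12:00:00 2015 GMT"}
NEW_CERT = {"subject": ((("commonName", "new.example.test"),),),
            "notBefore": "Apr  9 00:00:00 2014 GMT",
            "notAfter": "Apr  9 00:00:00 2015 GMT"}

if __name__ == "__main__":
    print("NEW_CERT reissued after disclosure:", cert_reissued_after_disclosure(NEW_CERT))
    print("password changed Apr 8 on NEW_CERT site effective:",
          password_change_is_effective(NEW_CERT, utc_date(2014, 4, 8)))
```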

Intacct further recommends that users consider implementing two additional security features that are offered as part of the core solution.

  1. Set up IP address filtering, which restricts sign in to an accepted list of IP addresses.

  2. Turn on two-step verification, otherwise known as two-factor authentication (2FA), which adds a layer of protection when users sign in by sending a text or email message to the user to confirm the new machine that they are using to sign in.

IP address filtering is more secure, but significantly less convenient for users who travel. Two-step verification or 2FA is quickly becoming a standard in Internet security and is much stronger than relying on security certificates alone. In Intacct, it can be enabled on a user-by-user basis.

  1. Point to Company, then click Users.

  2. Locate the user, then click Edit.

  3. On the User Information screen, select Enable two-step verification.

  4. Click Save.

  5. In the Verify your identity window, enter your account Password.

  6. Click Done.

BTerrell also highly recommends 2FA when using cloud-provided services.  For a list of other 2FA web sites, check out http://twofactorauth.org.  More importantly, make certain that you and your users have updated online passwords.  Contact BTerrell Group if you have any questions about choices to keep your Intacct and Sage environments secure.

Tags: Intacct