
Heartbleed A ‘Significant’ Threat To Hotels

Date: 2015-06-19 Source: 行者旅游 TripMaster.CN Official website: https://www.tripmaster.cn

  The Heartbleed bug puts certain, commonly used protocols at risk for serious data loss. Hoteliers must take action to initiate the relatively simple fixes, sources said.

  The Heartbleed bug poses a serious threat to hotel company technology infrastructures, sources said. For those at risk, immediate action is required.

  Below is what hoteliers need to know.

  What is Heartbleed?

  “It’s a virus,” said Nick Price, CIO of CitizenM Hotels. “What we have here is a vulnerability in a low-level, commonly used protocol to establish secure communication between two end points,” such as a client and a Web server, or a server to another server.

  That communication is called OpenSSL, he said. It’s perhaps most commonly represented by a padlock icon shown when certain browser connections move to an elevated, secure state using an https URL, such as on banking websites.

  The at-risk OpenSSL library is widely used to secure everything from websites to email and chat services to VPN connections to network appliances such as routers, Price said.

  “The bug allows a client’s piece of software and something connected to one of these servers to read memory in the server completely untraceable,” he said. “The connection to the secured connection is indistinguishable from a valid connection. … What that basically means is a piece of software can be written to connect to one of these infected servers and a client can read memory.”

  At risk are passwords and other personal information, Price said.

  “The potential for data loss here is quite significant,” he said.

  Who created Heartbleed?

  For the potential calamity it represents, the virus’s origins are innocent enough, Price said.

  “It’s a simple, completely innocent coding error by one or more members of a small group who are responsible in the open-source community for writing the OpenSSL protocol,” he said.

  Unlike closed-source software controlled by more traditional technology heavyweights like Microsoft, open-source software is developed in a public, collaborative manner, with various programmers contributing to and testing source code.

  Similar bugs and errors happen all the time, Price said, but they’re normally found earlier and aren’t as catastrophic. The Heartbleed bug had existed for approximately two years before being discovered two weeks ago.

  How big of a threat is it to the hotel industry?

  “Yes it is serious, but it is serious because it has significant potential for problems rather than because it has caused problems. The fact that nobody knew about it until a week ago probably means that nobody anywhere knew about it,” including hackers or cyber criminals, Price said.

  “However, because of the ease with which you can exploit this issue and because of the widespread deployment of the affected Web products—it’s a significant double-digit percentage of the Web that uses these infected libraries—the potential for exploit in the future is extreme.

  “And because it is extreme, you should do something about it.”

  How do you know if your software is at risk?

  The infected OpenSSL library comprises OpenSSL 1.0.1 and its versions A through G, Price said. “All of those contain the coding bug.”

  Knowing which versions are infected makes them easy to weed out for tech-savvy hoteliers or companies with chief information officers.

  For those less versed in IT, it’s best to go straight to the source, said Deb Lambert, e-business director for Vantage Hospitality Group.

  “Our gut reaction is, let’s check with our technology vendors to make sure we’re fine. If they can validate that ‘yes, your secure certificates are of this caliber and there are no breaches,’ then we go through our next level of providers like our email providers,” she said.

  Price suggested the same.

  “First of all they have somebody who is responsible for their systems, because these systems don’t get implemented out of thin air. That somebody, whether it be a hosting company for a website or the guy down the road that knows something about PCs that comes in every night to help you out, if you’re an owner of a hotel, you have to ask that guy,” he said.

  Such analysis should be conducted by hotel companies big and small, sources agreed. Most of the major brands have announced their efforts to do just that. Marriott International, for example, issued the following statement:

  “We are aware of the Heartbleed bug, and consistent with our long-standing commitment to protecting guest information, we are conducting a comprehensive assessment of our customer facing systems, including Marriott.com and our Marriott Rewards systems. We have found nothing to indicate that these systems have been compromised by the Heartbleed bug, and we will continue to vigilantly monitor these systems in our ongoing efforts to protect guest information.”

  For hoteliers without the backing of a major chain, various vendors are offering free scans to determine server integrity. Lambert recommended McAfee’s True Intelligence Feed (Beta). Hoteliers simply enter the full secure domain name they want to test (e.g. https://www.hotelnewsnow.com), and the service reports whether a vulnerability has been detected.
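  For in-house systems, the version check described in this section can be scripted. The sketch below is an added example, not part of the original article: it sorts the banner text printed by `openssl version` into systems that need follow-up and systems that do not. It relies on the upstream OpenSSL release history, in which 1.0.1 through 1.0.1f carry the bug and 1.0.1g is the fixed release; the function names and the sample inventory are constructed for illustration.

```python
import re

# Matches the banner printed by `openssl version`, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013".
_BANNER = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-(?:beta|pre|dev)\d*)?", re.I)


def classify(banner):
    """Classify one version banner against the upstream affected range.

    Assumption (upstream release history, not stated in the article):
    1.0.1 through 1.0.1f carry the bug and 1.0.1g is the fixed release.
    """
    m = _BANNER.search(banner)
    if not m:
        return "unparsed"          # no recognisable version: ask the vendor
    if m.group(5):
        return "review"            # pre-release builds need a manual look
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    letter = m.group(4).lower()
    if branch == (1, 0, 1) and letter < "g":
        # Distributions often backport fixes without changing this string,
        # so this means "confirm the vendor patch level", not "compromised".
        return "affected-range"
    return "not-affected"


def follow_up(inventory):
    """Return the systems whose banner is not clearly outside the range."""
    return sorted(name for name, banner in inventory.items()
                  if classify(banner) != "not-affected")


# Constructed sample inventory: system label -> banner text as reported
# by a vendor or administrator. Labels and values are illustrative only.
SAMPLE = {
    "booking-web": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "guest-wifi-portal": "OpenSSL 0.9.8y 5 Feb 2013",
    "vpn-gateway": "OpenSSL 1.0.1g 7 Apr 2014",
    "mail-relay": "OpenSSL 1.0.1 14 Mar 2012",
    "pms-appliance": "version unknown, ask vendor",
}

if __name__ == "__main__":
    for name in follow_up(SAMPLE):
        print(name, "->", classify(SAMPLE[name]))
```

  A result of "affected-range" is a prompt to confirm the vendor's patch level, since a version string alone does not show whether a fix was backported.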

  How can you protect your company and your guests?

  Just because software could be infected does not mean it’s been compromised, Price clarified. “But it does imply that you could be. Therefore it makes sense to take the relatively simple and effective step to sort it out now.”

  Stopping the bleeding is as simple as updating the infected OpenSSL, sources said. For third-party solutions, that falls to the responsibility of vendors. For in-house systems, hoteliers must lead the charge.

  The important thing is that someone takes action and hoteliers verify the necessary updates have taken place.

  “Ignorance is not an excuse here. The only way you’re going to solve this problem and close down a very nasty potential issue is by being very well-informed about the infrastructure you’re depending on … and taking appropriate actions to make sure that those various pieces of software that you have in that infrastructure are properly patched and properly updated,” Price said.
