What should cities do about the Heartbleed bug?

Wed, 2014-04-16 06:00 -- Doug Cooley

Cities and other public sector agencies are grappling with what to do about the Heartbleed bug. 

Heartbleed generated considerable hoopla and headlines in the past week. The bug compromises the online encryption software OpenSSL, which is installed on many business and government file servers to secure data sent between users and the servers. Experts believe that OpenSSL is used for securing up to 70% of online communications.

A new version of OpenSSL is available that corrects the vulnerability, and organizations have begun to install it. In the meantime, a Govtech.com piece points to two test sites where you can enter a website name to determine if it is affected by Heartbleed. One is the SSL Server Test provided by Qualys SSL Labs. Another is an Italian site called Heartbleed test.

In a Govtech.com interview, Jerry Irvine of Prescient Solutions advises cities to undertake site testing on two fronts. The first is for public sector employees to test vendor and partner websites they log into from their workplace. If those websites fail the test, they should avoid them until they’re patched. After it’s determined that the servers are patched, employees should log into the sites and change their usernames and passwords.

Irvine’s second recommendation is that city IT departments check their own servers for an OpenSSL vulnerability and make sure the latest version of the encryption software is installed. Some government agencies have taken their citizen-facing sites offline until the software patch is installed and tested.

The ability to ensure secure data transmissions undergirds much of the smart city movement, including smart payments and online interactions with citizens. The Smart City Readiness Guide looks at the necessity of online security across various city responsibilities. The Readiness Guide is available for free with your one-time SCC registration.