The Heartbleed Security Bug: What’s been the effect on Multifamily?
In the first week of April we received word that OpenSSL, the open source implementation of the SSL and TLS protocols, had been compromised. Over the past 2 years, this vicious flaw that raged throughout the internet, allowed hackers to steal encrypted data. If you’re like most people, up until recently, you probably had no idea what this technology even meant. Who cares, right? I just need to check Facebook one more time.
Truthfully, though, the normal web protocol (http) is not very secure. If you’re smart and have the proper software, it’s possible to listen in on what computers are saying back and forth to each other. You could read passwords and usernames and credit card information and the number of times you watched Miley on YouTube. Secure Socket Layer encryption (https) makes it so if you do listen in, you won’t be able to understand a word of it.
Until the Heartbleed security flaw, of course. The name Heartbleed is kind of a clever play on words. When your computer is communicating with a web server using SSL, sometimes it needs to ask the web server if it’s still there. To do this, it sends what is known as a heartbeat packet. It’s this packet of data that hackers could exploit. They could fake this heartbeat, pretend it was coming from you, and gain access to whatever is in the webserver’s memory. In most cases that’s credit card information, passwords, and other important data.
The one thing everyone needs to remember about the Heartbleed problem is this; no one knows if a hacker got your personal information or not. The hack is untraceable. It’s why most are recommending that you change your passwords.
Important note: only change your password if a site has been tested clean for the vulnerability. You can do that here:
I wanted to find out what effect this vulnerability had on our major partners in the Multifamily space. I reached out and got some good responses. Here’s what they had to say:
The Yardi security team is pleased to confirm that Yardi applications hosted within the Yardi Cloud are not vulnerable to the Heartbleed Bug. Our security team actively monitors and evaluates US-CERT, Microsoft and other security bulletins, and it performs quarterly comprehensive security audits of our infrastructure in order to protect our clients from such threats.
The multifamily housing industry, of necessity, relies on SaaS/PaaS providers for their management, marketing, leasing and resident services. It’s critical that those providers rapidly respond to any threats to their operations. Recently, the world became aware of the HeartBleed vulnerability which affected the security of majority of the Internet, including the Property Solutions ecosystem. This situation raises an interesting question: In light of major security threats, what can technology users expect of their technology providers?
Software and platform providers should always act quickly to address all known issues. Property Solution’s full-time security team took immediate action to audit and patch all encrypted systems where OpenSSL was used. We regenerated our private keys and pushed out a new SSL certificate to the servers and content delivery network.
But beyond handling internal patches, technology providers have a responsibility to their clients to help them address security issues. We had our DevOps team create a new tool in our Entrata platform that enables customers to force the reset all user passwords in their company, and we’re actively encouraging our clients to use this tool. While we do not believe we have been the target of an attack using the HeartBleed vulnerability, we are committed to maintaining maximum security around our clients’ data and applications. ~ Ryan Byrd, VP of Engineering
We conducted a thorough review of our website/technologies & were able to determine that our properties/customers weren’t impacted.
Don’t worry. RentLinx uses a different encryption technology than the one that was affected by the Heartbleed bug, and therefore is not affected by Heartbleed.
If you used your RentLinx password only for RentLinx, there is no need to change it. However, if you used the same password for other websites, we recommend that you change your RentLinx password. ~taken from their blog post
Fortunately, Apartments.com was not directly exposed to Heartbleed. On Monday, our security team took the necessary measures to assess our risk by coordinating with our network and system’s teams. We also assessed our third-party partners to determine if they presented a risk, resetting connections and making updates as needed based on partnership recommendation. Additionally, we also educated employees on best practices pertaining to password protection. ~Dick Burke, President of Apartments.com
As we should have suspected, our partners are all over it. When I hear from more of them, I’ll update this post.
Happy renting everyone.
Comic courtesy of xkcd.com