San Diego Business Journal

The Heartbleed bug has San Diego businesses hopping.

The computer security vulnerability, which gained wide public attention this month, has driven businesses to change their passwords, patch software and seek advice from technical gurus about whether their information might end up in hackers’ hands.

Among the people answering questions was Jim Matteo, CEO of computer consultant Bird Rock Systems in Mira Mesa, who said he saw an uptick in calls — and business.

One of the difficult things about the vulnerability is that it leaves no footprints, Matteo said.

The bug means more work, and not all of it is compensated, said Andrew Hartman, who offers information technology help for small businesses as the owner of Syndeo Communications in Oceanside. He described having to take down clients’ computer systems at night to upgrade firmware on firewalls.

“We don’t know the full depth and breadth” of the issue yet, Hartman said.

“This is one of the largest security and privacy problems that I’ve seen with cloud technology,” wrote Eric Rockwell, president of Kearny Mesa-based CentrexIT, a small information technology management firm.

IT Vendors ‘Pulling Together’

The nickname Heartbleed is a variation of the word heartbeat, a term referring to one server sending a small amount of information to another server — the computer equivalent of saying “I’m here.”

A hacker can approach a server that contains the Heartbleed vulnerability and make it “spit back information” that other people have fed it — including user names, passwords and credit card data — said Neil Palmer, who runs the computer infrastructure at Miro Technologies and Tapestry Solutions, a unit of the Boeing Co. (NYSE: BA).

Palmer said he got wind of “a fairly nasty bug out there” from someone on his team April 3. Shortly after that tip, he started getting warnings from vendors that they may have the bug. Company systems were patched within 24 hours, Palmer said.

“Everybody seems to be pulling together” in the situation, Palmer said, adding that he has not seen such cooperation among vendors before.

The Hearthbleed bug is technically known by the less-lurid name OpenSSL private key disclosure vulnerability. It’s part of some code that debuted in April 2012. Rockwell said he has advised customers about the problem since 2013.

“You don’t always know who’s accountable for protecting your data, or what they’re really doing to protect it,” Rockwell wrote in his comments on cloud computing. “Because we already knew about the OpenSSL vulnerability, we have never used any OpenSSL encryption technology in any of our clients’ production environments.”

Tax Data Reported to Be Safe

Intuit Inc., whose TurboTax software business is based in San Diego, issued statements to relieve customer jitters as the April 15 deadline for filing tax returns approached.

“TurboTax engineers have verified TurboTax is not affected by Heartbleed,” said the business’s April 11 statement. “You can be confident that TurboTax websites are secure and your personal and financial information is safe.”

The business declined to be interviewed. In mid-January, Intuit had 1,200 employees in San Diego, the company said.

The Internal Revenue Service told taxpayers to keep filing their taxes this month, but the Canadian tax agency shut down its servers April 8 — and later said it lost taxpayer data over six hours.

Websense Inc., the San Diego company that offers computer security products, said its online ACE Insight product — at aceinsight.com — can help people identify websites that might be at risk.