17 Canon Harnett Court, Warren Park
Stratford Road, Milton Keynes, MK12 5NF

YCW_LOGO_WHITE_300px

17 Canon Harnett Court, Warren Park, Stratford Road, Milton Keynes, MK12 5NF

Heartbleed Bug Q & A

Your Cloud Works

IT Security & Support Specialist for Small and Medium Businesses

WordpressHeaderLogo

What is it?

It’s a bug in the OpenSSL method a server uses to secure communications back and forth between the server and client (device). OpenSSL is present when you see the little padlock in your browser and the URL begins with HTTPS. The affected versions are 1.0.1 through to 1.0.1f.

What does it do?

The heart beat feature in the vulnerable versions of OpenSSL can be used maliciously to read the servers live memory. An attacker can try to extract valuable information, such as username and passwords, or worse, the private key used in public/private keypair crypto from the data they collect. It is an especially critical security breach as the heartbeat channel is not usually monitored, therefore an attack would leave no trace.

Is it bad?

In a nutshell, yes it is a threat to personal and sensitive information. Private data was successfully retrieved by exploiting the Heartbleed bug in a controlled environment using servers owned by the testers. There has also been reported cases of certain bloggers running POC code against servers they did not own, as known as hacking, who were also able to retrieve some important information.

How can it be fixed?

It is in the hands of the system admins of the affected servers. If a server is using a vulnerable version of OpenSSL, it needs to be upgraded to OpenSSL version 1.0.1g. Alternatively recompile it with the -DOPENSSL_NO_HEARTBEATS switch to disable the heart beat feature. They should get all new certificates, and to be extra safe perform a password sweep, and recommend their users perform one as well.

Why did we not know sooner?

OpenSSL is a free service and maintained by a small team of volunteers, who, of course, do not get paid for their time. Due to the service being free it used by the majority of organisations.

What should I do?

Use a HeartBleed Checker, such as LastPass.

If you use the Chrome browser try the Chrome heartbleed extention.

Change your important passwords!

If you want to find out more, there is an official page covering the bug that goes in greater details.

Mashable also has a hit list of services affected, if you actively use one of these, you should look into changing your passwords.

 

Share this Post:

Share on facebook
Share on twitter
Share on linkedin