by Jeremy Lesniak
On April 7, 2014, security researchers announced the discovery of a substantial Internet vulnerability. Dubbed “Heartbleed,” this vulnerability threatened to affect a large portion of the Internet in a way we had not seen before. I’ve followed the incident closely and have put together a short explanation of the vulnerability and how it affects you.
What is Heartbleed? Heartbleed is the name given to a vulnerability discovered in OpenSSL, a widely used software library that implements SSL. Specifically, the flaw was found in a portion of OpenSSL referred to as the heartbeat extension, hence the name. The Heartbleed vulnerability allows an attacker to request and receive small pieces of an affected website's memory, which may contain usernames, passwords or other data.
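As an added illustration (not part of the original column), the following Python model shows the mechanism behind the bug: the heartbeat handler trusted the payload length the other side declared instead of the length it actually received, so its reply could echo back whatever happened to sit in memory next to the request, and the fix is a single bounds check. The message layout follows the TLS heartbeat extension; the secret string and the memory layout are constructed for the demonstration.

```python
import struct
from typing import Optional

# TLS heartbeat message: 1-byte type, 2-byte big-endian payload_length,
# the payload, then at least 16 bytes of padding.
HB_REQUEST, HB_RESPONSE = 1, 2
PADDING_LEN = 16

def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Build a heartbeat request. claimed_len, when given, writes a length
    field that disagrees with the payload actually sent (the malformed case)."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * PADDING_LEN

def respond_unchecked(record: bytes, adjacent_memory: bytes) -> bytes:
    """Pre-fix behaviour: trust the peer's length field and copy that many
    bytes from where the payload starts. The record is modelled as sitting
    directly in front of other process memory (constructed here), so an
    oversized length reads past the record and echoes that memory back."""
    _type, length = struct.unpack("!BH", record[:3])
    memory = record + adjacent_memory
    echoed = memory[3:3 + length]
    return struct.pack("!BH", HB_RESPONSE, length) + echoed + b"\x00" * PADDING_LEN

def respond_checked(record: bytes, adjacent_memory: bytes) -> Optional[bytes]:
    """Fixed behaviour: silently discard any heartbeat whose declared payload,
    plus header and minimum padding, does not fit inside the record received."""
    _type, length = struct.unpack("!BH", record[:3])
    if 1 + 2 + length + PADDING_LEN > len(record):
        return None
    echoed = record[3:3 + length]
    return struct.pack("!BH", HB_RESPONSE, length) + echoed + b"\x00" * PADDING_LEN

# Constructed sample: a secret that happens to sit in memory after the record.
SECRET = b"user=alice&password=hunter2"

def demo() -> dict:
    well_formed = build_heartbeat(b"ping")                 # length field matches
    malformed = build_heartbeat(b"ping", claimed_len=64)   # claims 64, sends 4
    return {
        "unchecked_leaks": SECRET in respond_unchecked(malformed, SECRET),
        "checked_rejects": respond_checked(malformed, SECRET) is None,
        "checked_normal": respond_checked(well_formed, SECRET),
    }

if __name__ == "__main__":
    print(demo())
```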
What’s SSL? SSL stands for Secure Sockets Layer and is a very common way of encrypting traffic between you and a website. If you’ve ever seen the characters https:// before a website address, the “s” indicates that the website you’re using offers some form of SSL security.
How Widespread is Heartbleed? The two most prominent web servers on the Internet are Apache and nginx, which together account for approximately two-thirds of the market. Both commonly rely on OpenSSL, so both are (or were) vulnerable to Heartbleed. These web servers are used for any number of websites, from email, to chat, to more.
Where Did Heartbleed Come From? Heartbleed was independently discovered by at least two people, one from Google and one from a Finnish security firm. The actual code that is vulnerable was written several years ago. In other words, this problem has existed for quite a while, but no one noticed.
How Do I Know if I’m Affected? In short, if you use the Internet, you’re affected. The sheer number of websites that are, or were, vulnerable is staggering. You’ve likely received some communication from websites you use about whether or not your information was vulnerable. Unfortunately, there’s no way to know if the Heartbleed bug was exploited on a particular website, as the exploitation leaves no trace.
What Should I Do Right Now? I’ve long advocated that you periodically change your passwords, and now would be a good time. If you’re already doing that, you might want to check out tools like LastPass (lastpass.com) that have built-in options to examine websites for vulnerabilities.
How Do I Know if a Website is Vulnerable? There are a number of sites out there that will tell you; this one from Symantec/Norton is as good as any: http://safeweb.norton.com/heartbleed
What if my Business is Vulnerable? I’d strongly suggest working with your website provider or consulting firm to get the vulnerability fixed as soon as possible. If your organization uses a VPN (virtual private network), your VPN implementation may be vulnerable as well. Consult your IT staff or firm to find out.
What Do We Do Moving Forward? Unfortunately, there’s not much we can do differently. There are always going to be vulnerabilities in software code, and so long as there’s motivation to exploit those vulnerabilities, people will. Fortunately there are “good guys” looking for the same holes in the Internet in an effort to plug them before too much damage can be done. My recommendations now are the same as they’ve always been—have good security policies, verify things on a schedule, back up, and be smart with your data.
If you want to read more about Heartbleed, there are many sites where you can do so. Wikipedia, as always, has some good information, but it’s a bit heavy to read through: http://en.wikipedia.org/wiki/Heartbleed. The website http://heartbleed.com/ is far easier to read. Symantec/Norton has ongoing communication about Heartbleed, and many will find their response at http://www.symantec.com/outbreak/?id=heartbleed worth reading.