
A matter of the heart

by Brian Sims

The Heartbleed Bug, a serious vulnerability in the popular OpenSSL cryptographic software library, has been worrying many cloud enterprises in the past couple of weeks. The weakness allows an attacker to steal information that would normally be protected by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The bug was named Heartbleed because it is in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520). When exploited it leaks memory contents from the server to the client and from the client to the server, up to 64 KB per heartbeat request, and the request can be repeated.

Major players such as Dropbox and LastPass (a web-based password manager) have reassured their cloud service users that their information is safe. People should nevertheless be mindful that the Heartbleed bug allows anyone on the Internet to read the memory of systems protected by vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify service providers and to encrypt the traffic, the names and passwords of users, and the actual content. Attackers can therefore eavesdrop on communications, steal data directly from services and users, and impersonate services and users.

The extent of the damage caused by the flaw is unknown. The security hole exists on a vast number of the Internet's web servers and went undetected for more than two years. In the USA, people who have accounts on the enrolment website for President Barack Obama's signature health care law are being told to change their passwords following an administration-wide review of the government's exposure to the Heartbleed Internet security flaw.
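To make the heartbeat mechanism concrete, here is an added Python model of the bug and its fix. It is not OpenSSL's code and not part of the original article: it encodes a HeartbeatRequest as RFC 6520 lays it out (type, 16-bit payload_length, payload, at least 16 bytes of padding) and runs it through two toy handlers. The "memory" byte string and the secret placed next to the received record are constructed stand-ins for a process heap; the handler function names are this example's own.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of padding follow the payload

# Constructed stand-in for whatever sits in process memory next to the received
# record (in the real bug: other connections' data, session cookies, private keys).
ADJACENT_MEMORY = b"session_cookie=deadbeef; privkey=-----BEGIN RSA PRIVATE KEY-----"


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a HeartbeatRequest: type(1) | payload_length(2) | payload | padding.

    claimed_len lets the sender lie about payload_length, which is what a
    Heartbleed probe does: a tiny payload with a large claimed length.
    """
    if claimed_len is None:
        claimed_len = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING


def vulnerable_handler(memory: bytes, record_len: int) -> bytes:
    """Model of the unpatched logic: trusts the peer-supplied payload_length and
    echoes that many bytes from the payload onwards, never checking whether the
    record actually contained them. record_len is ignored, which is the bug."""
    hb_type, payload_len = struct.unpack("!BH", memory[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    echoed = memory[3:3 + payload_len]  # over-reads past the record into adjacent memory
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + echoed + b"\x00" * MIN_PADDING


def patched_handler(memory: bytes, record_len: int) -> bytes:
    """Same logic with the bounds check the fix adds: header, claimed payload and
    minimum padding must all fit inside the bytes actually received, otherwise the
    message is silently discarded as RFC 6520 requires."""
    hb_type, payload_len = struct.unpack("!BH", memory[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    if 1 + 2 + payload_len + MIN_PADDING > record_len:
        return b""
    echoed = memory[3:3 + payload_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + echoed + b"\x00" * MIN_PADDING


def response_payload(response: bytes) -> bytes:
    """Strip the response header and trailing padding, returning only the echoed bytes."""
    if not response:
        return b""
    _, payload_len = struct.unpack("!BH", response[:3])
    return response[3:3 + payload_len]


def probe(handler, claimed_len: Optional[int] = 64) -> bytes:
    """Send a 2-byte payload (honest length if claimed_len is None, otherwise the
    lie) and return whatever the handler echoes back."""
    record = build_heartbeat(b"hi", claimed_len=claimed_len)
    # Constructed model of the receive buffer followed by neighbouring heap data.
    memory = record + ADJACENT_MEMORY + b"\x00" * 64
    return response_payload(handler(memory, len(record)))


if __name__ == "__main__":
    print("unpatched echoes:", probe(vulnerable_handler))
    print("patched echoes:  ", probe(patched_handler))
    print("patched, honest: ", probe(patched_handler, claimed_len=None))
```

The unpatched handler returns the two real payload bytes followed by 62 bytes it was never sent, including the planted secret; the patched handler discards the lying request but still answers an honest one. The real over-read is bounded by the 16-bit length field, hence the 64 KB per request noted above.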
Gerry Lawrence, Operations Director at Adapt, a managed infrastructure services provider, believes companies are being given mixed messages about the best ways to secure their infrastructure. He says, "With an estimated 400 enterprise cloud apps vulnerable to Heartbleed, many organisations have been left in limbo. The Heartbleed bug is hard to detect and there is mixed messaging about what companies should do to secure their infrastructure and data.

"The first step to take is to assess the risks surrounding your business. Internet-facing applications are typically the most at risk. If an organisation suspects it is at all vulnerable, it should work quickly to patch or disable affected services. Then regenerate the private key and obtain a new SSL certificate. Once that is installed, revoke the old SSL certificate. To mitigate risk and to keep operations running smoothly, it is advisable to work closely with a service provider or the operating system vendor during this process. Companies should also be discussing next steps with their service providers to ensure their data is protected and that all services remain safe. If the site has been vulnerable, then it is practical to advise end users to change their passwords once the site has been patched and the new certificate has been installed."

The most notable software using OpenSSL is the open source web servers Apache and nginx. The combined market share of just those two among the active sites on the Internet was over 66 per cent according to Netcraft's April 2014 Web Server Survey. OpenSSL is also used to protect, for example, email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and a wide variety of client-side software. The official reference number for this bug is CVE-2014-0160 (Common Vulnerabilities and Exposures), part of the Standard for Information Security Vulnerability Names maintained by MITRE.
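The assessment step above starts with knowing which OpenSSL build each host runs. As an added example, not from the article or from Adapt, the following Python classifies the output of `openssl version` against the releases the OpenSSL advisory lists for CVE-2014-0160 (1.0.1 through 1.0.1f and 1.0.2-beta1 affected; 1.0.1g, the 1.0.0 branch and 0.9.8 not). The banners fed to it are constructed samples, and the `vendor_patched` flag is this example's own way of carrying the caveat that distributions backport the fix without changing the version letter, so a 1.0.1e banner alone can neither condemn nor clear a host.

```python
import re
from typing import Optional, Tuple

# Affected upstream releases per the OpenSSL project's advisory for CVE-2014-0160.
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_banner(banner: str) -> Optional[Tuple[int, int, int, str, Optional[int]]]:
    """Parse an `openssl version` banner such as 'OpenSSL 1.0.1e 11 Feb 2013'.

    Returns (major, minor, fix, letter, beta) or None if it is not an OpenSSL banner.
    """
    m = _BANNER_RE.search(banner)
    if m is None:
        return None
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, (int(beta) if beta else None)


def upstream_vulnerable(banner: str) -> Optional[bool]:
    """True if the upstream release in the banner shipped with Heartbleed, False if
    not, None if the banner could not be parsed."""
    parsed = parse_banner(banner)
    if parsed is None:
        return None
    major, minor, fix, letter, beta = parsed
    if (major, minor, fix) == (1, 0, 1):
        # '' (plain 1.0.1) and 'a'..'f' are affected; 'g' and later carry the fix.
        return letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1  # only 1.0.2-beta1 was affected
    return False


def assess(banner: str, vendor_patched: Optional[bool] = None) -> str:
    """Turn the version check into the action the remediation steps above call for.

    vendor_patched is an assumption supplied by the operator after reading the
    package changelog or vendor advisory: distributions backport the fix without
    bumping the letter, so the banner alone is inconclusive for affected releases.
    """
    vulnerable = upstream_vulnerable(banner)
    if vulnerable is None:
        return "unknown: not an OpenSSL banner"
    if not vulnerable:
        return "not affected"
    if vendor_patched is True:
        return "affected release with vendor backport: treat as patched, confirm via changelog"
    if vendor_patched is None:
        return "affected release: confirm against vendor advisory before treating as patched"
    return ("vulnerable: patch or disable, regenerate private key, install new certificate, "
            "revoke old certificate, then have users change passwords")


if __name__ == "__main__":
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.2-beta1", "OpenSSL 1.0.0l", "LibreSSL 2.0.0"):
        print(f"{sample!r:32} -> {assess(sample)}")
```

The ordering encoded in the final message matters: rekeying before patching leaks the new key through the same hole, revoking before the new certificate is installed causes an outage, and a password reset before both steps only hands the attacker the new password.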
