A matter of the heart

Posted On 23 Mar 2014

The Heartbleed Bug, a serious vulnerability in the popular OpenSSL cryptographic software library, has been worrying many cloud enterprises in the past couple of weeks. This weakness allows stealing the information that is, under normal conditions, protected by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). The bug was named Heartbleed because it is in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520). When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.

Major players such as Dropbox and LastPass (a web interface that can hold all the passwords used on a computer) have reassured their cloud service users that their information is safe. However, people should be mindful, given that the Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users, and impersonate services and users. The extent of the damage caused by the flaw is unknown. The security hole exists on a vast number of the Internet's web servers and has gone undetected for more than two years. In the USA, people who have accounts on the enrolment website for President Barack Obama's signature health care law are being told to change their passwords following an administration-wide review of the government's vulnerability to the confounding Heartbleed Internet security flaw.
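The flaw described above is a missing bounds check: the receiver trusted the payload_length field of a heartbeat message instead of comparing it against the length of the record actually received. The following is an added example, not OpenSSL's code, of a minimal RFC 6520 heartbeat receiver that performs that comparison and silently discards a message whose declared length does not fit; hb_build is a constructed helper that builds test records, and all names are assumptions for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 HeartbeatMessage layout: 1-byte type, 2-byte payload_length,
 * the payload itself, then at least 16 bytes of random padding. */
enum { HB_TYPE_LEN = 1, HB_LEN_FIELD = 2, HB_MIN_PADDING = 16 };
enum { HB_REQUEST = 1, HB_RESPONSE = 2 };

/* Copies the heartbeat payload into 'out' (capacity out_cap) and returns
 * its length, or -1 when the message must be silently discarded.
 * Example code, not OpenSSL's implementation. */
int hb_handle(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    /* Header plus mandatory padding must already be present. */
    if (rec_len < HB_TYPE_LEN + HB_LEN_FIELD + HB_MIN_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The check that was missing: the declared payload_length must fit
     * inside the record we actually received, padding included. Without
     * it, a large declared length reads past the end of the record. */
    if (HB_TYPE_LEN + HB_LEN_FIELD + payload_len + HB_MIN_PADDING > rec_len)
        return -1;
    if (payload_len > out_cap) return -1;
    memcpy(out, rec + HB_TYPE_LEN + HB_LEN_FIELD, payload_len);
    return (int)payload_len;
}

/* Constructed test input: writes a heartbeat request into 'buf' whose
 * payload_length field says 'declared' while only 'actual' payload bytes
 * are really present. Returns the total record length (0 if too big). */
size_t hb_build(uint8_t *buf, size_t cap, uint16_t declared, size_t actual)
{
    size_t total = HB_TYPE_LEN + HB_LEN_FIELD + actual + HB_MIN_PADDING;
    if (total > cap) return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(declared >> 8);
    buf[2] = (uint8_t)(declared & 0xff);
    memset(buf + 3, 'A', actual);              /* payload */
    memset(buf + 3 + actual, 0, HB_MIN_PADDING); /* padding */
    return total;
}

int main(void)
{
    uint8_t rec[64], out[64];
    size_t n = hb_build(rec, sizeof rec, 5, 5);        /* honest request */
    printf("honest: %d\n", hb_handle(rec, n, out, sizeof out));
    n = hb_build(rec, sizeof rec, 0x4000, 5);          /* lies about length */
    printf("oversized: %d\n", hb_handle(rec, n, out, sizeof out));
    return 0;
}
```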
Gerry Lawrence, Operations Director at Adapt, a managed infrastructure services provider, believes companies are being given mixed messages about the best ways to secure their infrastructure. He says: "With an estimated 400 enterprise cloud apps vulnerable to Heartbleed, many organisations have been left in limbo. The Heartbleed bug is hard to detect and there is mixed messaging about what companies should do to secure their infrastructure and data."

He continues: "The first step to take is to assess the risks surrounding your business. Internet-facing applications are typically the most at risk. If an organisation suspects it is at all vulnerable, it should work quickly to patch or disable affected services. Then regenerate the private key and obtain a new SSL certificate. Once that is installed, revoke the old SSL certificate. To mitigate risk and to keep operations running smoothly, it is advised to work closely with a service provider or the operating system vendor during this process. Also, companies should be discussing next steps with their service providers to ensure their data is protected and that all services remain safe. If the site has been vulnerable, then it is practical to advise end users to change their passwords once the site has been patched and it has the new certificate installed."

The most notable software using OpenSSL are the open source web servers Apache and nginx. The combined market share of just those two among the active sites on the Internet was over 66 per cent according to Netcraft's April 2014 Web Server Survey. Furthermore, OpenSSL is used to protect, for example, email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and a wide variety of client-side software. The official reference number for this bug is CVE-2014-0160 (Common Vulnerabilities and Exposures), which is part of the Standard for Information Security Vulnerability Names maintained by MITRE.

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.