The internet is increasingly becoming the place where all the information about us as individuals resides. Our preferences, activities and social connections, and even critical data such as bank account details, income details and passwords, live online today.
Confidential data residing online makes web security an important concern. Secure Sockets Layer (SSL) protocol and Transport Layer Security (TLS) are used by websites as security standards to transmit information securely between the server and the user via client authentication, data encryption and data integrity checks.
Communication between a user and the server is kept alive by sending a specific signal to the server to check whether it is still online; this signal is called a “heartbeat”. Earlier this year, a Google researcher and a Finnish firm (Codenomicon) independently discovered a bug in OpenSSL’s implementation of the TLS/DTLS heartbeat extension and called it the “Heartbleed” bug.
Heartbleed abuses the heartbeat request: a malicious heartbeat tricks the server into sending back random chunks of its memory, which can include email addresses, usernames, passwords or any other sensitive data, enabling attackers to harvest information across the internet. Although Heartbleed is the result of a small coding error, it affected several major websites, including Google, Facebook, Yahoo, Amazon, Pinterest and SoundCloud, and hence a majority of internet users. Mobile security has been another casualty, with Android among the operating systems most affected by the Heartbleed bug. Several tools, such as Tripwire SecureScan, App check, McAfee’s test tool and Qualys’ ssllabs.com, were made available promptly to test whether a site is affected by Heartbleed.
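The "small coding error" above was a missing bounds check: the heartbeat extension (RFC 6520) carries a client-declared payload length, and the unpatched code copied that many bytes into the reply without confirming that the record it had actually received was that long, so the copy ran past the request into whatever else sat in memory. The following is an added illustration written for this article, not OpenSSL's own code, of how a heartbeat handler is meant to validate the message before echoing it; the function names, the zeroed padding and the test inputs are all constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* RFC 6520 heartbeat message layout:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Validate an incoming heartbeat record and, if it is well formed, build the
 * heartbeat response into `out` (capacity `out_cap`). Returns the response
 * length, or -1 if the record must be silently discarded (RFC 6520, section 4). */
int heartbeat_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec == NULL || out == NULL) return -1;
    /* The record must at least hold the header plus the minimum padding. */
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;

    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);

    /* This is the check the vulnerable code lacked: the length the peer
     * declares must fit inside the bytes that were actually received.
     * Without it, memcpy below would read beyond the request buffer. */
    if ((size_t)HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len) return -1;

    size_t resp_len = (size_t)HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap) return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    /* Echo exactly the payload the peer sent, nothing more. */
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len);
    /* Real implementations use random padding; zeroed here for determinism. */
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    return (int)resp_len;
}

/* Test helper (constructed for this example): build a heartbeat request whose
 * declared length may differ from the number of payload bytes actually placed
 * in the buffer, so the validator can be exercised with both cases. */
size_t build_request(uint8_t *buf, size_t cap, uint16_t declared_len,
                     const uint8_t *payload, size_t actual_len)
{
    size_t total = HB_HEADER_LEN + actual_len + HB_MIN_PADDING;
    if (total > cap) return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(declared_len >> 8);
    buf[2] = (uint8_t)(declared_len & 0xff);
    memcpy(buf + HB_HEADER_LEN, payload, actual_len);
    memset(buf + HB_HEADER_LEN + actual_len, 0, HB_MIN_PADDING);
    return total;
}
```

A request whose declared length matches its payload is echoed back; one that declares more bytes than it carries is dropped without a reply, which is exactly the behaviour the OpenSSL fix restored. The same rule is also what a scanner such as the ones named above is probing for: a patched server stays silent on the malformed request, an unpatched one answers with data it should never have sent.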
Heartbleed has far-reaching consequences because it remained undetected for about two years. The fix has been identified, but applying the patch to all affected platforms could take almost a year, and attackers can continue to exploit the flaw until the bug is completely fixed. According to sources, even two weeks after disclosure about 300,000 websites were still showing up as vulnerable in scans.
To protect user data and encryption keys, sites must upgrade to the patched version of OpenSSL, revoke potentially compromised SSL certificates and have new ones issued. Smaller online stores and services affected by Heartbleed could take time to put these remedies in place. For complete protection, users are advised to wait until a site has applied the patch, then set new, long, unique passwords and change them regularly thereafter.
Since a lack of funding may also have contributed to Heartbleed, the Linux Foundation has announced a multimillion-dollar project, the “Core Infrastructure Initiative”, to fund critical elements of the global information infrastructure.
Whatever the reason may have been, the shockwaves that Heartbleed sent out were enough to jolt a large number of enterprises awake to their vulnerability. It is yet another reminder of just how insecure information technology intrinsically is, and how seriously we need to take vulnerability management.