Every day you use encryption technology to protect your data, your applications and online services. Most of the time, most people are blissfully unaware it is even happening. Whether you are a consumer accessing your Internet bank site, using a mobile application to log in and share data, or trading online, most of our use of modern technology involves this key capability, and without it trust on the Internet is significantly undermined. A new bug, again, puts trust on the Internet at risk on a significant scale. The bug, dubbed ‘heartbleed’, is based on a fault in functionality in the widely used OpenSSL library. It was originally discovered by Neel Mehta of Google Security. This library is extremely widely used, from security vendors’ products to secure web browsing (when you log in to a site and see https://) and even mobile banking applications. The Apache web server, which powers a substantial part of the Internet, tends towards using OpenSSL. You may be using it at your business right now, and many popular services like Yahoo have been shown to be vulnerable.
So what exactly does this bug do and why should you care? There are numerous technical write-ups (with excellent detail, one of my favorites being this one), but for the rest of the Internet community the problem is as follows. When the bug is exploited, the attacker can retrieve memory (up to 64kb) from the remote system. This memory may contain usernames, passwords, keys or other useful information that enables bigger attacks. An attacker may, for example, be able to retrieve the keys and secrets used to encrypt traffic and then intercept and read the communications of all other users of that service. There are all kinds of variations that might be possible based on the ability to read this memory. 64kb may not seem like a great deal of data, but of course the attacker can connect repeatedly and progressively collect more information. This is a serious problem indeed.
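To make the defect concrete, here is an added, simplified model of the heartbeat handling (this is illustrative code written for this post, not OpenSSL’s own source): the pre-fix version trusts the length field the sender supplies and copies that many bytes back, while the fixed version checks the declared length against the record it actually received. The arena, the record layout constants and the “secret” that follows the record are constructed assumptions for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simplified heartbeat record: type (1) | payload_length (2, big-endian) | payload | padding (>= 16). */
#define HB_HEADER  3
#define HB_PADDING 16

/* Arena standing in for process memory: the received record sits at the front and
 * whatever the process happened to allocate next (here a constructed secret) follows it. */
typedef struct {
    uint8_t mem[128];
    size_t  record_len;   /* bytes actually received on the wire */
} hb_arena;

/* Build a record whose declared payload length may disagree with the bytes really sent.
 * 'declared' goes into the length field; 'actual' (<= 64) is the payload really present. */
void hb_build(hb_arena *a, uint16_t declared, size_t actual) {
    if (actual > 64) actual = 64;                    /* keep the model inside the arena */
    memset(a->mem, 0, sizeof a->mem);
    a->mem[0] = 1;                                   /* heartbeat_request */
    a->mem[1] = (uint8_t)(declared >> 8);
    a->mem[2] = (uint8_t)(declared & 0xff);
    memset(a->mem + HB_HEADER, 'A', actual);         /* payload actually sent */
    a->record_len = HB_HEADER + actual + HB_PADDING;
    /* Constructed secret the process stored right after the record buffer. */
    memcpy(a->mem + a->record_len, "SECRET-KEY-MATERIAL", 19);
}

/* Pre-fix behaviour: copy 'declared' bytes regardless of how many were received,
 * so the reply carries whatever memory lies beyond the real record. Returns bytes copied.
 * (Clamped to the arena only so this model itself stays memory-safe.) */
size_t hb_respond_vulnerable(const hb_arena *a, uint8_t *out, size_t out_cap) {
    uint16_t declared = (uint16_t)((a->mem[1] << 8) | a->mem[2]);
    size_t n = declared < out_cap ? declared : out_cap;
    if (n > sizeof a->mem - HB_HEADER) n = sizeof a->mem - HB_HEADER;
    memcpy(out, a->mem + HB_HEADER, n);              /* no check against record_len */
    return n;
}

/* Fixed behaviour: the declared length plus header and padding must fit inside the
 * record actually received; otherwise the message is discarded. Returns bytes copied, 0 if rejected. */
size_t hb_respond_fixed(const hb_arena *a, uint8_t *out, size_t out_cap) {
    uint16_t declared = (uint16_t)((a->mem[1] << 8) | a->mem[2]);
    if (a->record_len < HB_HEADER + HB_PADDING) return 0;             /* too short for any payload */
    if ((size_t)HB_HEADER + declared + HB_PADDING > a->record_len) return 0;
    size_t n = declared < out_cap ? declared : out_cap;
    memcpy(out, a->mem + HB_HEADER, n);              /* bounded by the check above */
    return n;
}
```

The missing comparison between the declared length and the received record length is the whole defect; every remediation step below exists to get that check onto your systems.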
What should you do to protect your services?
1) Check whether your website, apps or any products use OpenSSL and whether they are vulnerable to the attack. There is a neat site at https://filippo.io/Heartbleed/ where you can quickly run the check.
2) Update OpenSSL to the latest version, which fixes the defect – this is not an automatic process in many cases. You need version 1.0.1g or above.
3) Check the state of your SSL configuration for your website and mail services. You can use this SSL checker and CheckTLS for mail servers. This bug is the least of your worries if you are using the technology badly in the first place.
4) Take a look at the more technical Q&A at https://heartbleed.com/ if you have further questions about the bug or how to remediate it.
We enjoy helping our customers each and every day.