Internet Wide Security Issues: HeartBleed

Transaction Security

Transaction Security

Doing Any Business/Transactions Online

You may have noticed your internet connection is slow today, or you’re having problems sending eMail this week. You’re not the only one. That’s because there’s a bug in a piece of software that is widely used by many companies across the board for internet connectivity. It’s called OpenSSL.

It’s important to understand how THIS AFFECTS YOU as a casual user of the internet and why it’s so serious.

OpenSSL manages security behind the scenes for your secured connections while you’re surfing on the internet and doing your day to day business or personal activities. That’s social media, logging into your own blog, even your email servers probably run on OpenSSL.

It most probably also affects your Bank Account, and potentially any secured transaction you use online, from paying a bill, looking at your checking account balance, or buying that perfect Teapot on eBay. Even paying for an app on your phone could be impacted. It’s that wide spread.

And don’t get a false sense of security thinking you can go from your PC to do what you need to do on your phone. It probably impacts everything you do there too. You can’t get around this, unfortunately.

Have you been told that you should NEVER send passwords or personal information through a web page unless you see the “HTTPS” in the address bar (ie: https://mybank.com/login)? That is controlled by SSL security and OpenSSL is the most popular company to offer secured socket connectivity. So this does affect you even though you don’t see it happening.

The bug, dubbed ‘HeartBleed’ is based on a fault in functionality contained within OpenSSL. It was originally discovered by Neel Mehta from Google. In general: The flaw can potentially be used to reveal not just the contents of a secured-message, such as a credit-card transaction over HTTPS, but the primary and secondary SSL keys themselves. This data could then, in theory, be used as a skeleton keys to bypass secure servers without leaving a trace that a site had been hacked.

When the bug is exploited the attacker can retrieve memory (up to 64kb) from the remote system. This memory may contain usernames, passwords, keys or other useful information that enables bigger attacks. An attacker may for example be able to retrieve the keys and secrets used to encrypt traffic and then intercept and read the communications of all other users of that service. There are all kinds of variations that might be possible based on the ability to read this memory. 64kb may not seem like a great deal of data, but of course the attacker can connect repeatedly and progressively collect more information.

What should you do to protect your services?
First of all, if you’re a user who is doing business online, or hosting your own website on someone else’s server, there’s not much you can do but be cautious. Your host providers for your website and email, the System Administrators, are the ones who have work to do.

  1. Check whether your website, apps or any products use OpenSSL and whether they are vulnerable to the attack. There is a neat site at http://filippo.io/Heartbleed where you can run a check.
  2. Update OpenSSL to the latest version which fixes the defect – this is not an automatic process in many cases. See the SecurityAdvisory_20140407 for more information.
  3. Check the state of the your SSL configuration for your website and mail services. You can use this SSL checker and CheckTLS for mail servers. This bug is the least of your worries if you are using the technology badly in the first place.

Until then, be cautious of your own internet security connections. If you can avoid doing any financial transactions through the entire week, you might want to do so. Better to be inconvenienced for a week or so, than to have your account information stolen along with everything you have stored in your bank accounts.

Check the HeartBleed Update too!

© 1997-2014 Springwolf, D.D., Ph.D., Springwolf's Kosmos. All Rights Reserved.
© 1997-2014 Springwolf, D.D., Ph.D., Springwolf’s Kosmos. All Rights Reserved.

 

Leave a Reply