Heartbleed Bug - What you need to know

What you need to know about the “Heartbleed Bug”:

The Heartbleed Bug is a vulnerability that allows an attacker to send a message to a web server and receive back a portion of the server's memory from your visit to that website. That bit of memory could contain usernames, passwords, encryption keys, etc. If the request is repeated many times, a great deal of sensitive information could be gathered and used for the wrong purpose.

Any website running OpenSSL is at risk. OpenSSL is the software that creates a secure, encrypted session between your computer and a given website's server (for example, online shopping or banking). You can identify a website using SSL by noticing that http:// changes to https:// in the website address. OpenSSL is said to be running on 66% of all Internet servers.

The term "heartbleed" was coined because the message being sent is a heartbeat, or keep-alive packet, which lets a secure connection stay open; a malformed heartbeat causes the server to bleed out whatever vital information is sitting in its memory.
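To show why a single keep-alive message can leak memory, here is an added illustration (not OpenSSL's code) modelled on the heartbeat record format: a type byte, a two-byte declared payload length, the payload, and at least 16 bytes of padding. The handler names, the 64-byte arena and the "SECRET-KEY" bytes placed after the request are all constructed for this example; the hardened handler applies the same kind of length check the OpenSSL fix added.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Hypothetical handler modelled on the unpatched behaviour: it trusts the
 * peer's declared payload length and copies that many bytes into the reply,
 * reading past the end of the bytes actually received if the length is
 * inflated. Returns the number of response bytes written, or 0 on failure. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_len)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_len) return 0;      /* only the output buffer is checked */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);     /* over-read when payload > rec_len - 3 */
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Hardened handler: reject any record whose declared payload (plus header
 * and padding) does not fit inside the bytes that were really received. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_len)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > rec_len || resp_len > out_len) return 0;  /* silently drop */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Constructed demonstration: a 64-byte arena holds a 21-byte heartbeat request
 * that claims a 32-byte payload but carries only "hi", followed by unrelated
 * data that is not part of the record. Returns 1 if that data ends up in the reply. */
int demo_leaks_secret(int use_fixed)
{
    unsigned char arena[64] = {0}, out[128];
    const unsigned char req[21] = { HB_REQUEST, 0x00, 0x20, 'h', 'i' };
    memcpy(arena, req, sizeof req);
    memcpy(arena + 21, "SECRET-KEY", 10);          /* bytes beyond the record */
    size_t n = use_fixed ? heartbeat_fixed(arena, 21, out, sizeof out)
                         : heartbeat_vulnerable(arena, 21, out, sizeof out);
    return n > 21 + 10 && memcmp(out + 21, "SECRET-KEY", 10) == 0;
}
```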

Action needed:

  • Whether or not you are contacted directly to do so, consider changing your password on sites that have been affected by the vulnerability. There are links below to help figure that out.
  • Ignore attempts from phishers or other scam artists to get you to reset passwords or patch systems. Generally, try to avoid clicking any links within the emails you receive. For instance, if website xyz.com contacts you about changing your password and gives you a link to do so, instead of clicking on the link, open a new window and go to xyz.com directly to change your password.
  • If you are a website or server administrator, upgrade any old OpenSSL installations in your environment (https://www.openssl.org/). For example: servers, firewalls, VPN concentrators – pretty much anything that uses a secure web connection with OpenSSL.

Useful links:

Here is a list of sites that could be affected: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/?utm_cid=mash-com-fb-main-link

The site dedicated to the entire issue: http://heartbleed.com/

For a technical explanation, watch this video: http://vimeo.com/91425662

The actual MITRE listing is here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

Here are a few tools to determine if a site has the heartbleed bug:

https://lastpass.com/heartbleed/

http://heartbleed.criticalwatch.com/

https://www.ssllabs.com/ssltest/

For any questions or additional information, contact Brian Schaeffer of FOS or Pavel Kolenda of Herbein + Company, Inc.

Brian Schaeffer: [email protected]

Pavel Kolenda: [email protected]