The Heartbleed Bug is a major, and I do mean seriously “MAJOR”, security flaw in the widely used OpenSSL cryptographic software library. This bug allows anyone on the Internet to read the memory of systems that are protected by OpenSSL. The bug was introduced in December 2011 and has been lurking out there since the 1.0.1 release of OpenSSL on 14th March 2012.
For the technically inclined, there’s plenty more information at www.heartbleed.com
What does that mean to me?
A vast majority of systems online, i.e. email, websites, IMs, banking and pretty much most services online that are protected by OpenSSL, are at serious risk. So essentially anything you do online that requires you to log in, including most apps on your mobile phone, is potentially unsafe. By using any of these services you could be putting your details out in the open for anyone to see, steal and use.
Due to the nature of the access one can gain because of this bug, it is very hard, if not impossible, to detect the breach. If it has happened, we wouldn’t really know it.
Should I panic?
Despite the scary-sounding prognosis above, the short answer is: No. There are currently two kinds of people out there working very hard, day and night: people that are trying to fix this bug and people that are trying to exploit this bug.
- People trying to fix it (good guys) only need to update their systems with OpenSSL 1.0.1g, released on 7th April 2014. Trust me, it’s far easier said than done, but not as slow as it is for the bad guys.
- People trying to exploit it (bad guys) can’t just do so in one go and steal all the information. They can only do this in chunks of 64 KB per attempt. This means they have to keep repeating the attack many thousands of times to make it worthwhile. That takes time. A lot of time!
- Also, attackers are often not interested in the stolen data itself; they seek to sell this data. They have to find buyers, and that again takes time.
What do I do?
To what extent the damage has already been done we will not know for quite a while. However, there are a few things you can do at this point in time to mitigate, or at least minimise, the damage.
- While changing your passwords immediately sounds like the obvious step to take, I would recommend holding off for just a few more days. With most systems still being patched (it’s a painfully long process), changing your password on a still-vulnerable system will not really help. So give it a few days and then go change every password, PIN and login detail of every service you use online.
- For now (I know this is not going to be easy), avoid as best you can using online services, especially ones that require credit card details and other banking details.
- And finally, if they haven’t already started, get your IT department, IT support providers and/or system administrators to immediately update your networks and servers with the latest version of OpenSSL, 1.0.1g.
For more information and/or help, feel free to contact us on heartbleed @ vocatys . com. Also pass this information along to other peeps in your network who could benefit from it.