Most of you have probably heard about the Heartbleed security flaw that has been making big news the last few days. Jason Steuernagel, the Principal of Momentum Technology Group, spent some time reviewing the security flaw and provided us with this information.
What is Heartbleed?
Heartbleed (CVE-2014-0160) is a vulnerability in OpenSSL, the cryptographic library that many major websites use, ironically, to secure the channel between your device and the website. The bug is in OpenSSL's implementation of the TLS "heartbeat" extension: a client can send a heartbeat request that claims its payload is far larger than the few bytes it actually sent, and an affected server copies that many bytes out of its own memory into the reply, up to about 64 KB per request, with no authentication needed and no limit on how often the attacker can repeat it. What comes back is whatever happened to be sitting next in the server process's memory, so it is hit-or-miss and often junk, but it can include session cookies, other users' usernames and passwords, or even the server's private key, if those are in memory at the time of the attack.
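To make the mechanism concrete, here is an added example (not code from the original post or from OpenSSL itself) that models the heartbeat exchange in Python. It builds the request a scanner would send, claiming a 256-byte payload while actually sending 5 bytes, and runs it through a handler with the pre-1.0.1g logic and one with the length check that the fix added. The "process memory", the secret placed in it, and the offsets are constructed for the demonstration; a real attacker claims the maximum of 65,535 bytes.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
HB_PADDING = 16          # RFC 6520: at least 16 bytes of padding follow the payload

# Constructed stand-in for something sensitive lying in the server's heap.
SECRET = b"-----BEGIN RSA PRIVATE KEY----- (constructed)"


def build_heartbeat(claimed_len, payload):
    """Heartbeat message: type | payload_length (big-endian 16-bit) | payload | padding.
    An honest peer sets claimed_len == len(payload); the attack sets it larger."""
    return (bytes([HB_REQUEST]) + struct.pack("!H", claimed_len)
            + payload + b"\x00" * HB_PADDING)


class ServerMemory:
    """Constructed model of the server process heap: the decrypted record is
    parsed in place at offset 0 and a secret happens to sit further along.
    Slicing a bytearray stands in for memcpy, so an over-read cannot crash here."""

    def __init__(self, record, secret=SECRET, secret_offset=64, size=4096):
        assert len(record) <= secret_offset, "record must not overlap the secret"
        self.mem = bytearray(size)
        self.mem[:len(record)] = record
        self.mem[secret_offset:secret_offset + len(secret)] = secret
        self.record_len = len(record)      # what the TLS record layer actually received


def vulnerable_handler(mem):
    """OpenSSL 1.0.1 - 1.0.1f: trust the length field inside the message."""
    hbtype = mem.mem[0]
    (payload_len,) = struct.unpack("!H", mem.mem[1:3])
    if hbtype != HB_REQUEST:
        return None
    # memcpy(bp, pl, payload) in the real code: copies payload_len bytes starting
    # at the payload, running past the end of the record into adjacent memory.
    payload = bytes(mem.mem[3:3 + payload_len])
    return (bytes([HB_RESPONSE]) + struct.pack("!H", payload_len)
            + payload + b"\x00" * HB_PADDING)


def patched_handler(mem):
    """OpenSSL 1.0.1g: discard any message whose claimed length does not fit
    inside the record actually received, then behave as before."""
    if mem.record_len < 1 + 2 + HB_PADDING:        # too short to be a heartbeat
        return None
    (payload_len,) = struct.unpack("!H", mem.mem[1:3])
    if 1 + 2 + payload_len + HB_PADDING > mem.record_len:
        return None                                  # silently discard
    return vulnerable_handler(mem)


def send_heartbeat(handler, claimed_len, payload=b"hello"):
    """Deliver one heartbeat request to a server modelled by `handler`."""
    return handler(ServerMemory(build_heartbeat(claimed_len, payload)))


def leaked_secret(response):
    """True if bytes the client never sent came back in the reply."""
    return response is not None and SECRET in response


if __name__ == "__main__":
    # Attacker: claims 256 bytes, sends 5. (Real exploits claim 65535; 256 just
    # keeps the read inside this small model heap.)
    print("vulnerable server leaks secret:", leaked_secret(send_heartbeat(vulnerable_handler, 256)))
    print("patched server replies:", send_heartbeat(patched_handler, 256))
    print("patched server answers honest request:", send_heartbeat(patched_handler, 5)[3:8])
```

The point to notice is that the patched handler is the same code plus one comparison against the length the record layer knows, which is why the fix was tiny and why the bug survived two years: nothing about the request looks malformed to the TLS layer, and the reply is a perfectly well-formed heartbeat response.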
What does this affect?
OpenSSL is used by a large majority of websites. The widely quoted 66% figure counts every active site running web servers built on OpenSSL (Apache and nginx together, per Netcraft's April 2014 survey), so it is an upper bound on exposure rather than a count of vulnerable sites: only OpenSSL 1.0.1 through 1.0.1f contain the bug, and servers still on the older 0.9.8 or 1.0.0 branches, or built with the heartbeat extension disabled, are not affected.
Is this new?
Unfortunately this vulnerability is not new. The bug was introduced in OpenSSL 1.0.1, released in March 2012, and was only discovered and announced on 7 April 2014, so it could have been exploited at any point over the last 2 years. The security flaw also leaves no trace when exploited: a heartbeat request does not show up in ordinary web server logs, so sites that have been vulnerable have no way of checking whether they were exploited or what information could have been compromised, short of having kept full packet captures.
Is There A Fix?
There is a fix for the vulnerability: OpenSSL 1.0.1g, released on 7 April 2014, and the major Linux distributions have shipped patched packages. Site admins are scrambling right now to deploy it, but it will take some time because of how many sites and systems are affected. Patching alone is not enough for a site that was exposed: since the server's private key may have been read out of memory, the site should also have a new certificate issued and the old one revoked, and expire existing sessions, before asking users to change their passwords.
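As an added check for admins (not from the original post), the function below classifies the output of `openssl version -a` as unaffected, vulnerable, fixed, or needing a closer look. The sample outputs are constructed, not captured from real hosts, and the layout of the `built on:` line is assumed from typical output. The build-date rule is a heuristic for distributions such as Debian and Ubuntu that backported the fix without changing the version letter (a 1.0.1e built after 7 April 2014 is probably patched); the authoritative check on such systems is the package changelog for CVE-2014-0160.

```python
import re
from datetime import date

# OpenSSL releases that carry the bug: 1.0.1 through 1.0.1f (and 1.0.2-beta1).
# 1.0.1g, released 7 April 2014, is the fix; 0.9.8 and 1.0.0 never had the
# heartbeat code at all.
FIX_RELEASE_DATE = date(2014, 4, 7)
VULNERABLE_LETTERS = ("", "a", "b", "c", "d", "e", "f")
MONTHS = {name: i for i, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d+)?")
# Assumed layout: "built on: Tue Jun  4 07:26:06 UTC 2013"
BUILT_ON_RE = re.compile(
    r"built on:.*?\b(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b"
    r"\s+(\d{1,2})\b.*?\b(\d{4})\b")


def classify(version_output):
    """Classify `openssl version -a` text as unaffected / vulnerable / fixed /
    check-backport / unknown, returning (status, reason)."""
    m = VERSION_RE.search(version_output)
    if not m:
        return "unknown", "no OpenSSL version string found"
    series = (int(m[1]), int(m[2]), int(m[3]))
    letter, beta = m[4], m[5] or ""
    label = m[0]
    if series < (1, 0, 1):
        return "unaffected", f"{label} predates the heartbeat extension"
    if series == (1, 0, 2) and beta == "-beta1":
        return "vulnerable", f"{label} carries the bug (fixed in 1.0.2-beta2)"
    if series > (1, 0, 1) or letter not in VULNERABLE_LETTERS:
        return "fixed", f"{label} is 1.0.1g or later"
    # Version says vulnerable; a build date on or after the fix suggests a
    # distribution backport, which the version letter does not reveal.
    b = BUILT_ON_RE.search(version_output)
    if b:
        built = date(int(b[3]), MONTHS[b[1]], int(b[2]))
        if built >= FIX_RELEASE_DATE:
            return ("check-backport",
                    f"{label} is in the affected range but was built on {built}; "
                    "confirm the backport via the package changelog for CVE-2014-0160")
    return "vulnerable", f"{label} is in the affected range 1.0.1 - 1.0.1f"


# Constructed samples of `openssl version -a` output (not from real hosts).
SAMPLES = {
    "debian_old": "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Tue Jun  4 07:26:06 UTC 2013\nplatform: debian-amd64",
    "debian_rebuilt": "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Mon Apr  7 20:33:29 UTC 2014\nplatform: debian-amd64",
    "upstream_fixed": "OpenSSL 1.0.1g 7 Apr 2014\nbuilt on: Mon Apr  7 16:12:48 UTC 2014",
    "legacy": "OpenSSL 0.9.8y 5 Feb 2013",
    "beta": "OpenSSL 1.0.2-beta1 24 Feb 2014",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        status, why = classify(text)
        print(f"{name:15} {status:15} {why}")
```

Run it against real output with `openssl version -a | python3 check.py` after replacing the sample loop with `classify(sys.stdin.read())`. Remember that a web server keeps the library it loaded at start-up: after upgrading the package, every service linked against OpenSSL (web server, mail server, VPN, load balancer) has to be restarted, or it keeps running the vulnerable code.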
How This Affects You
It is possible that you have been affected or exposed to this vulnerability in the course of your day-to-day use of the web. For your data to have been taken, an attacker would have to have been pulling memory from a site at the same time your password or session was in that server's memory, so there is a timing component that lowers the probability somewhat but still leaves the possibility open. The exception is a site whose private key was taken: with the key, an attacker can decrypt traffic recorded earlier, unless the site used forward-secrecy cipher suites. I'm doing a review/inventory of all client networks, but OpenSSL is not something that any of you would typically be running directly on your network.
What Action To Take Now
It is actually not a good idea to start changing passwords yet. With so many affected systems still unpatched, a new password sent to a vulnerable site could be read out of its memory just like the old one. Wait until a site confirms it has patched (and, ideally, reissued its certificate), then change your password there. In the meantime it is a good idea to limit your interaction with SSL sites on the web that could be affected.
Other Heartbleed Resources
Here is another good write up regarding the vulnerability and how to protect yourself: http://ti.me/P5Y5Ix
Running List of Sites Affected: http://bit.ly/P5YBpP
Written by Jason Steuernagel
Jason is the Principal of Momentum Technology Group and works in IT consulting, IT infrastructure design and management, cloud computing, virtualization, and disaster recovery planning and implementation. Click here to see Jason’s profile on LinkedIn.