Resource Articles Back to Article List

Heartbleed Bug Causes Vulnerability

You may have heard reports over the past week about a new computer vulnerability called Heartbleed. This vulnerability affects one of the common software tools used to encrypt communications between computers, OpenSSL.

OpenSSL is an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption protocols. Companies may use OpenSSL in many network installations, such as VPN, messaging applications, email servers, web servers, and other systems.

The Heartbleed vulnerability entails an error in the way that OpenSSL handles “heartbeat requests.” These heartbeat requests allow computers to secure communication links between one another by sending specific messages. The affected versions of OpenSSL do not properly handle these messages. An attacker can send a specific message to an affected computer to allow certain contents of system memory to be exposed.

This can allow an attacker to obtain the private encryption key, which would allow that attacker to decrypt communications. Attackers could also potentially obtain login credentials, cookies, and other data that the affected system may have stored in memory. Many experts are considering this vulnerability one of the worst vulnerabilities found due to the wide use of OpenSSL.

Companies should upgrade any vulnerable systems as soon as possible (following appropriate change and patch management procedures), revoke and reissue any affected SSL certificates, and communicate with all applicable service providers and vendors that they rely on to ensure that any affected vendor systems are also upgraded and monitored.

This vulnerability also potentially affects several versions of the Android mobile device operating system, as well as many popular websites. Businesses and their employees should take steps to ensure that all passwords have been changed and that any potentially vulnerable computers and devices have been upgraded and/or patched.

Also, ensure that you are using strong passwords, that they are not written down, and that you change your passwords regularly. Also, consider clearing your web browser’s cache, cookies, and history; monitoring any online services (such as banking, social media, and e-commerce) closely for unusual or inappropriate activity; and enabling two-factor authentication for any websites and online services that support it.