Huge SSL flaw puts millions at risk: What you need to know

The OpenSSL library, the cryptographic toolkit behind an estimated two-thirds of the web, has just patched a serious and far-reaching vulnerability that could allow an attacker to snoop on your sensitive data completely undetected.

This alarming flaw is one of the most far-reaching we’ve seen. While official details on the vulnerability are bare-bones, Codenomicon has put together a brilliant FAQ that gets into the details of what they’re calling “The Heartbleed Bug.”

So, what is it?

First off, it’s important to know what this bug entails. According to OpenSSL’s disclosure:

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64KB of memory to a connected client or server

This affects all versions of OpenSSL 1.0.1 through 1.0.1f.

While 64KB is hardly a lot of memory, Codenomicon found that:

  • the flaw can be exploited to reveal secret keys and the data they protect: usernames, passwords, emails, instant messages, some VPNs, critical business files and more
  • there is no trace left of an attack when this information is taken
  • it can be exploited by anyone with an Internet connection, and
  • the limit of 64KB is only for a single attack – a hacker can keep reconnecting to get various 64KB chunks until enough information is revealed (and because it’s undetectable, it wouldn’t raise any suspicions if they did).
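To make "a missing bounds check" concrete, here is an added illustration that is not code from OpenSSL or from this article: a simplified, hypothetical heartbeat handler in two forms. The unchecked form trusts the length field the peer supplies and copies that many bytes, so its reply carries whatever sat in memory after the short record it actually received; the checked form compares the claimed length with the record length first and silently drops anything that does not add up, which is the shape of the fix. The record layout follows RFC 6520 (type, two-byte length, payload, padding); the "arena" and the "secret" bytes are constructed demo data, not real keys.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical model of a TLS heartbeat request (RFC 6520 layout):
 *   byte 0     : type (1 = request, 2 = response)
 *   bytes 1..2 : payload_length, big-endian, chosen by the peer
 *   bytes 3..  : payload, followed by 16 bytes of padding
 * The record sits at the start of a static "arena" standing in for process
 * memory; everything after it is constructed demo data the peer should never see. */
#define HDR_LEN     3
#define PAD_LEN     16
#define ARENA_SIZE  (HDR_LEN + 65535 + PAD_LEN)   /* large enough for any 16-bit length */

static unsigned char arena[ARENA_SIZE];
static const char secret[] = "demo-secret-not-a-real-key";   /* constructed */

/* Write a request claiming `claimed` payload bytes but carrying only `actual`,
 * then fill the rest of the arena with the demo secret. */
static void build_arena(uint16_t claimed, size_t actual) {
    memset(arena, 0, sizeof arena);
    arena[0] = 1;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memset(arena + HDR_LEN, 'A', actual);
    for (size_t i = HDR_LEN + actual + PAD_LEN; i < ARENA_SIZE; i++)
        arena[i] = (unsigned char)secret[i % (sizeof secret - 1)];
}

/* Vulnerable shape: the claimed length is never compared with record_len. */
static int heartbeat_unchecked(const unsigned char *rec, size_t record_len,
                               unsigned char *out, size_t out_cap) {
    (void)record_len;                                    /* <- the missing bounds check */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HDR_LEN + payload + PAD_LEN > out_cap) return -1;  /* demo-only guard on the reply buffer */
    out[0] = 2;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HDR_LEN, rec + HDR_LEN, payload);       /* copies past the real record into adjacent memory */
    memset(out + HDR_LEN + payload, 0, PAD_LEN);
    return HDR_LEN + payload + PAD_LEN;
}

/* Fixed shape: reject any request whose claimed length exceeds what actually arrived. */
static int heartbeat_checked(const unsigned char *rec, size_t record_len,
                             unsigned char *out, size_t out_cap) {
    if (record_len < HDR_LEN + PAD_LEN) return -1;       /* too short to be a valid request */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HDR_LEN + payload + PAD_LEN > record_len) return -1;  /* the bounds check: discard silently */
    if ((size_t)HDR_LEN + payload + PAD_LEN > out_cap) return -1;
    out[0] = 2;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HDR_LEN, rec + HDR_LEN, payload);       /* now provably inside the received record */
    memset(out + HDR_LEN + payload, 0, PAD_LEN);
    return HDR_LEN + payload + PAD_LEN;
}

/* Length of the reply (or -1 if dropped) for one request with `claimed` vs `actual` bytes. */
static int response_len(int checked, uint16_t claimed, size_t actual) {
    static unsigned char out[ARENA_SIZE];
    build_arena(claimed, actual);
    size_t record_len = HDR_LEN + actual + PAD_LEN;
    return checked ? heartbeat_checked(arena, record_len, out, sizeof out)
                   : heartbeat_unchecked(arena, record_len, out, sizeof out);
}

/* Number of reply payload bytes that did not come from the record the peer sent. */
static size_t leaked_bytes(int checked, uint16_t claimed, size_t actual) {
    int n = response_len(checked, claimed, actual);
    if (n < 0) return 0;
    size_t payload = (size_t)n - HDR_LEN - PAD_LEN;
    return payload > actual ? payload - actual : 0;
}

int main(void) {
    printf("unchecked, 5 bytes sent, 65535 claimed: %zu bytes leaked\n", leaked_bytes(0, 65535, 5));
    printf("checked,   5 bytes sent, 65535 claimed: %zu bytes leaked (reply %d)\n",
           leaked_bytes(1, 65535, 5), response_len(1, 65535, 5));
    printf("checked,   5 bytes sent, 5 claimed:     reply of %d bytes\n", response_len(1, 5, 5));
    return 0;
}
```

The arena is sized so that even the largest 16-bit length stays inside it, which keeps the demo itself free of undefined behaviour while still showing the mechanism: one short request yields a reply tens of kilobytes longer than anything the peer sent, and nothing in the unchecked path records that this happened. That is why the article's "no trace left" and "keep reconnecting for more 64KB chunks" points follow directly from the single missing comparison.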

What should IT do?

First and foremost, upgrading to OpenSSL 1.0.1g is a must: it is the release that contains the fix and protects against this snooping.

Also, keep your eyes peeled for updates to other key applications and operating systems. With an estimated two-thirds of sites using OpenSSL, many applications will be releasing updated versions soon, and you may want to assign a staffer to track them.

Lastly, you may want to try a honeypot to see if anyone is attempting to exploit your network.
