“These data leaks just give me creeps
Those criminals are getting the peeks
Because now they have the keys
Oh OpenSSL, you make my heartbleed… you make my Passwords leak!!”
(If you want to expand this poem, use the comments section)
The recently unearthed ‘Heartbleed’ bug quite figuratively makes my heart bleed. The bug in OpenSSL exposes sensitive information, including private keys, usernames and passwords, from the applications running on an affected OpenSSL server, and that exposure reaches roughly two-thirds of the online population. OpenSSL is an open-source implementation of the “secure socket layer” (SSL/TLS) encryption used to secure traffic on the Internet.
The ‘HTTPS’ and the ‘padlock symbol’ in the web browser address bar are what tell you that a website uses SSL/TLS encryption, which on a large share of servers is provided by OpenSSL (ironically, the “secure” layer).
What really happened?
When released two years ago (March 14, 2012), OpenSSL version 1.0.1 contained a mundane programming bug that went unnoticed until last Sunday (April 6). On that day, security researchers from Codenomicon and Google discovered it and published the details on heartbleed.com. The flaw is present in every version from 1.0.1 through 1.0.1f; version 1.0.1g (released on 7 April 2014) fixes it.
The coding flaw exposes a chunk of up to 64 KB of server memory on each request, which is large enough to leak the private key protecting the traffic of any affected website, along with usernames and passwords. To read more, see the write-up by the researchers who disclosed the vulnerability and named it “Heartbleed” (the bug lives in OpenSSL’s implementation of the TLS Heartbeat extension, RFC 6520).
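To make the Heartbeat bug concrete, here is an added example in Python (my own code, not from the original post or from OpenSSL) that parses a Heartbeat message as RFC 6520 lays it out and applies the length check that the vulnerable versions omitted; the function names and the sample messages are my own construction.

```python
import os
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16       # RFC 6520: padding_length MUST be at least 16
MAX_MESSAGE = 1 << 14  # a HeartbeatMessage must not exceed 2^14 bytes

def parse_heartbeat(record: bytes) -> Tuple[int, bytes]:
    """Parse one HeartbeatMessage from the plaintext of a TLS record.

    Layout (RFC 6520): type (1 byte), payload_length (2 bytes, big-endian),
    payload[payload_length], padding[>= 16]. Raises ValueError for any message
    the receiver must silently discard.
    """
    if len(record) > MAX_MESSAGE:
        raise ValueError("heartbeat larger than the 2^14 byte limit")
    if len(record) < 1 + 2 + MIN_PADDING:
        raise ValueError("record too short for type, length and 16 bytes of padding")
    msg_type = record[0]
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise ValueError("unknown heartbeat type %d" % msg_type)
    (payload_length,) = struct.unpack("!H", record[1:3])
    # The fix: the declared payload plus mandatory padding must fit inside the
    # bytes actually received. OpenSSL 1.0.1 through 1.0.1f skipped this check
    # and copied payload_length bytes from memory beyond the record.
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        raise ValueError("payload_length %d exceeds the %d-byte record"
                         % (payload_length, len(record)))
    return msg_type, record[3:3 + payload_length]

def build_heartbeat(msg_type: int, payload: bytes, padding_length: int = MIN_PADDING) -> bytes:
    """Serialize a HeartbeatMessage with random padding, as RFC 6520 requires."""
    if padding_length < MIN_PADDING:
        raise ValueError("padding_length must be at least 16")
    if 1 + 2 + len(payload) + padding_length > MAX_MESSAGE:
        raise ValueError("message would exceed the 2^14 byte limit")
    return bytes([msg_type]) + struct.pack("!H", len(payload)) + payload + os.urandom(padding_length)

def respond_to_heartbeat(record: bytes) -> Optional[bytes]:
    """Server side: echo the payload of a well-formed request, drop anything else."""
    try:
        msg_type, payload = parse_heartbeat(record)
    except ValueError:
        return None  # RFC 6520: a malformed message is discarded silently
    if msg_type != HEARTBEAT_REQUEST:
        return None
    return build_heartbeat(HEARTBEAT_RESPONSE, payload)
```

A constructed request whose length field claims 65535 bytes while the record carries only a 5-byte payload is dropped by `respond_to_heartbeat`, whereas a well-formed request gets its payload echoed back.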
Who does it affect?
If you’re wondering whether Heartbleed will impact you, the simple answer is yes. Even people who never run OpenSSL themselves will likely be affected, at least indirectly, because the services they use do. Major websites including Amazon and Yahoo were affected. Although they have since repaired their servers, you should still change your passwords for those sites. Here are some quick tips for setting a strong password.
Here’s a more complete list of web sites affected by the HeartBleed bug.
Operating systems that may have a vulnerable version of OpenSSL include Debian Wheezy, Ubuntu 12.04.4 LTS, CentOS 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2.
The “old-stable” versions of Debian Squeeze and SUSE Linux Enterprise Server are not vulnerable.
OpenSSL also underpins two of the most widely used Web servers, Apache and nginx. The code library is also used to protect email servers, chat servers, virtual private networks and other networking appliances.
Note: PerfectCloud customers can relax since we don’t use OpenSSL.
So there is a bug and almost two-thirds of the internet is affected, what can you do about it?
OpenSSL fixed the programming flaw and released the corrected version, 1.0.1g, on 7 April 2014.
If you’re a Service Provider:
- Protect your client data by preemptively turning off your Sync Service: stopping all communication to your servers closes the window for a breach while you patch.
- Deploy the updated OpenSSL libraries.
- Then revoke and reissue all your SSL certificates with freshly generated private keys; renewing a certificate on the old, possibly leaked key gives no protection.
- Log out all users so that everyone creates new, secure connections, since existing session tokens may also have been leaked.
If you’re a User:
- Find out which of the services you use were affected and check whether the provider has fixed it by deploying the corrected version of OpenSSL. This is a list of websites affected by the bug. For sites not on the list, these two tools let you check: the Qualys SSL Labs server test and Filippo Valsorda’s Heartbleed test.
- Change your passwords once the fix is deployed on the service provider’s server. Changing a password on a still-vulnerable server makes no sense, because the new password can be leaked just like the old one.
This issue has exposed a major part of the internet for over two years, and guess who could have been hacking away at all this exposed data? NSA *cough* *cough*
Last piece of advice: understand that the phrase “Internet Security” is an oxymoron. Even the most secure services can be breached or hacked, depending on the intentions of the hacker. The best way to remain safe is to take all the precautions you can. Here is a security guide to protect your company without spending a fortune.
As for PerfectCloud, we take security seriously, and all our servers and services are regularly updated against security issues. Our encryption technology is an algorithm we created jointly with GANITA Labs at the University of Toronto; it provides the highest level of security because of its unique key management and encryption architecture. Simply put, even if one account on our service is compromised, it will not affect anyone else, because our security architecture compartmentalizes the server and eliminates the domino effect.