Heartbeat Heartbleed Bug Breaks Internet Security Again

Apr 8 2014, 1:56pm CDT | by

Heartbeat Heartbleed Bug Breaks Worldwide Internet Security Again (And Yahoo)
Photo Credit: Forbes

Most of the time most people are blissfully unaware that secure communication is even happening. Whether you are a consumer accessing your Internet bank site, using a mobile application to log in and share data, or trading online, most of our use of modern technology involves this key capability, and without it trust on the Internet is significantly undermined. A new bug once again puts trust on the Internet at risk on a significant scale. The bug, dubbed ‘Heartbleed’, is based on a fault in the heartbeat functionality of the widely used OpenSSL library. It was originally discovered by Neel Mehta of Google Security. This library is extremely widely used, from security vendors’ products to secure web browsing (when you log in to a site and see https://) and even mobile banking applications. The Apache web server, which powers a substantial part of the Internet, tends to use OpenSSL. You may be using it at your business right now, and many popular services like Yahoo have been shown to be vulnerable (see the image below).

So what exactly does this bug do and why should you care? There are numerous technical write-ups (with excellent detail, one of my favourites being this one), but for the rest of the Internet community the problem is as follows. When the bug is exploited the attacker can retrieve memory (up to 64kb) from the remote system. This memory may contain usernames, passwords, keys or other useful information that enables bigger attacks. An attacker may, for example, be able to retrieve the keys and secrets used to encrypt traffic and then intercept and read the communications of all other users of that service. There are all kinds of variations that might be possible based on the ability to read this memory. 64kb may not seem like a great deal of data, but of course the attacker can connect repeatedly and progressively collect more information. This is a serious problem indeed. If you want to mitigate the issue on your systems, skip to the end of the article.
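The reason the leak is capped at 64kb is that a TLS heartbeat message carries a 16-bit payload length field, and the faulty code copied that many bytes back to the sender without checking how many bytes had actually arrived. The following is an added example, not code from the article or from OpenSSL: a small parser for the heartbeat message layout (type byte, two-byte length, payload, at least 16 bytes of padding) that applies the bounds check the vulnerable versions lacked, with two constructed sample records, one well-formed and one that claims far more payload than it carries.

```python
import struct

# TLS heartbeat message layout: 1 byte type, 2 byte big-endian payload_length,
# payload, then at least 16 bytes of padding (RFC 6520).
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16
# The length field is 16 bits, so the largest amount a single malformed
# message could ever cause to be copied is 65535 bytes, i.e. "up to 64kb".
MAX_CLAIMED_LENGTH = 0xFFFF


def parse_heartbeat(record: bytes) -> bytes:
    """Return the payload of a heartbeat record, or raise ValueError.

    The payload_length field is chosen by the remote peer, so the copy must be
    bounded by the bytes actually received, never by the claimed length alone.
    """
    if len(record) < 3:
        raise ValueError("record too short to hold type and length fields")
    hb_type = record[0]
    (payload_length,) = struct.unpack("!H", record[1:3])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise ValueError(f"unknown heartbeat type {hb_type}")
    # Defensive check: type + length + claimed payload + mandatory padding must
    # fit inside the record that arrived. A record failing this is the
    # Heartbleed shape and must be dropped rather than answered.
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        raise ValueError(
            f"claimed payload of {payload_length} bytes does not fit in a "
            f"{len(record)}-byte record; refusing to read past the buffer"
        )
    return record[3:3 + payload_length]


def is_well_formed(record: bytes) -> bool:
    """Convenience wrapper: True if the record passes the bounds check."""
    try:
        parse_heartbeat(record)
        return True
    except ValueError:
        return False


# Constructed sample records (not captured traffic).
PAYLOAD = b"hello"
WELL_FORMED = (
    bytes([HEARTBEAT_REQUEST])
    + struct.pack("!H", len(PAYLOAD))
    + PAYLOAD
    + b"\x00" * MIN_PADDING
)
# Same 5-byte payload, but the length field claims the 16-bit maximum.
MALFORMED = (
    bytes([HEARTBEAT_REQUEST])
    + struct.pack("!H", MAX_CLAIMED_LENGTH)
    + PAYLOAD
    + b"\x00" * MIN_PADDING
)

if __name__ == "__main__":
    print("well-formed record payload:", parse_heartbeat(WELL_FORMED))
    try:
        parse_heartbeat(MALFORMED)
    except ValueError as err:
        print("malformed record rejected:", err)
```

A copy loop that trusted the claimed length would, on the malformed record, read roughly 65 kilobytes beyond the five bytes that were actually sent; repeating the request gives the attacker a fresh slice of process memory each time, which is why the article stresses that the 64kb figure is per message rather than a hard ceiling on what can be gathered.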

There has already been a flurry of reporting and panic over the issue (see #heartbleed). The defect has been in the code for over 2 years, and many are surprised that the bug has only just been found now, particularly as the OpenSSL code is open source and has been reviewed by quite a substantial number of people. This speaks to the challenge of writing secure software and bug hunting, but also perhaps highlights that there should be more systematic review of software which is so critical to all of our security and trust online.

This is certainly not the first defect of this sort in recent times that has undermined the fundamental trust system of the Internet, and it is very unlikely to be the last. Unfortunately, when these faults are found people do not typically react quickly and apply the fixes, leaving substantial opportunities for attackers. There has been a long string of problems with SSL (which provides the secure connection you use to connect to your bank or other services, often indicated with ‘https://’), ranging from software defects to policy and security issues with the certificate authorities (of which there are a very large number). There have been instances of attackers getting their hands on certificates that let them pose as Facebook or even banks. That said, whilst this particular attack is a flaw in the technology, in many cases it is businesses’ tardiness with patching or failure to make the right configuration choices that is the larger issue.

What should you do to protect your services?

  1. Check whether your website, apps or any products use OpenSSL and whether they are vulnerable to the attack. There is a neat site at http://filippo.io/Heartbleed/ where you can quickly run the check.
  2. Update OpenSSL to the latest version which fixes the defect – this is not an automatic process in many cases. See the advisory here.
  3. Check the state of your SSL configuration for your website and mail services. You can use this SSL checker and CheckTLS for mail servers. This bug is the least of your worries if you are using the technology badly in the first place.
  4. Take a look at the more technical Q&A at http://heartbleed.com/ if you have further questions about the bug or how to remediate it.
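Steps 1 and 2 start with knowing which OpenSSL build a host is running. The script below is an added example, not code from the article or from the OpenSSL project: it parses the banner printed by `openssl version` and classifies it against the affected range. The range encoded in the constants (the 1.0.1 series before 1.0.1g, plus the first 1.0.2 beta) is an assumption of this example taken from the OpenSSL advisory the article links to, not from the page itself, so confirm it against that advisory before relying on it. The caveat the code spells out is the one that bites in practice: Linux distributions backport fixes without bumping the upstream version letter, so a "vulnerable" result from the banner alone means "check the package changelog", not "confirmed vulnerable".

```python
import re
import subprocess

# Affected range assumed by this example (verify against the OpenSSL advisory):
#   - 1.0.1 up to and including 1.0.1f  -> affected, fixed in 1.0.1g
#   - 1.0.2-beta1                        -> affected
#   - 1.0.0.x and 0.9.8.x                -> not affected (no TLS heartbeat code)
VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?"
)


def parse_openssl_version(banner: str):
    """Turn 'OpenSSL 1.0.1f ...' into (major, minor, fix, letter, beta_or_None)."""
    match = VERSION_RE.search(banner)
    if not match:
        raise ValueError(f"could not find an OpenSSL version in: {banner!r}")
    major, minor, fix, letter, beta = match.groups()
    return (int(major), int(minor), int(fix), letter, int(beta) if beta else None)


def is_affected(version) -> bool:
    """True if the upstream version string falls in the assumed affected range."""
    major, minor, fix, letter, beta = version
    if (major, minor, fix) == (1, 0, 1):
        # Letters sort alphabetically: '' (plain 1.0.1) and 'a'..'f' are
        # before 'g', the first fixed release.
        return letter < "g"
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1
    return False


def assess(banner: str) -> dict:
    """Classify a banner and attach the backport caveat where it matters."""
    version = parse_openssl_version(banner)
    affected = is_affected(version)
    note = ""
    if affected:
        note = (
            "version string is in the affected range; distribution packages "
            "often backport the fix without changing this string, so confirm "
            "with the package changelog or a rebuild before concluding"
        )
    return {"version": version, "affected_by_version": affected, "note": note}


def local_openssl_banner() -> str:
    """Run `openssl version` on this host (requires the openssl CLI)."""
    result = subprocess.run(
        ["openssl", "version"], capture_output=True, text=True, check=True
    )
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed banners for demonstration; the last line checks the real host.
    for sample in ("OpenSSL 1.0.1e", "OpenSSL 1.0.1g", "OpenSSL 1.0.2-beta1",
                   "OpenSSL 1.0.0l", "OpenSSL 0.9.8y"):
        print(sample, "->", assess(sample))
    try:
        print("this host ->", assess(local_openssl_banner()))
    except (FileNotFoundError, subprocess.CalledProcessError) as err:
        print("could not query local openssl:", err)
```

Run it on each server, and for anything flagged also check the build date printed by `openssl version` and the distribution package version; once a patched library is installed, remember that services keep the old copy mapped until they are restarted.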

If you have any questions please feel free to leave a comment or find me on Twitter at @jameslyne

Author: Forbes
Forbes is among the most trusted resources for the world's business and investment leaders, providing them the uncompromising commentary, concise analysis, relevant tools and real-time reporting they need to succeed at work, profit from investing and have fun with the rewards of winning.