The Heartbleed Bug: What you Need to Know Now


‘A serious bug in software used by millions of web servers could have exposed anyone visiting sites they hosted to spying and eavesdropping.’

I know what I asked our team when I read this BBC headline: Are we vulnerable to the Heartbleed bug, and do we ship this with our software?

Thankfully Black Duck is safe, but some reports indicate that millions of websites may have run vulnerable versions of OpenSSL over the past two years, and the library is often embedded in server software, operating systems, and email and instant messaging platforms. In other words, the stakes are very high: the bug enables hackers to capture names and passwords, steal credit card data, and even eavesdrop on communications. Because the bug can also leak a server's private encryption keys, attackers holding those keys can intercept and read encrypted data and, unless organizations change their keys, even future traffic can be exposed. The magnitude of this vulnerability cannot be overstated. As the Heartbleed website reports:

You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company’s site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL. Many online services use TLS both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of TLS. Furthermore you might have client side software on your computer that could expose the data from your computer if you connect to compromised services.

What Do I Do Now?

The first step is to install the most up-to-date version of OpenSSL, 1.0.1g. You can also test your website to see if it’s vulnerable to attack – one such site is http://possible.lv/tools/hb/ – and be sure to keep checking the Heartbleed website for updated information. Service providers should also replace their keys and certificates, since the existing ones may have been exposed, and it’s a good idea for personal users to change their passwords for email, instant messaging, and other services once those services have been fixed.
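As an added example (not code from the original post), here is a small Python check for the first step above: it classifies the locally installed OpenSSL against the affected range the advisory gives (1.0.1 through 1.0.1f, plus 1.0.2-beta1) and, because Linux distributions shipped backported fixes under unchanged version numbers such as 1.0.1e, it downgrades a vulnerable-looking version string whose "built on:" date is on or after 7 April 2014 to "check_vendor" instead of trusting the number. The FIX_DATE heuristic and the function names are my own assumptions.

```python
import re
import subprocess
from datetime import date

# Affected per the OpenSSL advisory: 1.0.1 through 1.0.1f inclusive, plus 1.0.2-beta1.
# 1.0.1g is the first fixed release; the 1.0.0 and 0.9.8 branches never carried the
# TLS heartbeat code and are not affected.
FIX_DATE = date(2014, 4, 7)  # day the fix shipped; used only for the backport heuristic (assumption)
VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?", re.I)
BUILT_ON_RE = re.compile(
    r"built on:\s*\w{3}\s+([A-Za-z]{3})\s+(\d{1,2})\s+\d{2}:\d{2}:\d{2}(?:\s+\S+)?\s+(\d{4})", re.I)
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

def classify_openssl_version(version_line: str) -> str:
    """Map the first line of `openssl version` to vulnerable / not_vulnerable / unknown."""
    m = VERSION_RE.match(version_line.strip())
    if not m:
        return "unknown"
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4).lower(), (m.group(5) or "").lower()
    if branch == (1, 0, 1):
        # Letter suffixes sort alphabetically: "" (plain 1.0.1) .. "f" vulnerable, "g"+ fixed.
        return "vulnerable" if letter <= "f" else "not_vulnerable"
    if branch == (1, 0, 2) and beta == "beta1":
        return "vulnerable"
    return "not_vulnerable"

def parse_built_on(version_a_output: str):
    """Extract the 'built on:' date from `openssl version -a` output, or None."""
    m = BUILT_ON_RE.search(version_a_output)
    if not m or m.group(1).title() not in MONTHS:
        return None
    return date(int(m.group(3)), MONTHS[m.group(1).title()], int(m.group(2)))

def assess_local_openssl(version_a_output: str) -> dict:
    """Combine the version verdict with a backport caveat: distributions shipped patched
    builds that still report e.g. 1.0.1e, so a 'vulnerable' version string built on or
    after FIX_DATE is reported as 'check_vendor' rather than taken at face value."""
    lines = version_a_output.strip().splitlines()
    verdict = classify_openssl_version(lines[0] if lines else "")
    built = parse_built_on(version_a_output)
    if verdict == "vulnerable" and built is not None and built >= FIX_DATE:
        verdict = "check_vendor"
    return {"verdict": verdict, "built_on": built}

if __name__ == "__main__":
    # Run against the locally installed binary (assumes `openssl` is on PATH).
    out = subprocess.run(["openssl", "version", "-a"], capture_output=True, text=True).stdout
    print(assess_local_openssl(out))
```

A "not_vulnerable" verdict from this check does not cover statically linked copies of OpenSSL inside other binaries, which is exactly the case a code-scanning inventory is meant to catch.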

[Update: Helpful information can also be found in these ZDNet and Mashable articles addressing the Heartbleed bug.]

How Can I Protect My Organization in the Future?

Once you’ve mitigated damage from Heartbleed, the most important next step is to ensure you’re doing everything you can to prevent and reduce the severity of any future vulnerabilities. Ensure your organization has an automated code scanning and analysis platform in place so you can quickly determine exactly where a given piece of code is used, and be sure that platform leverages the National Vulnerability Database (NVD) to identify and send alerts about security vulnerabilities.

Perhaps Louis Pasteur said it best: Fortune favors the prepared mind.
