What is the Heartbleed Bug?
I know a number of media outlets have given a variety of descriptions, but I have taken this one from the Heartbleed website (www.heartbleed.com):
“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
In short, the software that many organisations use to protect connections and the transfer of information has a flaw in one small feature, the TLS heartbeat extension. By sending a malformed heartbeat request, anyone on the Internet can make a vulnerable server send back up to 64 KB of whatever happens to be in its memory, without authenticating and without leaving anything in the logs. That memory can contain the server's private key, session cookies and users' names and passwords, so the data is exposed even though the connection itself is encrypted.
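To make the mechanism concrete, here is an added example, not code from the original post or from OpenSSL itself: a simplified C model of the heartbeat handler in both its vulnerable shape (OpenSSL 1.0.1 through 1.0.1f) and its fixed shape (1.0.1g), run against a constructed heartbeat record with a constructed secret placed right after it in a simulated block of server memory. The function names, the 128-byte memory buffer, the 64-byte claimed length and the secret string are assumptions made for the illustration; the two length checks in the fixed path mirror the ones the real fix added.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message: type(1) | payload_length(2, big-endian) |
 * payload | padding (at least 16 bytes). */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Simulated server memory (constructed for this example). The received
 * heartbeat record is stored at the front; unrelated per-process data, here
 * a secret string, happens to live right after it, as it might on a real heap. */
#define MEM_SIZE 128
static unsigned char memory[MEM_SIZE];

/* Stage a heartbeat request in `memory`. `claimed_len` goes into the
 * payload_length field; `payload` is what was really sent. Returns the
 * true length of the record as it arrived from the network. */
size_t stage_record(uint16_t claimed_len, const char *payload, const char *secret)
{
    size_t sent = strlen(payload);
    size_t record_len = 1 + 2 + sent + HB_PADDING;
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (unsigned char)(claimed_len >> 8);
    memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(&memory[3], payload, sent);            /* padding stays zero */
    strcpy((char *)&memory[record_len], secret);  /* unrelated data after the record */
    return record_len;
}

/* Core of the heartbeat handler in both shapes. With check_length == 0 it
 * behaves like OpenSSL 1.0.1f and earlier: the attacker-supplied
 * payload_length is trusted, so memcpy reads past the end of the record.
 * With check_length != 0 it applies the 1.0.1g fix: records whose claimed
 * length exceeds what actually arrived are silently discarded (RFC 6520 s4).
 * Returns bytes written to `resp`, 0 when the record is discarded, -1 on a
 * non-request or a response that would not fit. */
int process_heartbeat(const unsigned char *rec, size_t rec_len,
                      unsigned char *resp, size_t resp_cap, int check_length)
{
    if (check_length && 1 + 2 + HB_PADDING > rec_len)
        return 0;                                 /* too short to even parse */
    const unsigned char *p = rec;
    unsigned char type = *p++;
    size_t payload = ((size_t)p[0] << 8) | p[1];  /* attacker-controlled length */
    p += 2;
    if (check_length && 1 + 2 + payload + HB_PADDING > rec_len)
        return 0;                                 /* the check the bug lacked */
    if (type != HB_REQUEST)
        return -1;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > resp_cap)
        return -1;
    unsigned char *bp = resp;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, p, payload);    /* unchecked: copies whatever follows the record */
    bp += payload;
    memset(bp, 0, HB_PADDING); /* OpenSSL fills this with random bytes */
    return (int)resp_len;
}

int vulnerable_heartbeat(const unsigned char *rec, size_t rec_len, unsigned char *resp, size_t cap)
{ return process_heartbeat(rec, rec_len, resp, cap, 0); }

int fixed_heartbeat(const unsigned char *rec, size_t rec_len, unsigned char *resp, size_t cap)
{ return process_heartbeat(rec, rec_len, resp, cap, 1); }

/* Does `needle` appear anywhere in the first `len` bytes of `hay`? */
int contains(const unsigned char *hay, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed input: a 5-byte payload that claims to be 64 bytes long
     * (the real attack claims up to 65535; 64 keeps the read inside `memory`). */
    const char *secret = "user=alice;pass=hunter2";
    size_t rec_len = stage_record(64, "hello", secret);
    unsigned char resp[256];

    int n = vulnerable_heartbeat(memory, rec_len, resp, sizeof resp);
    printf("vulnerable: %d-byte response, secret leaked: %s\n",
           n, contains(resp, (size_t)n, secret) ? "yes" : "no");

    n = fixed_heartbeat(memory, rec_len, resp, sizeof resp);
    printf("fixed: record discarded (returned %d)\n", n);
    return 0;
}
```

The vulnerable path answers the 5-byte request with an 83-byte response whose tail is whatever sat after the record in memory, here the secret; the fixed path drops the same request outright and only answers a request whose claimed length matches what was actually received.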
The following cartoon may be a light-hearted look at the vulnerability, but it has some very far-reaching consequences:
Fixing the Heartbleed vulnerability
The software package in question, OpenSSL, needs to be patched (the fixed release is OpenSSL 1.0.1g; the 1.0.0 and 0.9.8 branches were never affected). That sounds like a straightforward request, but as a user you have very little say in it. The library is typically used by a website to create its secure tunnels, so it is the website administrator who has to put the upgrade in place to remove the vulnerability. The secure tunnel also relies on the exchange of digital certificates to prove that the tunnel should be trusted. The private key behind a certificate lives in exactly the memory an attacker could read, and nothing in the server's logs will show whether it was read, so the safe assumption is that it was: the certificate needs to be revoked and a new one issued for a freshly generated private key, not simply re-signed for the old one. Again, this is a task for the website administrator.
Aside from websites, various IT manufacturers use OpenSSL to secure access to their solutions, whether it is the administration console, remote-access certificates or something else. The reliance then is on the manufacturer to upgrade their solution with a patched version of OpenSSL, compile it and test it, before releasing it for public consumption. Most of the bigger manufacturers released statements within hours and updated versions of code within days. There are still some manufacturers who have done neither.
Next steps
If you are a user of a website that uses OpenSSL, first make sure the site has updated to a version without the vulnerability, and only then change your password as a precaution: a new password set on a still-vulnerable site can be read out of its memory just as easily as the old one.
As an administrator of a website that uses OpenSSL, ensure the site has been updated to a version without the vulnerability, then revoke the certificate and reissue it for a newly generated private key, since the old key may already have been read out of memory. Prompt users to change their passwords once the fix is in place, and confirm that the site is now serving the reissued certificate rather than the old one.
As an administrator of an IT solution that uses OpenSSL, follow the manufacturer's guidelines, which will be to update or patch the software to the latest version that includes the fix to the OpenSSL issue. It may still be necessary to revoke and reissue the certificate, and to change any passwords.
Most importantly, check that your systems are no longer vulnerable after any changes. Do not rely on the version number alone: several Linux distributions backported the fix into their existing OpenSSL 1.0.1e packages without changing the version string, so test the running service rather than trusting what it reports. There are a number of services that can check, including a complimentary check the organisation I work for is offering. More information around that service can be found here: www.mti.com