Apr 16, 2014

The much talked security threat these days that is faced by the OpenSSL cryptographic software library is Heartbleed bug which can affect 2/3rd of the world’s server. This bug allows anyone on the internet to read the memory of the system which have been protected by the vulnerable versions of the OpenSSL software.

An OSI (Open Systems Interconnection) Model consists of 7 layers that characterize and standardize the internal functions of a communication system by partitioning it into abstraction layers. The model is a product of the OSI project at the International Organization for Standardization (ISO). The TLS (Transport Layer Security) and SSL (Security Socket Layer) provides communication security over the internet. This major flaw on the OpenSSL actually boosts the cybercriminal acts as the system is not secure anymore i.e. our sensitive data like usernames, passwords, credit card numbers and more are at risk.

This security threat is such that hackers can eavesdrop on communications, steal data directly from the services and users, and impersonate services and users without even leaving a trace of suspicion. Heartbleed.com is a website designed to answer questions about the vulnerability that arises due to this bug and the ways of overcoming this vulnerability.

As mentioned earlier, this bug leaves no traces of anything abnormal happening to the logs thereby making it difficult to detect whether some kind of abnormal activities were performed. This is a major risk as your sensitive data is completely open to hackers and cybercriminals and there is nothing you can do about it.

Although Heartbleed is the result of a small coding error but it could have repercussions across-the-globe and affect a majority of the Internet users. What makes the bug particularly so challenging is that there is no simple fix to it. Action needs to be taken by both the compromised sites and individuals who have visited them. To protect the user data and encryption keys, sites must upgrade to the repaired version of the new OpenSSL, which call off compromised SSL certificates and get new ones which are issued. Till date, Apple iOS, Blackberry OS, IBM and Microsoft etc. have been unaffected by the Heartbleed bug. But still, it is important to understand, what you can do and how you can stop it, so that you don’t get affected by this bug!

What you can do about it?

If you are an internet user, there is nothing you can do about it. However, you can always keep yourself updated about the websites which have been affected by this bug. A tool developed by Filippo Valsorda checks whether a website is vulnerable to this bug. Try the Tool here. Another precaution that can be exercised is to frequently change the passwords for the sites you use regularly, irrespective of the nature of the site- email, Facebook, Twitter, or any other online sites where login details and passwords are required for access. A network administrator or website manager on the other hand should definitely apply the patch version on the OpenSSL to remove any vulnerability from the site and network. SSL security certificates should also be recirculated and users should be encouraged to create new passwords.

How to stop it?

The fixed or patched version is been released by Heartbleed.com. (Quote) “As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use” (Unquote). Therefore a network administrator needs to take immediate action to fix the issue ASAP. All the major websites like Google, Facebook, Yahoo, and Amazon have upgraded their sites and have applied the patched or fixed OpenSSL but there are some small websites too that need to be fixed.


Post a Comment

Thanks For Comment Please Share this Post to G+!