In the worst case, this defect means that online retailers who did everything right to safeguard customer information may nevertheless have been exposing sensitive data to any attacker who knew about the bug.
What’s the Heartbleed Bug?
The Heartbleed bug is a coding defect in versions 1.0.1 through 1.0.1f of OpenSSL, an open-source, commercial-grade toolkit and library used to implement the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
Heartbeat is an extension to the TLS protocol (RFC 6520) that lets a server and a client (a web browser, for example) keep a connection alive while no application data is being exchanged. Without getting too technical, the extension works by having one party, the web browser for instance, send a heartbeat request containing a payload of arbitrary bytes together with a field that declares how many bytes that payload holds. The other party, here the web server, is supposed to answer with a response carrying a copy of the identical payload. Unfortunately, the code that should have confirmed that the declared payload length matched the length of the data actually received was missing in the versions of OpenSSL listed above. A request that claimed, say, a 64KB payload but carried only a few bytes would get a 64KB reply, filled out with whatever happened to sit next to the request in the server's memory. Information thus bleeds out through the heartbeat, which is how the bug got its name.
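To make the missing check concrete, the following is an added example written for this page; it is not OpenSSL's code and not part of the original article. It is a simplified C model of a heartbeat handler whose bounds check can be switched on and off. The message layout follows RFC 6520 (one type byte, a two-byte length, the payload, then at least 16 bytes of padding), but the function names, the 128-byte "memory" buffer and the secret placed next to the request are constructed for illustration.

```c
/* Added example: a simplified model of the TLS heartbeat handler that
 * Heartbleed broke. This is NOT OpenSSL's code; the layout follows RFC 6520
 * but the buffer, the secret and all names are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1   /* HeartbeatMessageType heartbeat_request */
#define HB_RESPONSE 2   /* HeartbeatMessageType heartbeat_response */
#define HB_PADDING  16  /* minimum padding required after the payload */

/* Build a heartbeat response into `out` from a received record `rec` of
 * rec_len bytes. Returns the response length, or -1 if the request is
 * dropped. With bounds_check == 0 it behaves like OpenSSL 1.0.1 to 1.0.1f:
 * it trusts the sender's declared payload length and copies that many bytes
 * from the payload position, however short the record really is. */
static int build_heartbeat_response(const uint8_t *rec, size_t rec_len,
                                    uint8_t *out, size_t out_cap,
                                    int bounds_check)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];  /* big-endian length */

    /* The fix: header + declared payload + padding must fit inside the record
     * that actually arrived; otherwise silently discard (RFC 6520, section 4). */
    if (bounds_check && 1 + 2 + payload_len + HB_PADDING > rec_len)
        return -1;

    size_t resp_len = 1 + 2 + payload_len + HB_PADDING;
    if (resp_len > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    /* Without the check above, this memcpy reads payload_len bytes starting
     * at rec + 3 and runs past the end of the record into adjacent memory. */
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING); /* real padding is random */
    return (int)resp_len;
}

/* Returns 1 if the first len bytes of resp contain the string needle. */
int response_contains(const uint8_t *resp, int len, const char *needle)
{
    size_t n = strlen(needle);
    if (len < 0 || (size_t)len < n)
        return 0;
    for (size_t i = 0; i + n <= (size_t)len; i++)
        if (memcmp(resp + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Constructed scenario: a 128-byte "server memory" region holds a heartbeat
 * request whose real payload is the 4 bytes "ping" but whose length field
 * says declared_len, followed by a secret that happens to sit right after
 * the record. Returns what the handler produces for that request. */
int run_heartbeat(int bounds_check, unsigned declared_len,
                  uint8_t *out, size_t out_cap)
{
    static const char secret[] = "password=hunter2;session_ticket_key=00112233";
    uint8_t memory[128] = {0};
    uint8_t header[3] = { HB_REQUEST,
                          (uint8_t)(declared_len >> 8),
                          (uint8_t)(declared_len & 0xff) };
    memcpy(memory, header, 3);
    memcpy(memory + 3, "ping", 4);
    size_t rec_len = 3 + 4 + HB_PADDING;          /* 23 bytes really received */
    memcpy(memory + rec_len, secret, sizeof secret - 1);
    /* Keep the model free of undefined behaviour: the over-read must stay
     * inside `memory`, so declared_len is capped here. */
    if (3 + (size_t)declared_len > sizeof memory)
        return -1;
    return build_heartbeat_response(memory, rec_len, out, out_cap, bounds_check);
}

int main(void)
{
    uint8_t out[256];
    int n = run_heartbeat(0, 64, out, sizeof out);   /* unpatched server */
    printf("unpatched: %d-byte reply, secret leaked: %s\n", n,
           response_contains(out, n, "password=") ? "yes" : "no");
    n = run_heartbeat(1, 64, out, sizeof out);       /* patched server */
    printf("patched: returned %d (oversized request dropped)\n", n);
    n = run_heartbeat(1, 4, out, sizeof out);        /* honest request */
    printf("patched: %d-byte reply to a well-formed request\n", n);
    return 0;
}
```

Two things the model makes visible. First, the unpatched reply is a perfectly well-formed heartbeat response, which is why nothing unusual appears in ordinary server logs. Second, the fix is one comparison before the copy, and an honest request still gets its echo back, so disabling the extension or upgrading costs legitimate clients nothing.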
“The issue is rather simple,” wrote Matthew Green, a cryptographer and researcher at Johns Hopkins University, in his excellent description of the Heartbleed bug. “There’s a very small vulnerability — a straightforward missing bounds check — in the code which manages TLS ‘heartbeat’ messages. By abusing this mechanism, an attacker may ask that a running TLS server hand over a relatively large slice (up to 64KB) of its private memory space. As this is the same memory space in which OpenSSL additionally stores the server’s private key material, an attacker can possibly access (a) long-term host private keys, (b) TLS session keys, (c) confidential information such as passwords, (d) session ticket keys.”
“Any of the above may permit an attacker to decrypt continuing TLS sessions or steal useful information,” wrote Green. “However, item (a) above is undoubtedly the worst, as an attacker who obtains the server’s main private keys could possibly decrypt past sessions (if made using the [non-perfect forward secrecy RSA] handshake) or impersonate the server moving forward. Worst of all, the exploit leaves no trace.”
Because the Heartbleed bug can be used both to obtain the keys needed to decrypt encrypted traffic and to pull “a relatively large slice” of server memory directly, a vulnerable server is in some respects worse off than one that never used encryption at all: the leaked memory can contain data, such as the private key itself, that never travels over the wire.
Finally, the flawed heartbeat code was added to OpenSSL at the end of 2011 and shipped in the 1.0.1 release in March 2012, so vulnerable servers have been in production for roughly two years.
Why Online Retailers Should Be Worried about Heartbleed
The Heartbleed bug means that merchants who adhered perfectly to the Payment Card Industry Data Security Standard (PCI DSS) and took every sensible precaution to safeguard customers’ personal information and payment card numbers may nevertheless have been exposed. Even some exclusively brick-and-mortar retailers may have been vulnerable, since OpenSSL is built into far more than web servers.
The bottom line is that customers’ personal information and payment card numbers are at risk, and every merchant should act to protect customers.
How Merchants Can Protect Customer Data from Heartbleed
Retailers, especially online vendors, should take several measures to protect customers from the Heartbleed bug.
First, if your web server has been running one of the vulnerable versions of OpenSSL, make sure it is upgraded to 1.0.1g or later, patched, or recompiled with the heartbeat extension disabled (the -DOPENSSL_NO_HEARTBEATS build option) immediately. This removes the exposure going forward. Remember that a running process keeps using the old library until it is restarted, so restart every service that links OpenSSL after updating it.
Unfortunately, there is no reliable way to tell whether a given server was actually attacked, which would mean someone now holds its private key, so retailers should treat the key as compromised: generate a new private key, obtain a new certificate for it, install it, and then revoke the old certificate. Do this only once the server is running a fixed version of OpenSSL; reissuing a certificate on a still-vulnerable server, or reusing the old key pair under a new certificate, gains nothing.
Finally, it is a good idea to reset user passwords, because if a server was compromised the bad guys and gals could hold users’ current passwords. Do the reset after the server has been patched and its certificate replaced; otherwise the new passwords can leak exactly as the old ones did. Existing sessions and session ticket keys should be invalidated at the same time, since those could have leaked too.
How to Protect Your Company from Heartbleed Hackers
Given the extent of the Heartbleed bug and the risk it poses, it is a good idea to change the passwords for many, if not all, important company accounts, banking passwords especially. Change each password only once the service in question has confirmed it is patched, since a new password sent to a still-vulnerable server can be stolen the same way as the old one.
Heartbleed-related Articles and Resources
- The Heartbleed Bug website from Codenomicon.
- Mathew Ingram’s article, “Here is everything you will need to know about the Heartbleed net security flaw,” on Gigaom.
- Matthew Green’s “Attack of the Week: OpenSSL Heartbleed.”
- Jack Phillips’ “Heartbleed Bug Imperils Web Encryption; Passwords, Credit Card Numbers at Risk,” at Epoch Times.
- James Lyne’s “Heartbeat Heartbleed Breaks Worldwide Internet Security Again” from Forbes.
- John Biggs’ post, “Heartbleed, the First Security Bug with a Cool Logo,” on TechCrunch.
- Sean Gallagher’s post, “Heartbleed vulnerability may have been exploited months before patch,” from Ars Technica.
- Danny Yadron’s Wall Street Journal article, “Massive OpenSSL Bug ‘Heartbleed’ Threatens Sensitive Data.”
- Paul Ducklin’s post, “Heartbleed — heartache if you truly change your passwords straight away?” on the Naked Security blog.
- OpenSSL’s security advisory.