The bug CVE-2014-0160, better known as the Heartbleed Bug, is a security flaw in the OpenSSL cryptography library, the software most widely used to implement the internet’s TLS (Transport Layer Security) protocol. Heartbleed was recently uncovered by researchers at Google and Codenomicon. The bug was officially disclosed in April, and it is estimated that more than 17% of the internet’s web servers were vulnerable to the attack at one point. Many consider Heartbleed one of the worst vulnerabilities ever found on the internet.
What Does Heartbleed Do?
The bug has been categorized as a buffer over-read. In layman’s terms, Heartbleed allows anyone on the internet to read the memory of systems protected by vulnerable versions of the OpenSSL software. Affected systems are at considerable risk of having secret keys and passwords exposed, which can eventually lead to stolen or leaked data. Attackers obtain information either by eavesdropping on communications or by pulling data directly from server memory. One way to picture Heartbleed is as an impostor: the attacker abuses an existing security mechanism to enter the system undetected and can then steal information by pretending to be a legitimate user. To be clear, Heartbleed is not a virus that infects a personal computer; it is a bug in the OpenSSL software itself.
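To make the “buffer over-read” concrete, here is an added example (not code from this post or from OpenSSL) that models a heartbeat handler with a simplified record layout assumed for illustration: a type byte, a two-byte claimed payload length, the payload, and padding. The vulnerable version trusts the claimed length; the fixed version checks it against the bytes actually received, which is the kind of bounds check the patch introduced.

```c
#include <stdint.h>
#include <string.h>

/* Simplified heartbeat record layout assumed for this example (not OpenSSL's
 * real structures): 1 type byte, 2-byte big-endian payload length, payload,
 * then at least 16 bytes of padding. */
#define HB_MIN_PADDING 16

/* Vulnerable handler: trusts the length field and echoes that many bytes,
 * ignoring how many bytes were actually received (the over-read). */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap) {
    (void)rec_len;                              /* the bug: never checked */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (payload > out_cap) return 0;
    memcpy(out, rec + 3, payload);              /* reads past the record */
    return payload;
}

/* Fixed handler: header + claimed payload + padding must fit inside the
 * record that was actually received; otherwise the request is dropped. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_MIN_PADDING) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_MIN_PADDING > rec_len) return 0;
    if (payload > out_cap) return 0;
    memcpy(out, rec + 3, payload);
    return payload;
}

/* Demo arena standing in for process memory: a 23-byte record that claims a
 * 64-byte payload, followed by a constructed "secret". Returns the number of
 * bytes echoed and sets *leaked if the echoed data contains the secret. */
static const char SECRET[] = "CONSTRUCTED-SESSION-COOKIE";
size_t demo_heartbeat(int use_fixed, int *leaked) {
    uint8_t arena[128] = {0}, out[128] = {0};
    size_t rec_len = 3 + 4 + HB_MIN_PADDING;    /* 23 bytes really received */
    arena[0] = 1; arena[1] = 0; arena[2] = 64;  /* claims 64, carries 4 */
    memcpy(arena + 3, "ping", 4);
    memcpy(arena + rec_len, SECRET, sizeof SECRET);
    size_t n = use_fixed ? heartbeat_fixed(arena, rec_len, out, sizeof out)
                         : heartbeat_vulnerable(arena, rec_len, out, sizeof out);
    /* out[20..] corresponds to arena[23..], i.e. the bytes after the record */
    *leaked = n > 20 && memcmp(out + 20, SECRET, sizeof SECRET - 1) == 0;
    return n;
}
```

The vulnerable handler echoes 64 bytes, including the secret stored after the record, while the fixed handler returns nothing for the same malformed request.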
How to Stop the Bleeding
Users cannot stop the bleeding without installing a fix for their operating systems, appliances, and software. It is not a bug that will go away on its own. A number of software vendors have released updates in the past few weeks to combat the bug and protect vulnerable versions of the OpenSSL software. These include LastPass, LibreOffice, LogMeIn, and several Hewlett-Packard server applications.
LastPass is currently one of the best and most effective tools on the internet for this. If you have an account, the application can scan all of your user accounts and help figure out which passwords need to be reset because they may have been compromised by Heartbleed. While LastPass can be used to check passwords, it is also very likely that LastPass’s own SSL keys were compromised by the bug. The program advises customers to generate new passwords for critical sites, including email accounts, banking sites, and social networks.
The full effects of Heartbleed will not be understood until months down the road, but one thing is certain: they will be severe. First, many people may lose faith in OpenSSL software. Second, some believe it could end up costing users as much as $500 million.
For more information about how to protect your servers, computers, and software, contact ACIS Computers today. We are proud to offer IT services, hardware, and cabling solutions for small and large businesses alike. We have been in the industry for more than 30 years and have the experience necessary to help your business be protected and successful.