An enormous security flaw has been discovered that threatens a large part of the Internet. Dubbed Heartbleed, it has panicked internet service providers and sent many system administrators – the people who look after an organisation’s computer networks – into a frenzy.
The vulnerability is in OpenSSL, an enormously popular open-source library that is broadly used to encrypt web communications (SSL and its successor, TLS).
It is widely thought to affect a large proportion of the servers that handle internet traffic. The flaw sits in OpenSSL’s handling of the TLS heartbeat extension, hence the name Heartbleed, and it allows an attacker to read the memory of a vulnerable server, leaking whatever that memory happens to hold, including data the server has recently sent to and received from users.
Only up to 64 KB of memory can be read per request, but the attack can be repeated indefinitely, so an attacker can keep going back for more, each time receiving a different slice of memory.
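As an added illustration, not code from this article or from OpenSSL itself, the C below models the heartbeat bug: a heartbeat message carries a 16-bit declared payload length, and vulnerable OpenSSL copied that many bytes into its response without checking that the record actually contained them. The record, the arena standing in for server memory and the "private key" bytes are all constructed sample data; the function names are hypothetical, and the fixed handler mirrors the shape of the bound the OpenSSL 1.0.1g fix introduced (header + declared payload + padding must not exceed the record length).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520): 1-byte type, 2-byte payload
 * length, payload, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed sample "server memory": a 23-byte heartbeat record carrying a
 * 4-byte payload ("ping") plus 16 bytes of padding, followed by 48 bytes that
 * stand in for whatever sat after the record in the process heap. The arena
 * is sized so that the simulated over-read stays inside our own buffer. */
#define REC_LEN  23
#define TAIL_LEN 48
static unsigned char arena[REC_LEN + TAIL_LEN];
static unsigned char response[256];

void build_arena(uint16_t declared_len)
{
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(declared_len >> 8);
    arena[2] = (unsigned char)(declared_len & 0xff);
    memcpy(arena + 3, "ping", 4);            /* arena[7..23) is zero padding */
    memcpy(arena + REC_LEN,                  /* constructed, not a real key */
           "-----BEGIN RSA PRIVATE KEY-----constructed-not-a-key", TAIL_LEN);
}

static uint16_t n2s(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable shape: the declared length is trusted, so memcpy reads `payload`
 * bytes from the request no matter how many the record actually contains. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    (void)rec_len;                           /* the bug: record length never consulted */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload = n2s(rec + 1);
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return 0;        /* our buffer limit, not part of the original bug */
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);       /* over-reads whenever payload > rec_len - 3 */
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Fixed shape: silently discard any record too short for header + declared
 * payload + padding, before anything is copied. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;          /* no room even for an empty payload */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload = n2s(rec + 1);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;   /* the missing check */
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Build a record with the chosen declared length and run one handler over it;
 * both return the response length (0 means the request was rejected). */
size_t vulnerable_response(uint16_t declared_len)
{
    build_arena(declared_len);
    return heartbeat_vulnerable(arena, REC_LEN, response, sizeof response);
}
size_t fixed_response(uint16_t declared_len)
{
    build_arena(declared_len);
    return heartbeat_fixed(arena, REC_LEN, response, sizeof response);
}

/* Number of response bytes that came from beyond the record, i.e. from the
 * "private key" tail, verified byte-for-byte against the arena. */
size_t leaked_bytes(size_t resp_len)
{
    if (resp_len < 1 + 2 + HB_PADDING) return 0;
    size_t copied = resp_len - 1 - 2 - HB_PADDING;       /* bytes copied from rec + 3 */
    size_t in_record = REC_LEN - 3;                      /* 20 bytes really in the record */
    if (copied <= in_record) return 0;
    size_t leaked = copied - in_record;
    return memcmp(response + 3 + in_record, arena + REC_LEN, leaked) == 0 ? leaked : 0;
}

int main(void)
{
    size_t n = vulnerable_response(64);
    printf("vulnerable: %zu-byte response, %zu bytes leaked from beyond the record\n",
           n, leaked_bytes(n));
    printf("fixed: declared 64 -> %zu, declared 4 -> %zu\n",
           fixed_response(64), fixed_response(4));
    return 0;
}
```

In a real server the over-read walks into whatever adjacent heap memory OpenSSL had recently used, which is why one response can contain session cookies, passwords or key material. The 16-bit length field is also where the 64 KB per-request ceiling comes from: a request declaring 65535 bytes gets a 65535-byte slice of memory back.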
A server’s memory can include user details, passwords, session cookies, anything being communicated to and from the server, and the server’s SSL private key. If that key is stolen, attackers can decrypt intercepted traffic (past traffic too, unless the connection used forward secrecy), steal data from the service and its users, and impersonate the service; the key remains useful to them until the certificate is revoked and reissued.
It’s difficult to overstate the number of websites that could be vulnerable, but think of social networking sites, all manner of company websites, e-commerce operations and even government-run websites and you’ll get some sense of the scale.
However, not all websites or services are affected. For example, Facebook, Twitter, Gmail, LinkedIn and Microsoft are known not to be vulnerable to the exploit.
It’s not known whether the vulnerability has been exploited by hackers yet, but it could have been: a heartbeat request leaves nothing in ordinary server logs, and attackers are certainly not going to put their hands up and admit to it.
Researchers have already demonstrated successful exploitation of the vulnerability. This site provides some information and also offers a means for you to check whether your server is vulnerable via a ‘heartbleed’ test.
The good news is that a new version of OpenSSL (1.0.1g) has been released which fixes the vulnerability. There is a sense of urgency that the fix needs to be applied as soon as possible, and we understand that this process is already happening, but how soon and how widely is difficult to say. Patching alone is not enough: because private keys may already have been read, administrators also need to generate new keys, reissue and revoke certificates, and invalidate existing sessions and passwords once the patch is in place.
Ironically, the Heartbleed bug also means that cyber criminals’ own infrastructure and secrets have been exposed, since their servers run the same software.