Heart Bleed bug exploits popular encryption tool – most Internet servers affected – fix is available but needs to be applied swiftly – even cyber criminals are exposed.

An enormous security flaw has been discovered that threatens the entire Internet. Dubbed Heart Bleed, it has panicked internet service providers and sent many system administrators – the people who look after an organisation’s computer networks – into a bit of a frenzy.

The vulnerability is in something called OpenSSL, which is enormously popular open-source software that is broadly used to encrypt web communications.

It’s widely thought to affect the majority of servers that drive internet traffic. The vulnerability allows attackers to read the memory of a vulnerable server, essentially leaking the memory content of what the server sends to and receives from users, hence its name Heart Bleed.

However, only up to 64k of memory can be read. That said, the attack can be repeated indefinitely, allowing attackers to keep going back for more information.

A server’s memory includes user details, passwords, everything that is communicated to and from the server and also SSL private keys. If these keys are stolen, hackers can eavesdrop on communications, steal data from the service and users, and also impersonate services and users.

It’s difficult to overstate the number of websites that could be vulnerable, but think in terms of some social networking sites, all manner of company websites, e-commerce operations and even government-run websites, and you’ll get some sense of the scale.

 

However, not all websites or services are affected. For example, we know that Facebook, Twitter, Gmail, LinkedIn and Microsoft are not vulnerable to the potential exploit.

It’s not known whether the vulnerability has been exploited by hackers yet. But it could have been. And if so, hackers are certainly not going to put their hands up and admit to it.

Researchers have already demonstrated how successful exploitation can take place by targeting the vulnerability.  This site provides some information and it also offers a means for you to check whether you are vulnerable via a ‘heartbleed’ test.

The good news is that another version of OpenSSL has been released which addresses the vulnerability. There is also a sense of urgency that the fix needs to be applied as soon as possible, and we understand that this process is already happening, but how soon and how widespread is difficult to say.

Ironically, the Heart Bleed exploit also means cyber criminals’ infrastructure and their secrets have been exposed.

Written by Steve Bell

Steve has a background in IT and business journalism and in the past has written extensively for both the UK national and trade press including The Guardian, Independent-on-Sunday, The Times, The Register, MicroScope and Computer Weekly. He's also worked for most of the world's largest IT companies in a copy and content producing capacity. He has a particular focus on IT security and has been involved in writing about the industry at various levels ranging from magazine launches to producing newsletters. He also runs a small copy writing business called Art of Words. When not bashing away at a keyboard he can sometimes be found in a boxing gym making futile efforts to keep fit or marveling at the works of Sufi poets such as Jalaluddin Rumi and Hafiz of Shiraz.

