April 9, 2014 certainly will be a memorable day in the cyber security history books. As the Internet swirled with the end of support for Windows XP, a vulnerability came to light that I would say is probably one of the most severe in terms of potential impact that I’ve seen in a while: the Heartbleed OpenSSL vulnerability. In short, SSL encryption makes network and internet traffic unreadable to anyone who intercepts it, thereby protecting the sensitive data and personal information being transmitted.
OpenSSL is commonly used by software to perform SSL encryption. The gist of the vulnerability is that attackers who exploit it are able to steal the encryption keys from internet servers and desktop software using OpenSSL for encrypting network traffic. They can then use those keys to decrypt the data. Making matters worse, even if vulnerable software is patched, previously captured encrypted communications can be still decrypted using the compromised keys.
The security implications of this are very real – a significant amount of the software we implement today uses the OpenSSL library for encryption, affecting many popular server and desktop software packages and therefore putting business servers, corporate desktops and at-home users all at risk.
This is an excellent example of vulnerabilities that exist within encryption products just waiting to be discovered. This particular programming error was introduced in December 2011 with OpenSSL version 1.0.1. Criminals could have been using it; intelligence agencies like the NSA could have been exploiting it; it’s hard to say what those organizations have in their arsenal, being used quietly.
I would recommend for organizations and users themselves to pay extra attention over the next few weeks to make sure all their software is patched and up-to-date. For system administrators especially, it’s imperative that they mitigate the vulnerability as quickly as possible. There are plenty of commercial offerings out there to help with patch management. For home users, I’d recommend the free Secunia (News - Alert) PSI software. For more tips and information on this vulnerability, check out the security researchers’ website, http://heartbleed.com.
Lucas Zaichkowsky is Enterprise Defense Architect at AccessData.