Earlier this week the “Heartbleed Bug” became a news headline. Despite its prominence in the news, many are left wondering exactly what the bug is and how it may affect them.
The Heartbleed bug is an extremely serious vulnerability in the widely used Open Source cryptographic software library, OpenSSL.
Over half a million websites that you likely interact with on a regular basis employ the OpenSSL TLS heartbeat extension, including Twitter, Yahoo, GitHub, Tumblr, Steam and the Commonwealth Bank of Australia.
The vulnerability allows a malicious attacker to extract 64KB of memory at any one time. In a world where it is not uncommon for the average Joe to have a 1 terabyte hard drive in their pocket, “64KB” may not sound like a lot… But believe us, 64 kilobytes is more than enough for a malicious attacker to extract extremely sensitive information (such as usernames, passwords and financial data) from a server’s memory.
The vulnerability can also be exploited to extract a server’s private key, which can then be used to decrypt all communications.
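The reason the leak is capped at 64KB per request is that the TLS heartbeat message carries a 16-bit field declaring its payload length, and the flawed OpenSSL code trusted that field without checking it against the size of the record actually received, so the response echoed back whatever bytes happened to follow the request in memory. The following C program is an added, deliberately simplified model of that handler (it is not OpenSSL's code and the message layout is reduced to type, length, payload and padding); the "secret" placed after the request in the constructed arena is a made-up sample. The same handler runs twice, once without the bounds check and once with the check the fix introduced, so you can see the over-read in the first case and the rejection in the second.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* the heartbeat RFC requires at least 16 bytes of padding */

/* Constructed sample data that happens to sit in memory after the request. */
static const char DEMO_SECRET[] = "password=hunter2";

/* Builds a heartbeat response for the request at record[0..record_len).
 * Returns the response length, or -1 if the request is rejected.
 * With check_bounds == 0 the handler behaves like the vulnerable code: it
 * believes the declared payload length and copies that many bytes. */
int handle_heartbeat(const uint8_t *record, size_t record_len,
                     uint8_t *out, size_t out_cap, int check_bounds)
{
    if (record_len < 3 || record[0] != HB_REQUEST)
        return -1;                                   /* need type + 2-byte length */

    size_t payload_len = ((size_t)record[1] << 8) | record[2];   /* 16-bit field */

    if (check_bounds) {
        /* The fix: the declared payload plus header and padding must fit
         * inside the record that was actually received. */
        if (1 + 2 + payload_len + HB_PADDING > record_len)
            return -1;
    }

    size_t resp_len = 1 + 2 + payload_len + HB_PADDING;
    if (resp_len > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)payload_len;
    memcpy(out + 3, record + 3, payload_len);        /* over-reads when unchecked */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return (int)resp_len;
}

/* Lays out the constructed demo: a request declaring a 32-byte payload but
 * carrying only 2 bytes, followed in memory by the sample secret.
 * Returns the true length of the heartbeat record (21 bytes). */
size_t build_demo_arena(uint8_t *arena, size_t cap)
{
    static const uint8_t record[] = {
        HB_REQUEST, 0x00, 0x20,                         /* declared length = 32 */
        'h', 'i',                                       /* actual payload: 2 bytes */
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0  /* 16 bytes of padding */
    };
    size_t record_len = sizeof record;
    if (cap < record_len + sizeof DEMO_SECRET)
        return 0;
    memset(arena, 0, cap);
    memcpy(arena, record, record_len);
    memcpy(arena + record_len, DEMO_SECRET, sizeof DEMO_SECRET);
    return record_len;
}

/* Runs the handler against the demo arena; the over-read stays inside the
 * arena so the model itself is well-defined C. */
int run_demo(int check_bounds, uint8_t *out, size_t out_cap)
{
    uint8_t arena[64];
    size_t record_len = build_demo_arena(arena, sizeof arena);
    if (record_len == 0)
        return -1;
    return handle_heartbeat(arena, record_len, out, out_cap, check_bounds);
}

int main(void)
{
    uint8_t out[128];
    int n = run_demo(0, out, sizeof out);
    printf("unchecked handler returned %d bytes; payload region: ", n);
    for (int i = 3; i < n - HB_PADDING; i++)
        putchar(out[i] >= 32 && out[i] < 127 ? out[i] : '.');
    printf("\nchecked handler returned %d (request rejected)\n",
           run_demo(1, out, sizeof out));
    return 0;
}
```

The unchecked run returns a 51-byte response whose payload region contains the two real bytes, the padding, and then 14 bytes of the sample secret that the request never sent; the checked run refuses the request because 1 + 2 + 32 + 16 exceeds the 21 bytes received. That single comparison is the whole of the fix, which is why patching was a matter of upgrading the library rather than redesigning anything.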
In short, it is the worst security vulnerability we have seen to date.
In addition, the vulnerability has been in circulation for an extremely long time – it was first introduced into the software library on the 31st of December 2011.
What should you do?
Please be aware that there are malicious “honeypot” traps online posing as legitimate test sites. We recommend using the detection steps outlined on our blog to ensure that you are not exposing yourself to one of these.
Please review these steps as a priority to ensure your installation is not vulnerable and please contact atmail Client Services if you require any assistance.
You should also encourage your clients, your family and your friends to change their passwords on any and all websites that contain sensitive data. (Provided, of course, that the website has released a statement to assure you that they have patched the vulnerability).
Stay vigilant. Monitor your credit card statements and bank activity to identify and report any unauthorized activity.
More information is available at www.heartbleed.com
Article originally posted in the atmail newsletter.