Heartbleed could have already exposed your personal data, experts warn

Consumers may well have lost sensitive data without even knowing it due to the high-profile 'Heartbleed' vulnerability discovered this week in the world's most popular software for managing secure e-commerce and other connections.

The vulnerability, officially known as CVE-2014-0160, affects the OpenSSL implementation of the Secure Sockets Layer (SSL) technology used to encrypt data between browsers and Web sites to facilitate the exchange of private information such as passwords and credit card details.

Detected by Google Security's Neel Mehta, the vulnerability stems from poor handling of TLS heartbeat messages, which allows a malicious outsider to pull information from a client system in 64KB chunks, big enough to contain an entire Web page, numerous pages of a document, or even part of a digital image.
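As an added illustration of the "poor handling" described above (constructed for this page, not code from the article or from OpenSSL's source), the C model below shows a heartbeat handler in its vulnerable shape beside the bounds-checked shape, with a small memory arena that counts how many bytes beyond the received record the unchecked handler echoes back. The record layout follows RFC 6520; the function names, the 21-byte sample record and the 'S'-filled arena are assumptions made for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed teaching model of the Heartbleed defect, not OpenSSL's own source.
 * Heartbeat body (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(>=16). */
#define HB_HDR 3
#define HB_PAD 16

/* Vulnerable shape: the copy length is the peer-supplied payload_length field and is
 * never compared with rec_len, so the reply echoes whatever memory follows the record. */
size_t hb_respond_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    (void)rec_len;                                  /* real record length ignored: the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR + payload + HB_PAD > out_cap) return 0;
    out[0] = 2; out[1] = rec[1]; out[2] = rec[2];   /* heartbeat_response, same length field */
    memcpy(out + HB_HDR, rec + HB_HDR, payload);    /* over-read when payload > rec_len - 3 */
    memset(out + HB_HDR + payload, 0, HB_PAD);
    return (size_t)HB_HDR + payload + HB_PAD;
}

/* Hardened shape: drop any record whose claimed payload, header and minimum padding
 * do not fit inside the bytes actually received (the check the 1.0.1g fix added). */
size_t hb_respond_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < (size_t)HB_HDR + HB_PAD) return 0;           /* cannot hold even an empty payload */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR + payload + HB_PAD > rec_len) return 0;  /* the missing bounds check */
    return hb_respond_unchecked(rec, rec_len, out, out_cap);   /* copy now stays inside the record */
}

/* Demo arena: a 21-byte record claiming a 64-byte payload, followed by unrelated "secret"
 * memory ('S'). Returns how many secret bytes each handler leaks into its reply. */
size_t hb_leaked_bytes(int hardened)
{
    uint8_t arena[256], out[256];
    memset(arena, 'S', sizeof arena);
    const uint8_t rec[21] = {1, 0x00, 0x40, 'h', 'i'};     /* type 1, length 64, "hi", 16 zero pad bytes */
    memcpy(arena, rec, sizeof rec);
    size_t n = hardened ? hb_respond_checked(arena, sizeof rec, out, sizeof out)
                        : hb_respond_unchecked(arena, sizeof rec, out, sizeof out);
    size_t leaked = 0;
    for (size_t i = HB_HDR; i < n; i++) if (out[i] == 'S') leaked++;
    return leaked;   /* unchecked: 46; checked: 0 */
}
```

The unchecked handler returns 46 bytes of the surrounding arena for a record that only carries two real payload bytes, while the checked handler rejects the same record and still answers a well-formed one.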

This information could also include the encryption keys that form the basis of Web site security; an analysis by Codenomicon, a group that has published a detailed description of the bug and its implications, calls those keys “the crown jewels” that “...allow the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will.”

“Any protection given by the encryption and the signatures in the X.509 certificates can be bypassed,” the group added. “Recovery from this leak requires patching this vulnerability, revocation of the compromised keys and reissuing and redistributing new keys. Even doing all this will still leave any traffic intercepted by the attacker in the past still vulnerable to decryption.”

OpenSSL's terse security advisory – and its fix for the problem in the release of OpenSSL v1.0.1g – belies the severity of the flaw, which security experts who have seen all manner of vulnerabilities in the past have called a “big deal”.

That's because OpenSSL is the default encryption toolkit for Web servers such as Apache, which single-handedly runs more than half of all active Web sites. The flaw is also more likely to hit Mac OS X and Linux systems, which draw on open-source libraries and are more likely to be running software that uses OpenSSL.

The implications for everyday Web users are significant, according to Ty Miller, principal of security consultancy Threat Intelligence, who warns that the ubiquity of OpenSSL may leave all kinds of devices vulnerable.

“The vulnerability doesn't only affect servers,” he said. “It affects any software that uses the vulnerable version of OpenSSL on your laptop, mobile device, TV, fridge, and so on... Now that the vulnerability has been released and confirmed to be exploitable, publicly available exploits are already being worked on and released. It won't be long before systems are becoming compromised.”

Security enthusiasts were scrambling to quantify the extent of the problem, which is said to have affected 1312 of Alexa's current top 10,000 web sites – ranging from Yahoo, Akamai, NASCAR, Gamespot, Creative Commons, and the Victorian State government to security firms McAfee, Symantec, Avast!, and others.

Website administrators must upgrade their OpenSSL implementation immediately, although experts warn that the need to re-issue digital certificates – a complex and painstaking process – will complicate things significantly.

“If your Web browser or email client uses a vulnerable version of OpenSSL and you visit a malicious SSL server, then you could have data stolen directly from your laptop without even knowing it,” Miller warned. “This could be anything from a photo of your cat through to your banking username and password.”

“Realistically, consumers won't be the direct targets since there is an enormous number of SSL servers on the Internet who will become the first victims. This vulnerability is likely to lead to large scale security breaches of organisations, cloud environments, and Web applications. But the arguably scarier part of this vulnerability is that it doesn't leave a trace.”

Stories by David Braue
