How to stay protected from Heartbleed and other OpenSSL flaws

The Anatomy of Heartbleed
To understand what risks the Heartbleed flaw presents to your business, it's important to understand what the problem really is.

Heartbleed is the name of a specific flaw that was found in OpenSSL, an open source library. This library gives programs and systems a way of using the SSL and TLS communications protocols. The distinction is important: it is OpenSSL, not the protocols themselves, that is flawed.

Many programs send a repeated signal to the systems they communicate with so that the other system knows everything is working correctly. This is called a heartbeat. Think of it as being like the beep a cardiogram machine makes in a hospital, telling everyone that the patient's heart is beating correctly.

Heartbleed is a memory-handling flaw in the OpenSSL software that allows up to 64 KB of data to be read from the server's memory with each heartbeat. In other words, there was a small data "bleed" with each heartbeat. Hence the name, Heartbleed.
</gra_replace>
<gr_insert after="10" cat="add_content" lang="c" orig="Heartbleed is a memory">
To make the "memory-handling flaw" concrete, here is an added example that is not code from the article or from OpenSSL. It models a heartbeat handler over a constructed 4 KB array standing in for process memory, with a constructed secret planted after the received record. The vulnerable handler trusts the peer's declared payload length; the fixed handler applies the bounds check that OpenSSL 1.0.1g added, rejecting any request whose declared payload does not fit inside the bytes that actually arrived. Function names, the buffer layout and the planted value are all assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of padding follow the payload */
#define HB_HEADER   3    /* type (1 byte) + payload_length (2 bytes, big-endian) */

/* Constructed stand-in for process memory (4 KB): the heartbeat record sits
 * at offset 0 and unrelated connection state follows it, as it would on the heap. */
#define MEM_SIZE 4096
static unsigned char process_memory[MEM_SIZE];

/* Constructed secret planted after the record, standing in for a session
 * cookie or key material that happens to live nearby in memory. */
static const char PLANTED_SECRET[] = "session_cookie=constructed-value-1234";
#define SECRET_OFFSET 512

/* Write a heartbeat request at offset 0. `claimed` is the payload_length field
 * sent on the wire; `actual` is how many payload bytes really follow the
 * header. Returns the true length of the record that arrived. */
size_t build_request(uint16_t claimed, size_t actual)
{
    memset(process_memory, 'x', MEM_SIZE);                      /* filler */
    process_memory[0] = HB_REQUEST;
    process_memory[1] = (unsigned char)(claimed >> 8);
    process_memory[2] = (unsigned char)(claimed & 0xff);
    memset(process_memory + HB_HEADER, 'P', actual);             /* payload */
    memset(process_memory + HB_HEADER + actual, 0, HB_PADDING);  /* padding */
    memcpy(process_memory + SECRET_OFFSET, PLANTED_SECRET, sizeof PLANTED_SECRET);
    return HB_HEADER + actual + HB_PADDING;
}

/* Vulnerable handler: believes payload_length and copies that many bytes into
 * the reply without ever comparing it with rec_len (the bytes that arrived). */
size_t vulnerable_response(size_t rec_len, unsigned char *out, size_t out_cap)
{
    uint16_t payload = (uint16_t)((process_memory[1] << 8) | process_memory[2]);
    size_t n = payload;
    (void)rec_len;                                  /* the bug: never consulted */
    /* Keep the simulation inside process_memory; the real code had no such
     * cap and read whatever followed the record on the heap. */
    if (n > MEM_SIZE - HB_HEADER) n = MEM_SIZE - HB_HEADER;
    if (n > out_cap) n = out_cap;
    memcpy(out, process_memory + HB_HEADER, n);
    return n;
}

/* Fixed handler: the bounds check added in OpenSSL 1.0.1g. A request whose
 * declared payload, plus header and minimum padding, exceeds the received
 * record length is silently discarded. */
size_t fixed_response(size_t rec_len, unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING) return 0;       /* too short to be valid */
    uint16_t payload = (uint16_t)((process_memory[1] << 8) | process_memory[2]);
    if (HB_HEADER + (size_t)payload + HB_PADDING > rec_len) return 0;
    if (payload > out_cap) return 0;
    memcpy(out, process_memory + HB_HEADER, payload);
    return payload;
}

/* Returns 1 if `needle` appears anywhere in buf[0..len). */
int contains(const unsigned char *buf, size_t len, const char *needle)
{
    size_t nlen = strlen(needle);
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(buf + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Malformed request: 5 payload bytes present, 65535 declared. */
int leaks_with_vulnerable_handler(void)
{
    static unsigned char out[MEM_SIZE];
    size_t rec_len = build_request(65535, 5);
    size_t n = vulnerable_response(rec_len, out, sizeof out);
    return contains(out, n, PLANTED_SECRET);
}

int leaks_with_fixed_handler(void)
{
    static unsigned char out[MEM_SIZE];
    size_t rec_len = build_request(65535, 5);
    size_t n = fixed_response(rec_len, out, sizeof out);
    return contains(out, n, PLANTED_SECRET);
}

/* Well-formed request: the fixed handler must still echo all 5 payload bytes. */
size_t fixed_handler_echo_length(void)
{
    static unsigned char out[MEM_SIZE];
    size_t rec_len = build_request(5, 5);
    return fixed_response(rec_len, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaks planted secret: %d\n", leaks_with_vulnerable_handler());
    printf("fixed handler leaks planted secret:      %d\n", leaks_with_fixed_handler());
    printf("fixed handler echoes valid request of %zu bytes\n", fixed_handler_echo_length());
    return 0;
}
```

The single missing comparison between the declared length and the received length is the whole defect: the fixed handler changes nothing for well-formed heartbeats and simply drops the malformed one, which is why the patch could be deployed without affecting legitimate clients.
<test>
assert(leaks_with_vulnerable_handler() == 1);
assert(leaks_with_fixed_handler() == 0);
assert(fixed_handler_echo_length() == 5);
</test>
</gr_insert>
<gr_replace lines="14" cat="clarify" orig="For example, if a malicious">
For example, if a malicious party exploited Heartbleed to capture an encryption key, they could use it to execute a man-in-the-middle attack to capture and decrypt data.

By reading this piece of data, hackers could eavesdrop and capture information such as passwords, private encryption keys and other data that could then be used to compromise systems.

For example, if a malicious party exploited Heartbleed to capture an encryption key they could use to execute a man-in-the-middle attack to capture and decrypt data.

If a website relied on SSL to protect a cookie exchanged between a user and a server, that cookie could be intercepted and the user's identity for that service could be hijacked.

For example, if a user was accessing a business system that used OpenSSL, a hacker could steal the cookie and then log in to that system using the data in the cookie and carry out malicious activity while pretending to be the affected user.

What does all this mean? Any system that relied on OpenSSL to secure data transmission using SSL and TLS was vulnerable to attack. Once a malicious party had access to the data that leaked through Heartbleed, they could use it to infiltrate systems and exfiltrate data.

How did Heartbleed happen? After all, it's an open source code library that is looked at by many people. Surely someone must have noticed that there was a problem?

There's a maxim in open-source development that says "given enough eyeballs, all bugs are shallow". In other words, when there are lots of programmers involved in a project, as is the case in open-source development, bugs are found and remedied quickly as the number of people looking at the code is so large.

According to security consultant Dan Klein, one of the problems was a lack of discipline in the developer community. He recently said, "When you look at the Heartbleed bug, and you look at the SSL code, it's incomprehensible, uncommented and untested. There are no unit tests. Why aren't the tests there before the code is released?"


Stories by Anthony Caruana
