The Anatomy of Heartbleed
To understand what risks the Heartbleed presents to your business it's important to understand what the problem really is.
Heartbleed is the name of a specific flaw that was found in the OpenSSL library of open source programs. This library of programs provides programs and systems with a way of using the SSL and TSL communications protocols. This distinction is important, as it's OpenSSL and not the protocols themselves that are flawed.
Many programs send a repeated signal to systems that they operate with so that the other system knows everything is working correctly. This is called a heartbeat. Think of it as being like the bing a cardiogram machine makes in a hospital telling everyone that the patient's heart is beating correctly.
Heartbleed is a memory-handling flaw in the OpenSSL software that allows up to 64kb of data to be intercepted with each heartbeat. In other words, there was a small data "bleed" with each heartbeat. Hence the name, Heartbleed.
By reading this piece of data, hackers could eavesdrop and capture information such as passwords, private encryption keys and other data that could then be used to compromise systems.
For example, if a malicious party exploited Heartbleed to capture an encryption key they could use to execute a man-in-the-middle attack to capture and decrypt data.
If a website used a cookie that was protected with SSL when used in communications between a user and a server, that cookie could be intercepted and the user's identity for that service could be hijacked.
For example, if a user was accessing a business system that used OpenSSL, a hacker could steal the cookie and then log-in to that system using the data in the cookie and carry out some malicious activity, pretending to be the exploited user.
What does all this mean? Any system that relied on OpenSSL to secure data transmission using SSL and TLS was vulnerable to attack. Once a malicious party had access to the data that leaked through Heartbleed, they could use it infiltrate systems and exfiltrate data.
How did Heartbleed happen? After all, it's an open source code library that is looked at by many people. Surely someone must have noticed that there was a problem?
There's a maxim in open-source development that says "given enough eyeballs, all bugs are shallow". In other words, when there are lots of programmers involved in a project, as is the case in open-source development, bugs are found and remedied quickly as the number of people looking at the code is so large.
According to security consultant Dan Klein one of the problems was a lack of discipline in the developer community. He recently said, “When you look at the Heartbleed bug, and you look at the SSL code, it’s incomprehensible, uncommented and untested. There are no unit tests. Why aren’t the tests there before the code is released?”
Featured Zone: Symantec : Architecting a Cyber Resillient Organisation
Download the Internet Security Threat Report 2014
Hear from Ajoy Ghosh(GM Security & Risk @ Transport for NSW) on "the State of Security Intelligence"
Read about the Top 10 Tips for Cyber Resillience