TrainACE - IT and Cybersecurity Training Blog

Using OpenSSL? Heartbleed Bug may be affecting you now.

Apr 9, 2014 10:45:08 AM / by Christian Crank

Security researchers have recently discovered a major vulnerability in widely used encryption software that could expose the private data of millions of people around the globe. OpenSSL is cryptographic software used by millions of websites across the internet to encrypt communications between users and webpages. That data is now at risk because of the vulnerability, which is causing major concern for end-users and website owners alike. More than half a million websites are currently at risk.

The “Heartbleed Bug” (formally CVE-2014-0160; CVE stands for Common Vulnerabilities and Exposures, the standard for information security vulnerability names) enables a user to read the memory of systems protected by vulnerable versions of OpenSSL software. The bug specifically affects the TLS/DTLS (transport layer security protocols) heartbeat extension. The resulting memory leak exposes information to the other end of the connection, in either direction (server to client or client to server). Encryption keys are among the data leaked, permitting anyone who obtains them to impersonate services at will. The bug also allows leakage of usernames and passwords, private communication, and details such as memory addresses and security measures that would otherwise protect against certain attacks. OpenSSL has quickly released a fix for this vulnerability, though many companies and users have not yet upgraded their systems. It is imperative that everyone take this vulnerability very seriously, since the bug leaves no traces of abnormality in log data.
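The memory read described above happens when a heartbeat responder trusts the payload length a peer claims instead of the number of bytes that actually arrived. The C code below is an added example, not OpenSSL's code or code from the original post: it shows the bounds check a responder needs under RFC 6520, with `hb_respond` as a hypothetical function name and both sample records constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request, RFC 6520 */
#define HB_RESPONSE 2   /* heartbeat_response, RFC 6520 */
#define HB_HDR      3   /* 1-byte type + 2-byte payload_length */
#define HB_PADDING  16  /* RFC 6520 requires at least 16 padding bytes */

/* Constructed sample records: 3-byte header, "ping", 16 zero padding bytes. */
static const uint8_t HB_HONEST[23]   = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
/* Same 23 bytes on the wire, but the header claims a 0x4000-byte payload. */
static const uint8_t HB_OVERLONG[23] = {HB_REQUEST, 0x40, 0x00, 'p', 'i', 'n', 'g'};

/* hb_respond (hypothetical name): echo the payload of one received heartbeat
 * record. Returns the response length, or 0 when the request is discarded. */
size_t hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_PADDING || rec[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t needed = HB_HDR + claimed + HB_PADDING;
    /* The decisive check: the claimed payload must fit inside the bytes that
     * actually arrived. Without it, the copy below would read past the record
     * into adjacent process memory. RFC 6520 says to discard silently. */
    if (needed > rec_len || needed > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);
    memset(out + HB_HDR + claimed, 0, HB_PADDING); /* real stacks use random padding */
    return needed;
}

int main(void)
{
    uint8_t out[64];
    printf("honest:   %zu bytes\n", hb_respond(HB_HONEST, sizeof HB_HONEST, out, sizeof out));
    printf("overlong: %zu bytes\n", hb_respond(HB_OVERLONG, sizeof HB_OVERLONG, out, sizeof out));
    return 0;
}
```

The silent discard also explains why nothing shows up in logs: a responder without the check answers the overlong request like any other heartbeat.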

Though this vulnerability is a major event, you can take action now to prevent damage. Want to see if a specific website you use could be affected by the vulnerability? Use Filippo Valsorda's tool to find out. Additionally, if you’d like more information on this bug, make sure to read about it on the official website.
