This week the technology world is abuzz with news of the newest security threat: a programming error in OpenSSL called Heartbleed. Unless users have been living under a rock for the past few days, they have undoubtedly heard about the issue, and many are concerned about how to secure their computing systems.
Heartbleed: What is it?
Heartbleed, tracked as CVE-2014-0160, is a flaw that security researchers recently found in the widely used OpenSSL cryptographic library. It is not a weakness in the encryption itself but a missing bounds check in OpenSSL's implementation of the TLS heartbeat extension: a client can send a heartbeat request that claims a larger payload than it actually carries, and a vulnerable server answers by copying that many bytes out of its own memory, up to 64 KB per request, with no limit on how often the request can be repeated. The returned bytes are whatever happened to be in memory, which can include session cookies, passwords in flight and the server's private key. The bug was introduced in OpenSSL 1.0.1 in March 2012 and so sat in the library for about two years before it was found; versions 1.0.1 through 1.0.1f are affected, and 1.0.1g fixes it. Any service that links a vulnerable version with the heartbeat extension enabled is exposed, not only web servers but also mail, VPN and chat servers built on OpenSSL.
“The Heartbleed bug allows anyone on the Internet to read the memory of systems protected by the vulnerable versions of the OpenSSL software,” stated Heartbleed.com. “This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
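The missing check is easiest to see in code. The following is an added example written for this page, not OpenSSL's own source: a simplified model of the RFC 6520 heartbeat handler, with the vulnerable logic beside the length check that OpenSSL 1.0.1g added. The struct, function and buffer names are illustrative, and the "secret" planted after the record is constructed for the demo to stand in for neighbouring heap data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL source: a simplified model of the RFC 6520
 * heartbeat handler showing the missing bounds check behind Heartbleed
 * (CVE-2014-0160) and the check that OpenSSL 1.0.1g added.
 * Message layout: type (1 byte), payload_length (2 bytes, big-endian),
 * payload_length bytes of payload, then at least 16 bytes of padding.
 * Both handlers return the response length, or -1 if the request is dropped. */

#define PADDING_LEN 16
#define ARENA_SIZE 256

/* The received record sits at the start of `arena`; the bytes after it stand
 * in for whatever else is on the heap (keys, cookies, other users' data). One
 * array keeps the over-read well-defined C; real OpenSSL read past the record. */
typedef struct {
    unsigned char arena[ARENA_SIZE];
    size_t record_len;   /* bytes the record layer actually received */
} tls_conn;

/* Build a request whose length field says `claimed_len` but which carries only
 * `actual_len` real bytes, then plant a constructed secret just past the record. */
void build_conn(tls_conn *c, uint16_t claimed_len, const char *payload,
                size_t actual_len, const char *secret)
{
    unsigned char *p = c->arena;
    memset(p, 0, ARENA_SIZE);
    p[0] = 1;                                  /* heartbeat_request */
    p[1] = (unsigned char)(claimed_len >> 8);
    p[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(p + 3, payload, actual_len);
    memset(p + 3 + actual_len, 0xAA, PADDING_LEN);
    c->record_len = 3 + actual_len + PADDING_LEN;
    memcpy(p + c->record_len, secret, strlen(secret));
}

/* Vulnerable (OpenSSL 1.0.1 .. 1.0.1f): trusts the attacker-controlled
 * length field and copies that many bytes from the record buffer. */
int heartbeat_vulnerable(const tls_conn *c, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = c->arena;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    /* Demo-only guards so the read stays inside `arena`; the original code
     * had no limit and would read up to 64 KiB past the record. */
    if (3 + (size_t)payload_len > ARENA_SIZE) return -1;
    if (3 + (size_t)payload_len + PADDING_LEN > out_cap) return -1;
    out[0] = 2;                                /* heartbeat_response */
    out[1] = p[1];
    out[2] = p[2];
    memcpy(out + 3, p + 3, payload_len);       /* reads past record_len */
    memset(out + 3 + payload_len, 0xBB, PADDING_LEN);
    return 3 + payload_len + PADDING_LEN;
}

/* Fixed (OpenSSL 1.0.1g): compare the claimed length with the length the
 * record layer actually received and silently discard on mismatch, as
 * RFC 6520 section 4 requires. */
int heartbeat_fixed(const tls_conn *c, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = c->arena;
    uint16_t payload_len;
    if (1 + 2 + PADDING_LEN > c->record_len) return -1;
    payload_len = (uint16_t)((p[1] << 8) | p[2]);
    if (1 + 2 + (size_t)payload_len + PADDING_LEN > c->record_len) return -1;
    if (3 + (size_t)payload_len + PADDING_LEN > out_cap) return -1;
    out[0] = 2;
    out[1] = p[1];
    out[2] = p[2];
    memcpy(out + 3, p + 3, payload_len);
    memset(out + 3 + payload_len, 0xBB, PADDING_LEN);
    return 3 + payload_len + PADDING_LEN;
}

/* Returns 1 if the planted secret appears anywhere in the response. */
int response_leaks(const unsigned char *out, int out_len, const char *secret)
{
    size_t n = strlen(secret), i;
    if (out_len < 0) return 0;
    for (i = 0; i + n <= (size_t)out_len; i++)
        if (memcmp(out + i, secret, n) == 0) return 1;
    return 0;
}

int main(void)
{
    tls_conn c;
    unsigned char out[ARENA_SIZE + PADDING_LEN + 3];
    const char *secret = "SESSION_KEY=deadbeef";   /* constructed for the demo */
    int n;
    build_conn(&c, 128, "hi", 2, secret);   /* claims 128 bytes, sends only 2 */
    n = heartbeat_vulnerable(&c, out, sizeof out);
    printf("vulnerable: %d-byte response, secret leaked: %s\n", n,
           response_leaks(out, n, secret) ? "yes" : "no");
    printf("fixed: %d (-1 = discarded)\n", heartbeat_fixed(&c, out, sizeof out));
    build_conn(&c, 2, "hi", 2, secret);     /* honest request still answered */
    printf("fixed, honest request: %d-byte response\n",
           heartbeat_fixed(&c, out, sizeof out));
    return 0;
}
```

The only difference between the two handlers is the comparison of the claimed payload length against `record_len`, the length the TLS record layer actually delivered. The vulnerable handler echoes 128 bytes for a 2-byte payload and the planted secret comes back with them; the fixed handler drops the request without a response, exactly as the patch does, while an honest request is still answered.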
Current impact of Heartbleed
While experts cannot yet estimate every system that may be affected, one security researcher recently scanned the Internet for the flaw and made a startling discovery. Of roughly 28 million hosts that accepted SSL/TLS connections, approximately 600,000 were vulnerable to Heartbleed. Although about one-third of those hosts have since been patched, that still leaves a considerable number of servers that could be exposing data to cybercriminals.
Furthermore, experts worry not only about the number of machines that may have been compromised but about how the flaw will be exploited by criminals, nation-states and other groups. Because a malicious heartbeat is handled entirely inside the TLS layer, exploitation leaves nothing in ordinary server logs, so most operators cannot tell whether they were attacked before the flaw became public.
“Certainly, nation-states will have the best capability to quickly weaponize this vulnerability for large-scale exploitation,” said security expert Bruce Schneier.
How to protect against Heartbleed
For these reasons, it is important that website operators, enterprises and individuals take concrete steps to protect themselves from this flaw.
The first step is to upgrade OpenSSL on every affected system to 1.0.1g or later (or to a distribution package that backports the fix, which may keep an older version number) and then restart every service that loaded the old library, because a running process keeps the vulnerable code in memory until it restarts; rebuilding with -DOPENSSL_NO_HEARTBEATS is a stopgap where an upgrade is not yet available. Because private keys may already have been read out of memory, administrators should then generate new private keys, obtain new certificates for those keys and revoke the old certificates; reissuing a certificate for the same key gains nothing. Session cookies, API tokens and other secrets that were in server memory should be invalidated as well. Organizations that protect servers with reboot-to-baseline software such as Deep Freeze Server need to update the frozen baseline itself with the patched OpenSSL, since otherwise every reboot restores the vulnerable library. Decision makers can also deploy monitoring for suspicious activity, bearing in mind that a Heartbleed request never appears in ordinary web server logs, so detection depends on network-level inspection for oversized heartbeat records rather than on application logs.
Users should check that the websites holding their personal accounts have fixed the issue and replaced their certificates before changing passwords: a new password entered on a still-vulnerable site can be stolen the same way as the old one. Once a site confirms it is patched, change the password there immediately, and on any other site where the same password was reused.