It was on December 31, 2011, that a piece of flawed code in the Heartbeat Extension was implemented into OpenSSL. This piece of code, which was later to be named the ‘Heartbleed’ bug – or CVE-2014-0160 as it’s known in technical terms – has made headline news throughout the world, invoking a sense of paranoia rather than a genuine understanding of the issues at stake. As with most news stories which are complicated in nature, the general impact is one of fear.
This is quite natural considering our passwords and privacy may have been exposed to third parties, and the fact that very few of us have expert knowledge of the ins-and-outs of OpenSSL software. We need to understand if our fears are legitimate or not, so let’s have a look at what exactly Heartbleed is?
Heartbleed affects OpenSSL. OpenSSL allows your computer to communicate with various websites without information being made available to anyone looking in. Without this, usernames and passwords could be readily exposed, especially on vulnerable mobile devices.
The communication described above, between computer and server is called ‘heartbeat.’ In the past heartbeat only sent back the same info that it received, but with the Heartbleed bug, it can request extra data of up to 64kilobytes. Although this isn’t much, it can keep requesting as much as it feels necessary to extract the amount of information it needs. This is why the bug was dubbed the ‘Heartbleed’ bug.
Business often relies on OpenSSL and has duly rushed to upgrade to OpenSSL 1.0.1g, but it’s hard to assess what damage may have been done or what information might have been stolen.
Businesses often use an Enterprise Mobility Management Solution (EMM) to upgrade their security. Management platforms like MDM or MAM are very popular, and could gain more status in the weeks to come. Users of these services tend to stress that the above solutions must be properly configured for them to work to their full potential. It has been an even bigger concern after April 7, 2014, the day Heartbleed was publicly disclosed.
Modern business is now crammed full of company issued smartphones, tablets and laptops, so awareness of these dangers should be paramount to any organisation which values its security.
Businesses have been updating security certificates en masse due to rare cases of banking apps being hooked up to servers that were vulnerable to attacks.
It was initially thought that around 60% of servers may have been affected, which makes the furore more understandable; now they estimate it may have afflicted around 17% of servers which will be a big relief to a lot of businesses.
We live in a world of complicated technical jargon and we can’t be expected to understand every piece of information we are warned about in the media. What we can do on an everyday level is to change our passwords more regularly and never use the same passwords across a range of different websites. To the everyday user of modern technologies this seems to be the best advice to tackle Heartbleed. Business users should look into EMM solutions on top of Open SSL.
The question we ask is, will Heartbleed affect my business? Well, it could if you’re not up to date with your security patches. However, it should come as a relief that only 17% of servers were actually affected by the Heartbleed bug, but anyone concerned about their mobile phone may want to install patches to Android 4.1.1, which Google claims is the only version of its OS that could be affected.
Heartbleed – Believed To Have Affected 17% Of Servers