Computer Security Technology Ltd

May 26, 2014

Heartbleed: what to do next

A new type of vulnerability has been receiving a huge amount of media attention in recent weeks. So what are the threats posed by Heartbleed and what can users do to protect themselves?

When the news of Heartbleed broke a few weeks ago, business owners understandably started to panic. The OpenSSL vulnerability was seen by many as a significant blow for both web security and the concept of open source development.

While the scare has since died down a little, some businesses still have some work to do to ensure safety. So what is it all about and what needs to be done to mitigate the risks?

A security cock-up - not a virus

You cannot ‘catch’ Heartbleed as such. Despite reports of this threat being a ‘virus’ or a ‘hack’, it was basically a security cock-up at internet level which left lots of private internet data vulnerable.

Digital Spy described it as follows: "Imagine the internet is a castle and SSL/TLS encryption is a part of the wall and moat around it used to keep out invaders. A mistake by a German software programmer basically left a small door open in the wall for invaders to get in."

When the vulnerability was first highlighted, very few people knew it existed, meaning the risks were relatively low. Now it’s been spread across the world’s news outlets, however, more hackers will be looking to capitalise.

Companies first need to check whether their OpenSSL versions are affected. Firms running OpenSSL 0.9.8 or 1.0.0 are not impacted by the discovery and can carry on without taking any action. Those running any version from OpenSSL 1.0.1 up to and including 1.0.1f can’t afford to sit around.

Once they know they have been affected, companies must update to the most recent version of OpenSSL, and only then revoke any cryptographic keys that may have been compromised and reissue their X.509 certificates with new ones. The order matters: a certificate reissued on a still-unpatched server is exposed all over again.

By now, most IT firms will have released bug fixes for their products, so CIOs should make sure their software, operating systems and devices are patched accordingly. Once all of this has been done, companies need to advise all users - internal and external - to create new passwords; only then can safety be assumed.
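The first step above, checking whether the installed OpenSSL falls in the affected range, is easy to get wrong by eye, so here is a small shell helper for it. This is an added example, not code from the CSTL article: it classifies an `openssl version` string against the 1.0.1 to 1.0.1f range the article names and prints the next remediation step. One caveat the version string cannot capture: several Linux distributions fixed Heartbleed by backporting the patch without changing the upstream version number, so an "affected" verdict here is a prompt to check the vendor package changelog, not proof of exposure.

```shell
#!/bin/sh
# Added example (not from the CSTL article): classify an OpenSSL version string
# against the Heartbleed-affected release range the article states, 1.0.1 to 1.0.1f.
# Only those release versions are classified; pre-release builds are not considered.
# Caveat: distributions that backported the fix keep the old version string, so an
# "affected" result must be confirmed against the vendor's package changelog.

# Extract the "major.minor.patch[letter]" token from a string such as
# "OpenSSL 1.0.1e 11 Feb 2013". Prints the token, e.g. "1.0.1e".
openssl_version_token() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Return 0 (true) if the version lies in 1.0.1 .. 1.0.1f, else 1.
is_vulnerable_openssl() {
    tok=$(openssl_version_token "$1")
    case "$tok" in
        1.0.1|1.0.1[a-f]) return 0 ;;   # 1.0.1 base release and letters a-f: affected
        *) return 1 ;;                   # 0.9.8x, 1.0.0x, 1.0.1g and later: not affected
    esac
}

# Human-readable verdict on stdout so the caller can log it.
heartbleed_verdict() {
    if is_vulnerable_openssl "$1"; then
        printf 'AFFECTED (%s): update OpenSSL, then revoke and reissue certificates\n' \
            "$(openssl_version_token "$1")"
    else
        printf 'not affected (%s)\n' "$(openssl_version_token "$1")"
    fi
}

# Stand-alone use: inspect the locally installed library, if one is present.
if command -v openssl >/dev/null 2>&1; then
    heartbleed_verdict "$(openssl version)"
fi
```

Run it on each server that terminates TLS, or feed it version strings collected by your configuration management tool; the functions only parse text, so they work on a workstation with no OpenSSL installed.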

It is worth pointing out that with most security risks, the user can normally do something about it themselves. With the Heartbleed issue, however, the user is pretty much powerless: it is the business that owns the website that has to apply the fix. To return to the castle analogy, the visitor on market day can keep coming to the castle to do his usual business, thinking he is safe from the bad guys, while the bad guys remain free to wander in through the hole in the wall and ambush him. It is the castle’s builder who has to get the wall fixed!

More worryingly, because the vulnerability could allow the bad guys to access users’ passwords and user IDs, other sites those users visited could be breached too: NOT because those other sites are vulnerable, but because users, through habit, reuse the same password across different sites.

If you are concerned about keeping your web site secure and safe, please READ OUR WEB SECURITY ADVICE.