Published on 15/04/2014 | Written by Newsdesk
Recent evidence suggests that the Heartbleed vulnerability is something business should be genuinely concerned about…
Analysts at Ovum are calling the Heartbleed OpenSSL vulnerability, which has the potential to expose sensitive user data, “the most dangerous and potentially damaging” of SSL and TLS protocol breaches.
Principal analyst for infrastructure and software at Ovum, Andrew Kellett, says: “For businesses there are two sides to the problem. Organisations can become victims if sensitive information and credentials are exposed during online transactions, and they can be part of the problem if their own use of unpatched OpenSSL facilities puts customers, clients, and business partners at risk.”
According to a new blog post by Symantec’s technical director for security technology and response, Eric Chien, while most popular public websites are no longer vulnerable, the OpenSSL protocol is used across the internet and extends beyond pure web servers, making client software (such as web clients, email clients, chat clients, FTP clients, mobile applications, VPN clients and software updaters) vulnerable too – although Chien suggests it may be difficult to exploit them in real-world scenarios.
“In addition, Heartbleed affects proxies, media servers, game servers, database servers, chat servers and FTP servers. Finally, hardware devices are not immune to the vulnerability,” he says. “It can affect routers, PBXes (business phone systems) and likely numerous devices in the internet of things.”
Although fixes and patches are available, the extensive use of the OpenSSL protocol means the Heartbleed breach is “a big problem” according to Kellett.
“It will be very difficult to fix and to be sure that the problem has been cleared and gone away. Even after internet website vulnerability patches have been applied, it will be difficult for consumers and business users to know if the facilities they are using have been updated and are safe. It will also be difficult to know whether previous transactions undertaken before fixes were applied have put personal data, identity information, and user credentials at risk.”
Symantec is offering the following advice:
Advice for businesses:
- Anyone using OpenSSL 1.0.1 through 1.0.1f should update to the latest fixed version of the software (1.0.1g), or recompile OpenSSL without the heartbeat extension
- After moving to a fixed version of OpenSSL, if you believe your web server certificates may have been compromised or stolen as a result of exploitation, contact the certificate authority for a replacement
- Finally, and as a best practice, businesses should also consider resetting end-user passwords that may have been visible in a compromised server memory
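The first item above turns on knowing which OpenSSL build a host is running. The following script is an added illustration, not part of the article or Symantec's advice: it classifies the string that `openssl version` prints against the range named above (1.0.1 through 1.0.1f, fixed in 1.0.1g). One caveat a practitioner needs: some distributions backport the fix while keeping the old version string, so an "in-range" result from the string alone means "check the package changelog or vendor advisory", not "confirmed vulnerable". The function and output labels are this example's own, and the sample version strings are constructed.

```shell
#!/bin/sh
# Added example (not from the article): classify an OpenSSL version string
# against the Heartbleed advisory range the article quotes.
#
# Accepts either the full line "openssl version" prints
# (e.g. "OpenSSL 1.0.1e 11 Feb 2013", a constructed sample) or a bare
# version token such as "1.0.1g". Echoes one of:
#   in-range        1.0.1 through 1.0.1f: patch to 1.0.1g or rebuild without
#                   the heartbeat extension, unless the vendor backported the fix
#   fixed-upstream  1.0.1g or later in the 1.0.1 line
#   outside-range   any other line; consult the vendor advisory for that build
heartbleed_status() {
    ver=${1#OpenSSL }      # drop the "OpenSSL " prefix if present
    ver=${ver%% *}         # keep only the version token, drop the build date
    case "$ver" in
        1.0.1[g-z]*) echo "fixed-upstream" ;;
        1.0.1|1.0.1[a-f]*) echo "in-range" ;;
        *) echo "outside-range" ;;
    esac
}

# Convenience wrapper for the local host: reports the status of whatever
# "openssl" binary is first on PATH, or "no-openssl" if none is found.
check_local_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        heartbleed_status "$(openssl version)"
    else
        echo "no-openssl"
    fi
}

# Usage: run the script directly to check the local binary.
# A result of "in-range" should be followed by a package changelog check,
# because a distribution may have backported the fix into 1.0.1e.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    check_local_openssl
fi
```

Run the script as-is to check the local binary, or call `heartbleed_status` on version strings collected from an inventory. Treat "in-range" as a prompt to verify with the vendor's package metadata rather than as a final verdict, for the backport reason given above.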
Advice for consumers:
- You should be aware that your data could have been seen by a third party if you used a vulnerable service provider
- Monitor any notices from the vendors you use. Once a vulnerable vendor has communicated to customers that they should change their passwords, users should do so
- Avoid potential phishing emails from attackers asking you to update your password – to avoid going to an impersonated website, stick with the official site domain
- Stick to reputable websites and services. They are most likely to have immediately addressed the vulnerability
- Monitor your bank and credit card statements to check for any unusual transactions
In addition you might want to:
- Avoid visiting unknown domains with any client software that accepts Heartbeat messages using the vulnerable OpenSSL libraries
- Stop using proxy services that have not been patched
- Update software and hardware as vendors make patches available
- Use a VPN client and service confirmed as not vulnerable to Heartbleed when on public networks