Does your heart bleed with this bug?



There was a bug in a single line of code that nobody noticed for just over two years: it shipped in OpenSSL 1.0.1 in March 2012 and was disclosed in April 2014. How does that happen? Much of the internet's plumbing was built on trust. A peer sends a message along with a field saying how long the message is, and the receiving code simply believed that field. Think of it as both sides holding the same key: the arrangement only works as long as neither side uses the key to rummage through the other's belongings.

Think of it more like going away for a few days and giving a neighbour your key so they can feed the cat. You hand over the key on trust. In this case, that same key can be used to get at information the holder was never meant to see.

Technically, what does it mean?

Heartbleed is a flaw in OpenSSL, the open-source cryptographic library that a large share of websites use to protect data in transit. OpenSSL implements SSL and its successor protocol, TLS (Transport Layer Security). It is what gives you an encrypted channel when you load an HTTPS page, send an email or chat on IM.

Heartbleed (CVE-2014-0160) was disclosed in April 2014 and affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g fixes it. The flaw sits in the TLS heartbeat extension: a peer sends a small keep-alive payload together with a length field, and the vulnerable code echoes back that many bytes without checking that the record it received is actually that long. Anyone on the Internet who can open a TLS connection to a vulnerable server can therefore read up to 64 KB of the server's process memory per request, with no authentication and no exploit beyond a malformed packet; a malicious server can do the same to a vulnerable client. What comes back is whatever happened to be in memory next to the request: the private keys that identify the service and encrypt the traffic, user names and passwords, session cookies and the actual content of other people's sessions.
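The bounds check described above, shown as an added example that is not OpenSSL's own code: a simulated process memory holds a heartbeat request at offset 0 and a constructed secret a little further on, standing in for whatever sat next to the real record buffer on the heap. The vulnerable handler trusts the peer-supplied payload_length and copies the secret straight into its reply; the fixed handler carries the check that 1.0.1g added and silently discards the record. The memory layout, the secret and the claimed length of 200 are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520):
 *   1 byte   type            (1 = request, 2 = response)
 *   2 bytes  payload_length  (big-endian, chosen by the peer)
 *   n bytes  payload
 *   >= 16 bytes random padding
 */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Simulated process memory (constructed for this example): the received
 * record is placed at offset 0 and a planted secret sits further along. */
#define MEM_SIZE      4096
#define SECRET_OFFSET 64
static unsigned char process_mem[MEM_SIZE];
static const char SECRET[] = "user=alice;session=0xdeadbeef";
/* Response buffer sized for the worst case: 3 + 65535 + 16 bytes. */
static unsigned char response[3 + 0xffff + HB_PADDING];

/* Write a heartbeat request into process_mem with real_len payload bytes but
 * a claimed payload_length of claimed_len. Returns the true record length. */
static size_t place_request(uint16_t claimed_len, const char *payload, size_t real_len) {
    memset(process_mem, 0, sizeof process_mem);
    memcpy(process_mem + SECRET_OFFSET, SECRET, sizeof SECRET - 1);
    unsigned char *rec = process_mem;
    rec[0] = HB_REQUEST;
    rec[1] = (unsigned char)(claimed_len >> 8);
    rec[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(rec + 3, payload, real_len);
    memset(rec + 3 + real_len, 0, HB_PADDING);
    return 3 + real_len + HB_PADDING;
}

/* Vulnerable handler, mirroring OpenSSL 1.0.1 through 1.0.1f: it echoes
 * payload_length bytes starting at the payload without ever comparing that
 * length with the size of the record that actually arrived.
 * Returns the number of response bytes produced. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len) {
    (void)rec_len;                          /* the bug: real length is ignored */
    const unsigned char *p = rec;
    unsigned char type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (type != HB_REQUEST) return 0;
    response[0] = HB_RESPONSE;
    response[1] = (unsigned char)(payload >> 8);
    response[2] = (unsigned char)(payload & 0xff);
    memcpy(response + 3, p, payload);       /* over-read past the record's end */
    memset(response + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Fixed handler, the shape of the 1.0.1g check: a record too short to hold
 * header + claimed payload + padding is silently discarded. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;       /* no room for a header */
    const unsigned char *p = rec;
    unsigned char type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0; /* the missing check */
    if (type != HB_REQUEST) return 0;
    response[0] = HB_RESPONSE;
    response[1] = (unsigned char)(payload >> 8);
    response[2] = (unsigned char)(payload & 0xff);
    memcpy(response + 3, p, payload);       /* now provably inside the record */
    memset(response + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Does a response of resp_len bytes contain the planted secret? */
static int response_leaks_secret(size_t resp_len) {
    size_t n = sizeof SECRET - 1;
    for (size_t i = 0; i + n <= resp_len; i++)
        if (memcmp(response + i, SECRET, n) == 0) return 1;
    return 0;
}

/* Send a malformed request (2 real payload bytes, claimed length 200) to the
 * chosen handler and report whether the secret came back. The claimed length
 * stays well below MEM_SIZE so the simulation never reads outside process_mem. */
static int attack_leaks(int use_fixed) {
    size_t rec_len = place_request(200, "hi", 2);
    size_t n = use_fixed ? heartbeat_fixed(process_mem, rec_len)
                         : heartbeat_vulnerable(process_mem, rec_len);
    return response_leaks_secret(n);
}

/* Honest request: claimed length matches the payload actually sent,
 * so the fixed handler answers normally. Returns the response length. */
static size_t honest_response_len(void) {
    size_t rec_len = place_request(2, "hi", 2);
    return heartbeat_fixed(process_mem, rec_len);
}
```

Note that nothing in the attack is "clever": the only malformed byte is the length field, and the vulnerable handler does exactly what it was asked. On a real server the 64 KB window lands on whatever the allocator placed next to the record, which is why repeated requests eventually turn up keys and credentials.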

The uncomfortable news is that there is no way to tell whether it has been exploited. A heartbeat request is handled inside the TLS layer and is not written to ordinary server logs, so an attack leaves no trace on the server. The absence of evidence is therefore not evidence of absence: an affected site should assume its private keys were exposed, reissue its certificates and revoke the old ones after patching, and have users change their passwords.

Theo de Raadt, the founder of OpenBSD (not of OpenSSL), put it sarcastically after pointing out that OpenSSL wraps the system allocator in its own freelist cache, which defeats the protections a hardened malloc would otherwise have offered: “OpenSSL has exploit mitigation countermeasures to make sure it's exploitable.”

Vulnerabilities and threats come in every shape and form. You need to be prepared with multiple layers of security so that a single zero-day bug, even one in the library you rely on for encryption, does not bring down your organization.
