April 9th 2014
A number of technology firms are urging web users to change all of their passwords to avoid their data being compromised. However, this may not be the best advice until thousands of 'everyday' websites have been protected by a new fix.
The problem – which could affect all of us – follows the discovery that some versions of OpenSSL – a security package used to safeguard data – contain a bug that can be exploited to read the very data the software is meant to protect. The vulnerability enables cybercriminals to steal the cryptographic keys used to secure ecommerce and web connections. Hundreds of thousands of web and email servers worldwide may be affected.
OpenSSL is the most common technology used to secure websites. It enables web servers to securely send the visitor an encryption key that is then used to protect all other information coming to and from the server, protecting online shopping, banking and other secure services.
Heartbleed enables attackers to read the confidential encrypted data and also steal the encryption keys used to secure the data. Even servers that fix the bug using the patch supplied by OpenSSL must also replace all of their keys, or risk remaining vulnerable.
Security group Codenomicon, which discovered the flaw, claims that the bug can cause servers to leak other information stored on the server which would not normally be available at all, for example providing the ability to see searches made by other users on search engines. This, says Codenomicon, effectively makes servers vulnerable to Heartbleed less secure than they would be if they had no encryption whatsoever.
Changing passwords, which should normally be done periodically as good practice, is probably not the answer yet, as any new password you change to could still be exposed until the problem is fixed on the servers the affected websites use. However, you should be extra vigilant and check for unusual activity on your online accounts: banking, shopping and anything else that involves payments or private information.
Symantec's advice is as follows:
– You should be aware your data could have been seen by a third party if you used a vulnerable service provider.
– Monitor any notices from the vendors you use. Once a vulnerable vendor has communicated to you that you should change your passwords, you should do so.
– Avoid potential phishing emails from attackers asking you to update your password – to avoid going to an impersonated website, stick with the official site domain.
– Anyone using OpenSSL 1.0.1 through 1.0.1f should update to the latest fixed version of the software (1.0.1g), or recompile OpenSSL without the heartbeat extension.
– Replace the certificate on your web server after moving to a fixed version of OpenSSL.
– Finally, and as a best practice, you should also consider resetting end-user passwords that may have been visible in a compromised server memory.
The versions of OpenSSL that are vulnerable are 1.0.1 through 1.0.1f (inclusive). Version 1.0.1g and the 1.0.0 and 0.9.8 branches are not affected.
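A small triage helper for the version range given above, added here as an illustration rather than code from the article or from OpenSSL itself. It parses the string printed by `openssl version` (the sample strings are constructed for the example) and reports whether the number falls in 1.0.1 through 1.0.1f; it cannot see whether a vendor backported the fix or built without the heartbeat extension, so a "vulnerable" result means "check further", not "confirmed".

```python
import re
import subprocess
from typing import Optional, Tuple

# Vulnerable range stated in the article: 1.0.1 through 1.0.1f inclusive.
# OpenSSL orders patch releases by letter: 1.0.1 < 1.0.1a < ... < 1.0.1f < 1.0.1g.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)\b")


def parse_openssl_version(text: str) -> Optional[Tuple[int, int, int, str]]:
    """Extract (major, minor, fix, letter) from text like 'OpenSSL 1.0.1e 11 Feb 2013'."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def is_heartbleed_vulnerable_version(text: str) -> bool:
    """True when the version number lies in 1.0.1 .. 1.0.1f (inclusive).

    Version-number check only: a distribution may backport the fix without
    changing the number, and a 1.0.1 build compiled without the heartbeat
    extension is also not affected. Treat True as 'investigate', not 'proven'.
    """
    parsed = parse_openssl_version(text)
    if parsed is None:
        raise ValueError(f"no OpenSSL version found in: {text!r}")
    major, minor, fix, letter = parsed
    if (major, minor, fix) != (1, 0, 1):
        return False          # 1.0.0 branch, 0.9.8 branch, 1.0.2 and later
    # Empty suffix is the initial 1.0.1 release; letters a..f are the affected patch levels.
    return letter <= "f"


def local_openssl_version() -> str:
    """Return the first line printed by the local `openssl version` command."""
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    # Constructed sample strings in the format `openssl version` prints.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 0.9.8y 5 Feb 2013"):
        print(f"{sample!r}: vulnerable range = {is_heartbleed_vulnerable_version(sample)}")
    try:
        local = local_openssl_version()
        print(f"local {local!r}: vulnerable range = {is_heartbleed_vulnerable_version(local)}")
    except (FileNotFoundError, subprocess.CalledProcessError, ValueError) as exc:
        print(f"could not check local openssl: {exc}")
```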
Image credit: Codenomicon