Security experts and vendors are in high demand after the discovery of the Heartbleed bug, a vulnerability in the cryptographic library OpenSSL. This popular tool provides internet communication privacy and security for applications like the web, instant messaging, email, and some private networks.
Codenomicon, a Finland-based security vendor, and a Google researcher discovered the bug on April 4 in the Open Secure Socket Layer, a protocol that encrypts communications between websites and user devices. The pinging of messages back and forth is known as the “heartbeat.” As a result, Codenomicon researchers named the defect “Heartbleed.”
“The Heartbleed bug allows anyone on the web to read the memory of systems protected by vulnerable versions of the OpenSSL software,” says Codenomicon CEO, David Chartier.
The Heartbleed bug compromises the private keys used to identify service providers and encrypt passwords and user names for certain websites. This gives cyber attackers easy access to user and service provider communications, enables data theft, and allows attackers to impersonate users and services.
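The memory disclosure described above comes down to a heartbeat handler that trusts the payload length claimed by the sender instead of the length of the data actually received. The toy model below is an added illustration, not OpenSSL's code or Codenomicon's test: it places a heartbeat record in front of a constructed buffer standing in for adjacent process memory, and shows the unchecked handler echoing that memory back while the corrected handler discards the malformed request.

```python
import struct
from typing import Optional

# Constructed model of a TLS heartbeat record: type(1) | payload_length(2) | payload | padding(16)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING = 16


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Build a heartbeat request whose length field may disagree with the real payload."""
    return bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", claimed_len) + payload + b"\x00" * PADDING


def handle_heartbeat_vulnerable(record: bytes, adjacent_memory: bytes) -> bytes:
    """Trusts the sender's payload_length, so the copy runs past the record into adjacent memory."""
    (payload_len,) = struct.unpack("!H", record[1:3])
    # Model of the over-read: the record sits in front of other process data in the same buffer.
    buf = record + adjacent_memory
    echoed = buf[3:3 + payload_len]
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_len) + echoed


def handle_heartbeat_fixed(record: bytes, adjacent_memory: bytes) -> Optional[bytes]:
    """Corrected check: the claimed payload plus padding must fit inside the record received."""
    if len(record) < 1 + 2 + PADDING:
        return None
    (payload_len,) = struct.unpack("!H", record[1:3])
    if 1 + 2 + payload_len + PADDING > len(record):
        return None  # silently discard the malformed request; adjacent memory is never touched
    echoed = record[3:3 + payload_len]
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_len) + echoed


if __name__ == "__main__":
    secret = b"user=alice;pass=hunter2;"  # constructed stand-in for key material next to the record
    malformed = build_heartbeat(b"hi", 40)  # 2 real payload bytes, 40 claimed
    print(handle_heartbeat_vulnerable(malformed, secret))  # response carries bytes of `secret`
    print(handle_heartbeat_fixed(malformed, secret))       # None
```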
Heartbleed potentially affects a large percentage of internet users across the globe, because OpenSSL is the most widely used open-source implementation for encrypting traffic on the web.
Codenomicon tested the bug on their own services and was disturbed by the results. The vendor says, “We were able to steal secret keys used for our X.509 certificates, passwords, user names, emails, and private communications, without using any type of credentials.”
Security specialist and blogger Bruce Schneier says the security flaw is “catastrophic.” On his blog, Schneier says, “Half a million sites are vulnerable, including mine. On a scale of 1 to 10, this is an 11.” The question he poses is whether the two-year-old bug was an accident or intentional. “My guess is an accident, but I have no proof.”
Codenomicon and Google developed a fix for the error and released it on April 7. Chartier believes that Heartbleed and other dangerous security flaws will continue to threaten users and service providers until a greater emphasis is placed on testing software for vulnerabilities. Many IT security professionals still rely on a practice called “block and protect” to defend user information and communication. “This doesn’t work anymore,” says Chartier, “too many of the exploits are written on undisclosed vulnerabilities that you can’t block or find easily. The best defense is secure software.”
Codenomicon creates security testing tools, known as fuzzing tools, for government, service provider, manufacturer, enterprise, and defense customers. A fixed OpenSSL is now available for vendors. Organizations should contact their software vendors to check for updates.