The Heartbleed Bug: Why IT Security Needs an Upgrade

Apr 14, 2014

Security experts and vendors are in high demand after the discovery of the Heartbleed bug, which exploits a vulnerability in the cryptographic tool, OpenSSL. This popular tool provides internet communication privacy and security for applications like the web, instant messaging, email, and some private networks.

Codenomicon, a Finland-based security vendor and a Google researcher discovered the bug on April 4 in the Open Secure Socket Layer, a protocol that encrypts communications between websites and user devices. The pinging of messages back and forth is known as the “heartbeat.” As a result, Codenomicon researchers named the defect, “Heartbleed.”

“The Heartbleed bug allows anyone on the web to read the memory of systems protected by vulnerable versions of the OpenSSL software,” says Codenomicon CEO, David Chartier.

The Heartbleed bug compromises the private keys used to identify service providers and encrypt passwords and user names for certain websites. This gives cyber attackers easy access to user and service provider communications, enables data theft, and allows attackers to impersonate users and services.

Heartbleed potentially affects a large percentage of internet users across the globe, because OpenSSL is the most conventional open source security implementation used to encrypt traffic on the web.

Codenomicon tested the bug on their own services and was disturbed by the results. The vendor says, “We were able to steal secret keys used for our X.509 certificates, passwords, user names, emails, and private communications, without using any type of credentials.”

Security specialist and blogger, Bruce Schneier, says the security flaw is “catastrophic.” On his blog, Schneier says, “Half a million sites are vulnerable, including mine. On a scale of 1 to 10, this is an 11.” The question he poses is whether or not the two-year-old bug was an accident or intentional. “My guess is an accident, but I have no proof.”

Codenomicon and Google developed a fix to the error and released it on April 7. Chartier believes that Heartbleed and other dangerous security flaws will continue to threaten users and service providers until a greater emphasis is placed on testing software for vulnerabilities. Many IT security professionals still utilize a practice called block and protect to defend user information and communication. “This doesn’t work anymore,” says Chartier, “too many of the exploits are written on undisclosed vulnerabilities that you can’t block or find easily. The best defense is secure software.”

Codenomicon creates security testing tools known as fuzzing tools for government, service providers, manufacturers, enterprise, and defense customers. A fixed Open SSL is now available for vendors. Organizations should contact software vendors to check for updates.


Let us help you get a high risk merchant account today!

Get Started

Award winning.

  • 2012
  • 2013
  • 2014
  • 2015
  • 2016

Having a merchant account allows an account holder to take advantage of merchant cash advances. When a merchant is approved for an advance, the business agrees to receive a lump sum of cash in exchange for an agreed-upon percentage of future credit card sales.

Pricing varies depending on the merchant’s industry, past credit card processing history, the type of business seeking the account, average ticket sales, and average transaction volumes.

Yes, EMB works with merchants who are building their credit, as well as those who have poor credit. EMB also approves merchants that have no credit card processing history and businesses that have lost their merchant accounts due to high chargebacks.

Several factors influence a merchant’s risk level. Though only one factor likely will not get a merchant classified as high risk, a combination of these may: business size, location, and industry, credit score, credit card processing history, a industry’s reputation for excessive chargebacks, a prior history of high chargeback ratios, and whether a merchant exclusively sells online.

Virtual terminals are stationed on a merchant’s website, making it easy for customers to make a payment or purchase online. Merchants or a payment processor can easily set up virtual terminals, so online businesses can accept credit and debit card and e-check transactions.

A merchant account is a business account with an acquiring bank. Without this business account, which actually works more like a line of credit, a merchant cannot accept and process credit and debit card transactions. Businesses need a merchant account to accept major credit cards via a static point-of-sale terminal, mobile card reader, or through a virtual payment gateway.

After filling out EMB’s simple online application and submitting any necessary, requested documents, many merchants get approved within 24 and 48 hours.

EMB specializes in working with high-risk merchants. EMB works with many merchants, including but not limited to businesses in these industries: gambling and gaming, adult entertainment, nutraceuticals, vaping and e-cigarettes, electronics, tech support, travel, high-end furniture, weight loss programs, calling cards, e-books and software, and telecommunications.

Live Chat