On Monday, April 7th, the Internet suddenly hit crisis mode. As reported by the OpenSSL project, a bug called Heartbleed was on the loose – and it was deadly. Heartbleed could pull a chunk of working memory from any server running an affected version of OpenSSL, giving attackers access to data that should never have left the machine. OpenSSL had published an emergency patch, but tens of millions of servers were still exposed.
Heartbleed is more insidious – and more deadly – than Apple’s notorious GoToFail bug, which hit networks earlier this year. The OpenSSL bug affects more computers and causes bigger problems, permitting attackers to pose as the server and eavesdrop on data traffic. And it had been operating under the radar for two years, a disturbingly long time. According to Nicholas Weaver, an ICSI security researcher, “It is catastrophically bad, just a hugely damaging bug.”
Heartbleed allows hackers to pull out 64k of arbitrary memory from any given OpenSSL server. (And this is a big problem, since about 2 out of every 3 servers currently rely on OpenSSL software.) The request can be repeated as often as the attacker likes, so over many attempts large amounts of sensitive data can be harvested.
Ultimately, the bug exposes the server’s private encryption keys, which can be readily identified in the leaked memory. Once the keys are lifted, an attacker holding them can decrypt the server’s incoming and outgoing traffic, or impersonate the server outright.
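The mechanism behind the leak is a heartbeat request whose declared payload length is larger than the payload that actually arrived; an unpatched server trusts the declared length and copies that many bytes out of memory into its reply. The following is an added example, not code from the original post or from OpenSSL: a small defender-side checker that parses a raw TLS heartbeat record (RFC 6520 layout) and flags the mismatch that intrusion-detection signatures look for. The record and field layouts follow the RFC; the two sample records are constructed here for illustration.

```python
import struct

# TLS record content type for heartbeat messages (RFC 6520), and the two
# heartbeat message types it carries.
TLS_HEARTBEAT = 0x18
HB_REQUEST = 1
HB_RESPONSE = 2
# RFC 6520 requires at least 16 bytes of random padding after the payload.
HB_PADDING_MIN = 16
# Heartbeat payload_length is a 16-bit field, so a single reply is at most ~64k.
HB_MAX_PAYLOAD = 0xFFFF


def parse_tls_record(data: bytes):
    """Split one raw TLS record into (content_type, version, body)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than its declared length")
    return content_type, version, body


def check_heartbeat(data: bytes) -> dict:
    """Return a verdict for one TLS record.

    A well-formed heartbeat needs 1 (type) + 2 (payload_length) + payload
    + at least 16 padding bytes inside the record.  If payload_length claims
    more than the record actually carries, a vulnerable server would answer
    with that many bytes read past the end of the received data, which is the
    over-read the post describes.  This is the bounds check the OpenSSL fix
    added, expressed as a detection rule over captured traffic.
    """
    content_type, _version, body = parse_tls_record(data)
    if content_type != TLS_HEARTBEAT:
        return {"heartbeat": False, "malformed": False, "reason": "not a heartbeat record"}
    if len(body) < 3:
        return {"heartbeat": True, "malformed": True, "reason": "heartbeat header truncated"}
    hb_type, payload_length = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return {"heartbeat": True, "malformed": True, "reason": f"unknown heartbeat type {hb_type}"}
    # Bytes that are really available for payload once header and minimum
    # padding are accounted for (never negative).
    available = max(0, len(body) - 3 - HB_PADDING_MIN)
    required = 1 + 2 + payload_length + HB_PADDING_MIN
    if required > len(body):
        return {
            "heartbeat": True,
            "malformed": True,
            "type": hb_type,
            "declared": payload_length,
            "available": available,
            "reason": "declared payload_length exceeds record contents",
        }
    return {
        "heartbeat": True,
        "malformed": False,
        "type": hb_type,
        "declared": payload_length,
        "available": available,
        "reason": "payload_length fits inside the record",
    }


def _record(content_type: int, body: bytes) -> bytes:
    """Wrap a body in a TLS 1.1 record header (constructed sample data)."""
    return struct.pack("!BHH", content_type, 0x0302, len(body)) + body


# Constructed sample 1: a legitimate 4-byte heartbeat request with 16 bytes of padding.
BENIGN_RECORD = _record(TLS_HEARTBEAT, bytes([HB_REQUEST]) + struct.pack("!H", 4) + b"ping" + b"\x00" * 16)
# Constructed sample 2: a request that declares a 16384-byte payload but carries none.
MALFORMED_RECORD = _record(TLS_HEARTBEAT, bytes([HB_REQUEST]) + struct.pack("!H", 16384) + b"\x00" * 16)
# Constructed sample 3: an application-data record, which the checker ignores.
APPDATA_RECORD = _record(0x17, b"not a heartbeat")


if __name__ == "__main__":
    for name, rec in (("benign", BENIGN_RECORD), ("malformed", MALFORMED_RECORD), ("appdata", APPDATA_RECORD)):
        print(name, check_heartbeat(rec))
```

Run over a stream of decrypted or pre-handshake records, the `malformed` verdict is what a network monitor would alert on; on the server side, the same `required > len(body)` comparison is the check whose absence made the over-read possible.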
The bug has sparked a mass panic – because it affected huge swathes of the Internet. Yahoo executives advised users to avoid their accounts until the emergency patch had been installed across Yahoo servers. Countless smaller companies like LastPass, Imgur and Flickr are also scrambling to implement a fix. Generally, any server running Nginx or Apache on top of a vulnerable OpenSSL will be affected, compromising countless websites and services.
Fortunately, Google, Apple and Microsoft appear to be safe, as well as most major e-banking sites. The Tor Project suggests that web users “stay away from the Internet entirely for the next few days” if they are concerned about anonymity or privacy.
If you’re concerned about accessing compromised sites, you should take advantage of two tools: first, a diagnostic site that tells you whether a site has been repaired with the new patch. (Be aware that this site does produce some false negatives, so the results are not definitive.) Then, check an SSL tracker to make sure the site has also been issued a new SSL certificate dated after the patch (an older SSL certificate may still be using keys that were compromised by Heartbleed).
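The second check above, whether a certificate was issued before or after the patch, is easy to automate from the certificate's validity dates. The following is an added example, not code from the original post or from EndLayer: it takes the dictionary form that Python's `ssl.getpeercert()` returns, compares `notBefore` against a reference date, and classifies each certificate. The reference date is assumed here to be April 7, 2014, the disclosure date (the post gives only the month and day; substitute the day your own servers were patched). The three sample certificates are constructed for illustration; the `fetch_peer_cert` helper performs the live lookup and is not exercised offline.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumed reference cutoff: the Heartbleed disclosure date.  For your own
# fleet, use the day the OpenSSL fix was actually applied to each host.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Classification labels returned by assess_cert().
REISSUE_NEEDED = "reissue-needed"        # issued before the patch and still valid
EXPIRED_PRE_PATCH = "expired-pre-patch"  # issued before the patch but already expired
ISSUED_AFTER_PATCH = "issued-after-patch"


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live lookup (not used offline): return the server certificate as the
    dict produced by ssl.getpeercert(), which carries 'notBefore'/'notAfter'."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _cert_time(value: str) -> datetime:
    """Convert an 'Apr  8 12:00:00 2014 GMT' string to an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def assess_cert(cert: dict, patch_date: datetime = HEARTBLEED_DISCLOSURE, now: datetime = None) -> dict:
    """Classify one certificate relative to the patch date.

    A certificate whose validity began before the patch was issued for a key
    that may have been exposed; if it is still within its validity window it
    should be revoked and reissued, which is the check the post recommends.
    """
    now = now or datetime.now(timezone.utc)
    not_before = _cert_time(cert["notBefore"])
    not_after = _cert_time(cert["notAfter"])
    if not_before < patch_date and not_after > now:
        status = REISSUE_NEEDED
    elif not_before < patch_date:
        status = EXPIRED_PRE_PATCH
    else:
        status = ISSUED_AFTER_PATCH
    return {"notBefore": not_before, "notAfter": not_after, "status": status}


def triage(certs: dict, patch_date: datetime = HEARTBLEED_DISCLOSURE, now: datetime = None) -> dict:
    """Map each hostname to its status, for a batch of {host: cert_dict}."""
    return {host: assess_cert(cert, patch_date, now)["status"] for host, cert in certs.items()}


# Constructed sample certificates in getpeercert() form (only the fields used here).
SAMPLE_CERTS = {
    "old-still-valid.example": {"notBefore": "Mar  1 00:00:00 2014 GMT", "notAfter": "Mar  1 00:00:00 2016 GMT"},
    "old-expired.example":     {"notBefore": "Jan  5 09:59:47 2012 GMT", "notAfter": "Jan  5 09:59:47 2014 GMT"},
    "reissued.example":        {"notBefore": "Apr  9 08:30:00 2014 GMT", "notAfter": "Apr  9 08:30:00 2016 GMT"},
}
# Constructed "now" so the sample classification is stable when re-run.
SAMPLE_NOW = datetime(2014, 4, 10, tzinfo=timezone.utc)


if __name__ == "__main__":
    for host, status in triage(SAMPLE_CERTS, now=SAMPLE_NOW).items():
        print(f"{host:28} {status}")
```

Feeding `fetch_peer_cert(host)` results into `triage` gives the same verdict for live hosts. Note that a post-patch `notBefore` is only meaningful if the key was regenerated rather than the old key re-certified; the date check cannot tell those apart, which is why the post pairs it with the patch diagnostic.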
The Heartbleed bug is an ongoing fix. And that’s not all bad – the bug has raised important security issues that will spark more comprehensive solutions in the future. (For one, experts are already suggesting better funding for OpenSSL, to help prevent future breaches.)
Heartbleed also underscores the need for obsessive-compulsive managed hosting. In order to minimize security breaches, IT professionals need to “ride herd” on servers 24/7/365. Did we mention that EndLayer had patched and secured all sites on our network a few moments after OpenSSL issued the warning? Our sites are currently up, running and uncompromised, while many other networks are still floundering.
But that’s what we do. We keep our servers safe, all the time.
If you're not sure about the current security state of your website, please feel free to reach out to EndLayer to inquire on how a security assessment/consultation could help you stay protected.