BLOOMINGTON, Ind. -- A major vulnerability affecting a large number of encryption systems on the Internet was disclosed this week, and an Indiana University informatics and cybersecurity expert says anyone with an online connection could be at risk.
The Heartbleed Bug allows anyone on the Internet to read the memory of systems protected by vulnerable versions of OpenSSL, a widely used encryption system, thereby obtaining access to the secret keys used to encrypt online traffic and data, said Steven Myers, associate professor of computer science and informatics and senior fellow with the university’s Center for Applied Cybersecurity Research.
The Heartbleed Bug therefore gives attackers the potential of eavesdropping on communications, stealing data and even impersonating services and users, he said.
"This is a critical flaw that needs to be taken seriously and patched as quickly as possible,” Myers said.
“Exploits currently exist. Further, new cryptographic keys for affected systems need to be issued along with revocation of previous cryptographic certificates. Systems where passwords are only encrypted via the affected systems should be reset as soon as possible.
“In addition,” Myers continued, “precautions similar to traditional data-breaches on affected system need to be followed.”
The Heartbleed Bug is especially dangerous for three reasons:
-- It not only allows access to data and communications protected with the vulnerable version of OpenSSL distributed over the past two years; it also allows attackers to impersonate both users and services, thereby obtaining access to additional information in the future.
-- The Heartbleed Bug leaves no trace of past activity, leaving unknown what data and communications have been accessed.
-- Even once a system is patched, any traffic intercepted by the attacker in the past is still vulnerable to decryption and unauthorized use.
The scope of the vulnerability is not known, and it is not possible to determine systematically which data and communications may have been compromised. However, OpenSSL is the most popular open-source encryption tool. It is relied on by open-source Web servers like Apache and Nginx, which reportedly account for 66 percent of active Internet sites.
OpenSSL is also used to protect email servers, chat servers, virtual private networks and both institutional and personal websites. Traffic and data connected with any site protected with a vulnerable version of OpenSSL is at risk.
Steven Myers can be reached at firstname.lastname@example.org or 812-856-1860.
The Center for Applied Cybersecurity Research is affiliated with IU's Pervasive Technology Institute and works closely with its partner organizations at the university: CLEAR Health Information, the Maurer School of Law, the Kelley School of Business, the School of Informatics and Computing, REN-ISAC, the University Information Policy Office and the University Information Security Office.