With Heartbleed, time is not on your side, according to a network security expert
Guy Hembroff, associate professor and chair of the Computer Network and System Administration program at Michigan Technological University, says time is of the essence in dealing with the latest network security bug, Heartbleed. And it's not just network security experts who should be concerned. Hembroff says everyone is at risk.
To provide security over the web and to avoid eavesdropping, Hembroff esplains, browsers use a cryptographic protocol called Secure Socket Layer (SSL), essentially the security or the "s" in "https.”
“OpenSSL, the open-source version of SSL is used to protect web communications around the globe, currently the default cryptographic library in nearly two thirds of all active websites, according to an April 2014 survey conducted by Netcraft,” he says.
OpenSSL permits security communications to be more efficient and stay open without having to renegotiate security protocols, Hembroff says. Servers store a wealth of confidential data, which is not usually a problem, but with Heartbleed in OpenSSL, attackers can force the server to give up its data, 64 kilobytes at a time until they have what they need.
“This includes names, passwords, medical data, credit-card numbers and many other types of sensitive data,” he says. “Even the server’s secret keys can be compromised, giving the attackers further power to obtain user information that has been deemed ‘protected’ and gives attackers the capability to impersonate both services and users, doing so anonymously.”
And the solutions?
“Everyone should worry about Heartbleed and should change passwords,” he says. “An average user logging into their Amazon account may be logging into a server that was compromised. If that is the case, their username, password, and account information (such as address and credit-card information) would be in the memory of the server where the vulnerability is targeted. Therefore changing passwords of these accounts is important.”
As for the servers, “A patch has been issued and available in OpenSSL’s version 1.0.1g. It should be upgraded immediately,” Hembroff stresses. “However, this is not enough. With the potential to access sensitive information, there is a high probability that data has already been compromised, with no way of knowing for certain. To be cautious, new public/private key pairs should be created and administrators should change every password to ensure that attackers will not have access into the system, even after the patch has been applied. For large organizations, this is a lot of work and can be time-consuming, however it should be done sooner than later.”