Heartbleed OpenSSL Vulnerability
On a daily basis users rely on encryption to protect their sensitive data. A vulnerability in the way encryption is handled may result in the unauthorized disclosure of IDs, passwords, credit card data, session cookies, and other sensitive information.
Versions of OpenSSL, a library of publicly available software, have a handling bug in the implementation of the TLS Heartbeat Extension that could be used to reveal up to 64KB of memory. 64KB may not sound like much, but an attacker can repeatedly use the bug to collect additional information. The 64KB that leaks comes from the heap, the area of memory positioned near the bottom of memory. What an attacker obtains depends on what happened to be stored in that memory at the moment of the request.
By reading the memory, an attacker can gain access to sensitive information as well as a server's private key, the key used to encrypt and protect information. With the server's private key, an attacker can break the encryption of earlier communications to read what was thought to be protected information. By reading sensitive information, an attacker can leverage the information to implement man-in-the-middle attacks and hijack the identity of users.
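The handling bug described above comes down to one missing length check. The following is an added example, not OpenSSL's code: a small model of an RFC 6520 heartbeat request handler, with the unchecked form beside the corrected form. The "arena" that stands in for process memory and the SECRET string placed after the record are constructed for the demonstration, and the arena bound inside the unchecked handler exists only to keep the simulation memory-safe; the real bug had no such bound.

```c
/* Added example (not OpenSSL's code): models how a heartbeat handler that
 * trusts the claimed payload length echoes neighbouring memory, and how
 * the corrected length check prevents it. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of padding */

/* Constructed "process memory": the heartbeat record sits at the start,
 * followed by data belonging to another connection (a made-up secret). */
#define ARENA_SIZE 128
static const char SECRET[] = "session=abc123; Authorization: Basic ...";

/* Lay out a heartbeat record claiming `claimed` payload bytes but carrying
 * only `actual` bytes, then place the secret right after it. Returns the
 * length of the record actually received. */
static size_t build_arena(uint8_t *arena, uint16_t claimed, size_t actual) {
    memset(arena, 0, ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8);      /* payload_length, big-endian */
    arena[2] = (uint8_t)(claimed & 0xff);
    memset(arena + 3, 'A', actual);          /* the real payload bytes */
    size_t rec_len = 1 + 2 + actual + HB_PADDING;  /* padding left as zeros */
    memcpy(arena + rec_len, SECRET, sizeof SECRET); /* neighbouring heap data */
    return rec_len;
}

/* Vulnerable shape: copies as many bytes as the peer claimed, ignoring how
 * long the received record really was. Returns bytes echoed into out. */
static size_t handle_unchecked(const uint8_t *arena, size_t rec_len,
                               uint8_t *out, size_t out_cap) {
    (void)rec_len;                           /* never consulted: the bug */
    uint16_t claimed = ((uint16_t)arena[1] << 8) | arena[2];
    if (claimed > out_cap || 3 + (size_t)claimed > ARENA_SIZE)
        return 0;                            /* simulation guard only */
    memcpy(out, arena + 3, claimed);
    return claimed;
}

/* Corrected shape: header, claimed payload and minimum padding must all
 * fit inside the record that was actually received, else discard it. */
static size_t handle_checked(const uint8_t *arena, size_t rec_len,
                             uint8_t *out, size_t out_cap) {
    if (1 + 2 + HB_PADDING > rec_len) return 0;          /* too short */
    uint16_t claimed = ((uint16_t)arena[1] << 8) | arena[2];
    if (1 + 2 + (size_t)claimed + HB_PADDING > rec_len) return 0; /* the fix */
    if (claimed > out_cap) return 0;
    memcpy(out, arena + 3, claimed);
    return claimed;
}

static int contains(const uint8_t *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

typedef size_t (*handler_fn)(const uint8_t *, size_t, uint8_t *, size_t);

static size_t run(handler_fn h, uint16_t claimed, size_t actual,
                  uint8_t *out, size_t out_cap) {
    uint8_t arena[ARENA_SIZE];
    size_t rec_len = build_arena(arena, claimed, actual);
    return h(arena, rec_len, out, out_cap);
}

/* 1 if the unchecked handler's reply to a request that claims 60 bytes but
 * sends 4 contains the neighbouring secret, else 0. */
int unchecked_leaks(void) {
    uint8_t out[ARENA_SIZE];
    size_t n = run(handle_unchecked, 60, 4, out, sizeof out);
    return contains(out, n, "session=");
}

/* Bytes the checked handler echoes for the same over-claimed request. */
size_t checked_reply_len(void) {
    uint8_t out[ARENA_SIZE];
    return run(handle_checked, 60, 4, out, sizeof out);
}

/* Bytes the checked handler echoes for an honest 4-byte request. */
size_t checked_honest_len(void) {
    uint8_t out[ARENA_SIZE];
    return run(handle_checked, 4, 4, out, sizeof out);
}

int main(void) {
    printf("unchecked handler leaks secret: %d\n", unchecked_leaks());
    printf("checked handler bytes echoed (over-claimed): %zu\n", checked_reply_len());
    printf("checked handler bytes echoed (honest): %zu\n", checked_honest_len());
    return 0;
}
```

The only difference between the two handlers is the comparison of the claimed payload length against the received record length; with it in place the over-claimed request is dropped and an honest request is echoed unchanged, which is the behaviour a patched server should show.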
Unless new keys are generated, an attacker could intercept and read traffic even after the Heartbleed OpenSSL vulnerability has been patched.
Altius IT recommends organizations take the following steps to address this vulnerability:
- Update. Contact vendors to determine if their software or product is vulnerable. If so, identify when a fix, patch, or upgrade will be available. Back up your system or device. Apply the patch using vendor supplied instructions. Follow formal patch and change management procedures, testing the updates in a non-production environment before rolling out to production systems.
- New keys. Follow vendor recommended steps to generate a new certificate and key. This ensures that old private keys that have been compromised can't be used to read encrypted information. Revoke your old key and certificate so that they cannot be used.
- Restart. Follow vendor instructions and restart the system or device.
- Test. Test to ensure the vulnerability has been properly addressed.
- Passwords. Notify computer system users (customers, staff, suppliers, etc.) that they should change their passwords.
Network security audits help organizations identify, manage, and reduce their risks. Formal and documented policies ensure a top down approach to managing encryption and network security risks.