
If You Don’t Know About Heartbleed – Begin Here

Heartbleed Security Notice

ღ If you haven’t heard about this very serious Internet security flaw, don’t click away from this screen until you read this information. Ignoring this may not be in your best interest. ♥

There is a major security flaw on the Web named Heartbleed; it is so serious that Internet security teams, businesses and individuals are scrambling to close the leak. I posted a message about this on my SkillfullDesign blog 3 days ago, but there are still a lot of people in the dark about this problem and how it affects them.

A massive vulnerability has been found in OpenSSL, the open-source cryptographic library that a large share of websites use to encrypt their connections. On a 1 to 10 scale of serious Internet security concerns, this one rates a 9.5.

The flaw allows attackers to read information that is normally protected by SSL/TLS encryption, which secures Internet communications with many financial institutions, e-mail services, instant messaging (IM) and some virtual private networks (VPNs). The encryption itself is not broken; the bug lets an attacker read chunks of the server's memory, where that information sits in the clear. Whenever your web browser shows https://www.yoursite.XXX instead of http://www.yoursite.XXX, you are connected over a supposedly secure channel.

What this means for many Internet users is that their sensitive information (passwords, bank account numbers, social security numbers and credit card numbers) may have been grabbed and could be used by someone to gain unauthorized access. Passwords, private communications and even credit card information could be available to attackers courtesy of this newly discovered bug.

What must you be aware of, and what steps should you take?

The Heartbleed bug (it is a flaw in a software library, not a virus) has been present on millions of websites for two years, but there are ways to protect yourself. Check the sites you use against the list of sites known to have been vulnerable. If a major website is still vulnerable, changing your password there does not help, because the new password can be captured just like the old one. If the site passes the test, change your password. Be sure to test anything you do online that involves payment or financial information. If you do not bank online, there is no need to test your bank. If you use e-mail or social media sites such as Facebook, check them by entering their address.

Use this link to find out whether any website you use that requires a password is vulnerable to the attack.

filippo.io/Heartbleed

Watch this video if you want to learn more.

IT professionals should refer to this information.


What’s an SSL heartbeat?
The Heartbeat Extension is a TLS/DTLS protocol extension that provides keep-alive functionality without performing a renegotiation, and a basis for path MTU (PMTU) discovery for DTLS. It is a check to see whether the peer at the other end of the connection is still present or has dropped off. While the peer is still there, the heartbeat keeps the session context between the two sides alive. Without the heartbeat, the only way to do this is a renegotiation, which costs extra data and round trips and thus slows transactions.

The bug is in how the server handles the heartbeat request's payload length. A heartbeat request carries a 16-bit payload_length field followed by the payload, and the server is supposed to echo the payload back. The vulnerable code trusted that length field without checking it against the size of the record actually received, so an attacker can send a tiny request with a few bytes of payload that claims a length of up to 65535, and the server copies that many bytes from its memory into the response. Everything beyond the real payload is whatever happened to sit next to the record in the process's heap: up to 64 KB per request. Any TLS service is a target, not only HTTPS on TCP port 443 (the DTLS code path was affected too), and a malicious server can do the same to a vulnerable client. Repeat the request and you get another 64 KB from wherever the buffer landed this time. That raw memory may contain other users' usernames and passwords, session cookies, and in some cases the server's private key.
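To make the length bug concrete, here is an added example written for this page, not OpenSSL's own code: a simplified C model of the heartbeat handler described above, before and after the fix. The record layout follows RFC 6520; the surrounding "heap" is a static arena, the neighbouring request data planted in it is constructed, and a claimed length of 2048 stands in for the 65535 a real attack uses so that the over-read stays inside memory the program owns. The function names (build_request, hb_vulnerable, hb_fixed, contains) are the example's own.

```c
/*
 * Simplified model of the TLS heartbeat handler before and after the
 * CVE-2014-0160 fix.  Illustrative code for this page, not OpenSSL source:
 * the record layout follows RFC 6520 but the "heap" is a static arena so
 * the over-read stays inside memory we own.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16          /* minimum padding required by RFC 6520 */

/* Simulated heap: the decrypted heartbeat record sits at the start, and data
 * belonging to another connection (constructed below) sits right after it. */
#define ARENA_SIZE 4096
static unsigned char arena[ARENA_SIZE];
static unsigned char response[ARENA_SIZE];   /* response buffer used by main() */

/* Lay out a heartbeat request in the arena.  `claimed` is the 16-bit
 * payload_length field the attacker writes; `payload_len` is how many
 * payload bytes are really present.  Returns the true record length. */
size_t build_request(uint16_t claimed, const char *payload, size_t payload_len) {
    static const char neighbour[] = "POST /login user=alice&pass=hunter2"; /* constructed */
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memcpy(arena + 3, payload, payload_len);
    size_t record_len = 3 + payload_len + HB_PADDING;
    memcpy(arena + record_len, neighbour, sizeof neighbour);  /* adjacent heap data */
    return record_len;
}

/* Pre-1.0.1g logic: the length comes from the attacker and is never compared
 * with record_len, so memcpy reads past the end of the record. */
long hb_vulnerable(const unsigned char *rec, size_t record_len,
                   unsigned char *out, size_t out_cap) {
    (void)record_len;                      /* the bug: never consulted */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload = (size_t)rec[1] << 8 | rec[2];
    size_t resp_len = 3 + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;     /* stands in for the response allocation */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);     /* over-read: copies adjacent memory */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (long)resp_len;
}

/* 1.0.1g logic: discard the request unless type + length + payload + padding
 * fits inside the record that was actually received. */
long hb_fixed(const unsigned char *rec, size_t record_len,
              unsigned char *out, size_t out_cap) {
    if (record_len < 1 + 2 + HB_PADDING) return -1;          /* too short to be valid */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload = (size_t)rec[1] << 8 | rec[2];
    if (1 + 2 + payload + HB_PADDING > record_len) return -1; /* the added bounds check */
    size_t resp_len = 3 + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (long)resp_len;
}

/* Does the response contain a given byte string?  Used to show what leaked. */
int contains(const unsigned char *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

int main(void) {
    /* Attacker sends 5 real payload bytes but claims 2048. */
    size_t n = build_request(2048, "hello", 5);
    long v = hb_vulnerable(arena, n, response, sizeof response);
    printf("vulnerable: %ld-byte response, leaked password: %s\n",
           v, contains(response, (size_t)v, "pass=hunter2") ? "yes" : "no");
    long f = hb_fixed(arena, n, response, sizeof response);
    printf("fixed: %s\n", f < 0 ? "request discarded" : "answered");
    /* An honest request (claimed length equals real length) still works. */
    n = build_request(5, "hello", 5);
    printf("fixed, honest request: %ld bytes echoed\n",
           hb_fixed(arena, n, response, sizeof response));
    return 0;
}
```

Compile with `cc -Wall heartbeat.c` and run: the vulnerable handler echoes 2067 bytes that include the neighbouring request's password, while the fixed handler discards the same request and still answers an honest one with 24 bytes. The mechanism in the real library is the same: the copied length came from the attacker, and the fix is the comparison against the length actually received.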

What versions of the OpenSSL are affected?

  •     OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  •     OpenSSL 1.0.1g is NOT vulnerable
  •     OpenSSL 1.0.0 branch is NOT vulnerable
  •     OpenSSL 0.9.8 branch is NOT vulnerable

2 thoughts on “If You Don’t Know About Heartbleed – Begin Here”

  1. Jack Bowdle

    Mike, what are the three things the common man (or woman) should do today to avert this threat?

    1. Mike Livingston Post author

      This is an excellent question. I’m going to suggest more than 3 things.
      1. Assume the worst. All of the Internet sites you have used which require a username and password have been compromised. This bug existed for two years, more than enough time to have done damage.
      2. This was a list of 1000 sites as of the 8th of April known to either be secure or have vulnerabilities. Check it to be sure.
      3. Test your suspected site (financial institution name – online email account, etc.) using this tool Heartbleed test.
      4. If your site passes, log in and change your password immediately. If it is still vulnerable, avoid logging in and don’t change your password until the technical support people fix it. (Don’t repeat passwords between sites. If one is stolen, you don’t want everything to be vulnerable.)
      5. Don’t click on anything that pops up on your browser that you didn’t start. If you didn’t go to a site to request information or download software, don’t be tempted by the window that pops up in front of you. Close it.
      6. Keep all of your software up to date. Security flaws get patched but you have to be proactive and be sure your computer or smartphone has the latest updates.
