It has recently emerged that a major security flaw at the heart of the internet could be exposing internet users' personal information and passwords to attackers: the flaw allows a remote party to read chunks of a server's memory, which can contain login credentials, session cookies and, in the worst case, the server's private encryption keys. It is not clear how much damage the bug may have caused, but it is one of the largest security issues the internet has faced to date.
The bug exists in a piece of open source software called OpenSSL, a library that implements SSL/TLS and is used to encrypt communications between a user's computer and a web server.
The issue was given the name Heartbleed because it affects the Heartbeat extension to the SSL/TLS protocol as implemented in OpenSSL. OpenSSL is one of the most widely deployed encryption libraries online, believed to underpin roughly two-thirds of active web servers, and around half a million sites with trusted certificates were estimated to be vulnerable. If a website shows a padlock symbol in the browser, it is likely to be using SSL/TLS.
The bug is believed to be so serious that a dedicated website has been established for it: Heartbleed.com. It outlines all aspects of the problem for anyone concerned about their personal and private information.
The issue was uncovered by Google Security and Codenomicon, who said it was created by a programming error: a missing bounds check, so that the server trusted the payload length claimed in an incoming heartbeat message and copied that many bytes from memory back to the sender, up to 64 KB per request. Because OpenSSL is open source, researchers were able to investigate the code in great detail, which is how the issue came to light. This is a difficult task to carry out, as the code is complex and locating such problems can be very time-consuming.
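The following is an added illustration, not code from the original post or from OpenSSL, of the kind of programming error described above. It models the heartbeat message layout (a one-byte type, a two-byte big-endian payload length, the payload, and at least 16 bytes of padding) inside a constructed buffer that also holds a made-up "secret" belonging to another part of the process. `heartbeat_vulnerable` mirrors the pre-fix logic by trusting the claimed length; `heartbeat_fixed` adds the check that the claimed payload must fit inside the record actually received. All function names, the buffer size and the secret string are assumptions for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the heartbeat message layout:
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 * Names and sizes here are assumptions for the example, not OpenSSL's own. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Simulated process memory: the received record sits at the front and data
 * belonging to other connections sits immediately after it. */
#define MEM_SIZE 256
static unsigned char mem[MEM_SIZE];
static const char *secret = "user=alice&password=hunter2 ";   /* constructed */

/* Writes a heartbeat request at mem[0..] whose header claims `claimed_len`
 * payload bytes while only `real_len` bytes are actually present, then places
 * the secret right after the record. Returns the record's true length. */
size_t stage_request(uint16_t claimed_len, size_t real_len) {
    memset(mem, 0, MEM_SIZE);
    mem[0] = HB_REQUEST;
    mem[1] = (unsigned char)(claimed_len >> 8);
    mem[2] = (unsigned char)(claimed_len & 0xff);
    memset(mem + HB_HEADER_LEN, 'A', real_len);          /* the real payload */
    size_t record_len = HB_HEADER_LEN + real_len + HB_MIN_PADDING;
    memcpy(mem + record_len, secret, strlen(secret));    /* adjacent memory */
    return record_len;
}

/* Pre-fix behaviour: never compares the claimed length with the record
 * length, so memcpy reads past the end of the record into adjacent memory.
 * (The out_cap check only keeps this harness inside its own buffer.) */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    (void)rec_len;                                       /* ignored: the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER_LEN + payload + HB_MIN_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload);   /* over-read */
    memset(out + HB_HEADER_LEN + payload, 0, HB_MIN_PADDING);
    return HB_HEADER_LEN + payload + HB_MIN_PADDING;
}

/* Post-fix behaviour: header + claimed payload + minimum padding must fit in
 * the record that was actually received, otherwise the request is dropped. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER_LEN + payload + HB_MIN_PADDING > rec_len) return 0; /* the fix */
    if ((size_t)HB_HEADER_LEN + payload + HB_MIN_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload);
    memset(out + HB_HEADER_LEN + payload, 0, HB_MIN_PADDING);
    return HB_HEADER_LEN + payload + HB_MIN_PADDING;
}

/* Returns 1 if the response carries the secret, i.e. memory was leaked. */
int response_leaks_secret(const unsigned char *resp, size_t resp_len) {
    size_t n = strlen(secret);
    for (size_t i = 0; i + n <= resp_len; i++)
        if (memcmp(resp + i, secret, n) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char out[MEM_SIZE];
    /* Claim 64 payload bytes but send only 4: the shape of a Heartbleed probe. */
    size_t rec_len = stage_request(64, 4);
    size_t n = heartbeat_vulnerable(mem, rec_len, out, sizeof out);
    printf("vulnerable: %zu bytes returned, secret leaked: %s\n", n,
           response_leaks_secret(out, n) ? "yes" : "no");
    n = heartbeat_fixed(mem, rec_len, out, sizeof out);
    printf("fixed: %zu bytes returned (0 means the request was dropped)\n", n);
    return 0;
}
```

A well-formed request (claimed length equal to the bytes actually sent) is answered identically by both versions; only the mismatched request is rejected by the fixed one, which is why the patch could be applied without breaking legitimate heartbeat traffic.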
Virtue Technologies do not consider our customer UTMs to be at risk at this time, as the relevant attack surface of the UTMs is not directly available from the internet on the standard SSL port. The exploit predominantly targets web servers rather than end-user environments.
However, Sophos has released an update that includes a fix for this vulnerability and, as a precaution, we have deployed it to all our UTM customers.
In the following video, Elastica's CTO Dr Zulfikar Ramzan walks through the mechanics of the Heartbeat (Heartbleed) flaw at a high level, how an attacker can exploit it, and its underlying ramifications.