Two out of every three web servers have been potentially compromised by a flaw in the encryption software OpenSSL.
Since the news broke on April 7th, webmasters have been in a mass scramble to correct the issue, which potentially leaves personal data open to any inquisitive hackers.
Google and Facebook both use the affected software, showing the potentially massive scale of the security breach.
Neel Mehta of Google Security, working independently of the security firm Codenomicon, spotted the flaw, which is believed to have gone unnoticed for two years, leaving businesses needing to update their software in order to protect user data.
What has been dubbed the Heartbleed Bug allowed hackers to pull data off of servers, meaning that credit and debit card numbers, passwords, usernames, and addresses have potentially been compromised.
All versions of OpenSSL in the 1.0.1 series up to 1.0.1f were afflicted with a memory handling error in the TLS Heartbeat Extension. The error could allow 64 kilobytes of the application’s memory to be read and stolen.
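The memory handling error in the heartbeat extension and the bounds check that fixes it, as an added C example (not the article’s text or OpenSSL’s own code): a simplified heartbeat parser run over a constructed in-memory buffer, with the unchecked reply beside the checked one. The record layout constants, function names and sample bytes are assumptions made for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* Simplified TLS heartbeat record: type (1) | payload_length (2, big-endian)
 * | payload | padding (at least 16 bytes). All names here are ours. */
#define HB_HEADER_LEN  3
#define HB_PADDING_LEN 16

/* Constructed stand-in for process memory: a 24-byte heartbeat record whose
 * header claims a 32-byte payload but carries only 5, followed by unrelated
 * data that must never leave the process. */
static const unsigned char memory[] =
    "\x01\x00\x20" "hello"
    "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
    "SECRET-SESSION-KEY";

/* A well-formed 24-byte record: declared payload 5, 16 bytes of padding. */
static const unsigned char good_rec[] =
    "\x01\x00\x05" "hello" "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";

static size_t declared_len(const unsigned char *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Pre-fix logic (OpenSSL 1.0.1 to 1.0.1f, simplified): echo declared_len
 * bytes from the payload start without consulting how many bytes the record
 * actually delivered. out_cap only keeps this simulation inside the
 * constructed buffer. Returns the number of bytes echoed. */
static size_t hb_reply_unchecked(const unsigned char *rec, size_t rec_len,
                                 unsigned char *out, size_t out_cap) {
    size_t n = declared_len(rec);
    (void)rec_len;                      /* the bug: record length is ignored */
    if (n > out_cap) n = out_cap;
    memcpy(out, rec + HB_HEADER_LEN, n);
    return n;
}

/* Fixed logic (the bounds check in the patched release): reply only if
 * header + declared payload + minimum padding fit inside the record actually
 * received, otherwise drop it. Returns bytes echoed, or -1 when rejected. */
static int hb_reply_checked(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HEADER_LEN + HB_PADDING_LEN) return -1;
    size_t n = declared_len(rec);
    if (HB_HEADER_LEN + n + HB_PADDING_LEN > rec_len) return -1;
    if (n > out_cap) return -1;
    memcpy(out, rec + HB_HEADER_LEN, n);
    return (int)n;
}
```

With the constructed buffer, the unchecked reply copies 32 bytes and so returns the adjacent "SECRET-SESSION-KEY" data along with the 5-byte payload, while the checked version rejects the same record and only answers the well-formed one.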
The Heartbleed Bug is believed to have been around since December 31st 2011, meaning many popular services have unwittingly been open to online attacks.
After two years, it’s clear the damage may already have been inflicted, although it is impossible to track what exactly has been stolen, as the bug leaves no traces of unusual behavior in its wake. Anyone attempting to hack a site could read the memory of the SSL server and access sensitive data.
A support site, rapidly set up by Codenomicon at heartbleed.com, guides businesses and other users to an immediate solution.
As the site states, “The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).”
The solution for concerned businesses with customers to protect and active social media accounts to secure has already been provided.
As stated on the Heartbleed site, “As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.”
This fix has been provided by Adam Langley and Bodo Moeller. The advice for anyone running the OpenSSL 1.0.1 series up to 1.0.1f is to replace certificates and keys and to change passwords in order to protect sensitive data. An immediate update to OpenSSL 1.0.1h is highly advisable.
While it’s unclear if the bug has been exploited by hackers in any way, the news is alarming all the same. Social media platforms such as LinkedIn and Twitter have been the subject of hacks and security breaches in the past, and the Heartbleed Bug is a reminder of the constant need to be vigilant about online security practices.
Some of the most popular sites which supported the TLS heartbeat extension are: Twitter, Yahoo, Tumblr, Steam, Dropbox, PostFinance, Regents Bank, Commonwealth Bank of Australia, and the search engine DuckDuckGo. Following the news, it’s now likely that most sites have updated their software.
As stated by Codenomicon’s Heartbleed Bug information site, the lesson to take from this latest scare is to use it as an opportunity to reinforce security procedures. As the site states, “Although this is painful for the security community, we can rest assured that infrastructure of the cyber criminals and their secrets have been exposed as well.”
Image courtesy of Heartbleed.com