OpenSSL CVE-2014-0160 (the Heartbleed bug)
“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.”
The scary part is that people with bad intent can exploit this vulnerability without being detected!
Many websites we connect to daily (for example, Google and Yahoo) use or have used the vulnerable versions of OpenSSL and thus are not immune. It was reported that OpenSSL is used by about 9% of the world’s top websites and that as many as two thirds of web servers rely on it to encrypt data.
Google has implemented measures to address the OpenSSL CVE-2014-0160 (the Heartbleed bug). You can read more about this here.
Did you know that if you log into your cPanel on a hosting provider that runs a vulnerable version of OpenSSL, your username and password may already have been compromised?
What should you do now?
- If you are a website owner, check whether your website is vulnerable here or check the SSL certificate here.
- If you are using shared hosting, contact your hosting provider immediately to get an update on whether they have already applied the security patches to close the loophole.
- If you are running your own server, ask your IT team to patch the server immediately. Seek assistance from your IT equipment vendor or other knowledgeable sources.
- After patching your server, generate a new public/private key pair; the old private key may already have been read from memory and must be treated as compromised.
- Request reissuance of your SSL certificates from the issuer. Reissuance is generally free but takes some time to request and set up.
- Change your passwords. The next time you log into a website, remember to change your password and make the new one strong. Password managers like LastPass, 1Password, KeePass, Roboform, Dashlane, Clipperz and Sticky Password can help you create strong passwords and remember your login credentials. For me, I have been using LastPass.
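The server-side steps above (check whether your build is affected, patch, then generate a new key pair and request a reissued certificate) can be scripted. The following POSIX shell script is an added example written for this page, not code from the original post or from the OpenSSL project. It assumes the `openssl` command-line tool is on PATH; the hostname and output directory passed to `rekey` are placeholders the caller supplies. The affected version range it checks (1.0.1 through 1.0.1f, plus 1.0.2-beta1; fixed in 1.0.1g) comes from the public OpenSSL advisory for CVE-2014-0160 and is not stated on this page.

```shell
#!/bin/sh
# Added example (not from the original post): a defender's post-Heartbleed
# checklist. It (1) compares the locally installed OpenSSL version string
# against the publicly documented affected range and (2) wraps the
# "new key pair + certificate request" step from the list above.
# Assumption: `openssl` is on PATH; hostname/output dir are caller-chosen placeholders.

# Affected range for CVE-2014-0160 (public OpenSSL advisory, not from this page):
# 1.0.1 through 1.0.1f inclusive, plus 1.0.2-beta1. 1.0.1g carries the fix.
# Returns 0 (true) when the version string falls inside that range.
heartbleed_affected() {
  case "$1" in
    1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1|1.0.2-beta1-*) return 0 ;;
    *) return 1 ;;
  esac
}

# Second field of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e".
installed_openssl_version() {
  openssl version | awk '{print $2}'
}

# Caveat: many distributions backport the fix without changing the version
# letter (a patched build can still report 1.0.1e), so a match here means
# "confirm against your vendor's advisory and package changelog", not proof of exposure.

# Step 4 of the list above: generate a fresh RSA private key and a certificate
# signing request (CSR) to hand to the issuer for reissuance. The old key is
# assumed leaked and must never be reused.
#   $1 = server hostname used as CN, $2 = writable output directory
rekey() {
  host=$1
  dir=$2
  # Subshell so the restrictive umask (key readable by owner only) does not leak out.
  ( umask 077 && openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$dir/$host.key" 2>/dev/null ) || return 1
  openssl req -new -key "$dir/$host.key" -subj "/CN=$host" -out "$dir/$host.csr" || return 1
  echo "New private key: $dir/$host.key"
  echo "CSR to submit to the certificate issuer: $dir/$host.csr"
}

# Stand-alone run: report whether the local build is in the affected range.
if command -v openssl >/dev/null 2>&1; then
  ver=$(installed_openssl_version)
  if heartbleed_affected "$ver"; then
    echo "OpenSSL $ver is in the Heartbleed-affected range: patch first, then run rekey."
  else
    echo "OpenSSL $ver is outside the affected range (still confirm with your vendor advisory)."
  fi
fi
```

After patching, run `rekey www.example.com /etc/ssl/private` (placeholder host and path), submit the `.csr` to your certificate issuer, install the reissued certificate, and ask the issuer to revoke the certificate bound to the old key, since anyone who captured that key can otherwise keep impersonating the site until it expires.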
The Heartbleed bug is a very serious problem that affects consumers across the web, though its real impact is hard to know: the vulnerability has existed for more than 2 years and exploitation leaves no trace (i.e. no one knows for sure whether anyone knew about this vulnerability before this week’s disclosure and, if someone did, whether and how widely the loophole was exploited). Luckily, a fix is already available and businesses have been busy applying it. Going forward, we as consumers must make sure we change our passwords the next time we log into a website. Business owners should inform their website visitors that the security patch has already been applied, to give them the assurance they need.
Never take online security for granted!