On April 8, 2014, several news agencies, including the New York Times and CNN, reported the discovery of a vulnerability in a core security protocol used by an estimated two-thirds of the world’s servers. The vulnerability lies within the OpenSSL encryption technology used for conducting a multitude of internet communications including online transactions previously thought to be secure. Would-be hackers can exploit this flaw to obtain financial information, usernames, passwords, security keys and almost any other data without leaving a trace. Companies and individuals are urged to take steps to both secure their online accounts and assess their exposure to malicious activity. Companies and organizations that use cloud technology or other online services should understand what protections their service providers have put in place and investigate whether additional action is warranted.
The vulnerability, known by the moniker Heartbleed or the Heartbleed bug, was disclosed last week by a Google employee and an independent Finnish company named Codenomicon. According to the researchers, the vulnerability affects the OpenSSL 1.0.1 implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. OpenSSL is widely used to secure thousands of websites, as well as to provide security for mobile devices, virtual private networks and hardware.
While online service providers and tech companies scramble to deliver and apply patches, many systems are still at risk and have been for an estimated two years, since March 2012. Google, Amazon, Instagram and many other notable online businesses and app developers have already reportedly taken steps to secure their sites. Because the use of OpenSSL is so widespread, many smaller online companies, which may not have the resources of the online giants, are still at risk. Patches need to be applied, compromised certificates need to be replaced, and passwords should be reset. This remediation and auditing process will be difficult and burdensome. Patching is likely to be further complicated where hardware is not connected to a network, such as industrial control equipment, which may require a physical connection to the affected equipment to apply the patch.
Once the immediate threat has passed, this event may also provide an opportunity to review security incident response plans as well as vendor relationships for the appropriate contractual protections.