Heartbleed Bug, an OpenSSL vulnerability
The Heartbleed Bug is an OpenSSL vulnerability that would allow malicious hackers to steal information from websites that would normally be protected by the SSL/TLS encryption. The open source OpenSSL cryptography library is used to implement the Internet’s Transport Layer Security (TLS) protocol.
Named by the researchers who discovered the security flaw, the Heartbleed Bug theoretically lets anyone on the Internet access a secure Web server running certain versions of OpenSSL to obtain site encryption keys, user passwords and site content.
According to the official Heartbleed Bug website, OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable while OpenSSL version 1.0.1g patches the security flaw.
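Because the affected range is defined purely by version string, a defender's first step is an inventory check. The following is an added example, not code from the original page: it parses `openssl version` output, flags builds in the 1.0.1 through 1.0.1f range, and runs over a constructed host inventory. Hostnames and version strings are constructed for illustration.

```python
import re

# OpenSSL version strings look like "1.0.1e" or, from `openssl version`,
# "OpenSSL 1.0.1e 11 Feb 2013". Patch releases append a letter.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, fix, patch_letters) parsed from a version string.

    Raises ValueError when no OpenSSL-style version is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix, letters = m.groups()
    return int(major), int(minor), int(fix), letters


def is_heartbleed_vulnerable(text):
    """True for OpenSSL 1.0.1 through 1.0.1f; 1.0.1g and later are fixed.

    Caveat: distributions sometimes backport the fix without changing the
    upstream version letter, so a hit here means "verify the package
    changelog", not a confirmed exposure. Other branches (0.9.8, 1.0.0,
    1.0.2) never carried the bug.
    """
    major, minor, fix, letters = parse_openssl_version(text)
    if (major, minor, fix) != (1, 0, 1):
        return False
    # "" (plain 1.0.1) through "f" sort below "g", the first fixed release.
    return letters < "g"


def audit_inventory(inventory):
    """Return hostnames whose reported OpenSSL build falls in the bad range."""
    return [host for host, version in inventory if is_heartbleed_vulnerable(version)]


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, `openssl version` output)
    sample = [
        ("web-01", "OpenSSL 1.0.1e 11 Feb 2013"),
        ("web-02", "OpenSSL 1.0.1g 7 Apr 2014"),
        ("mail-01", "OpenSSL 0.9.8y 5 Feb 2013"),
        ("vpn-01", "OpenSSL 1.0.1f 6 Jan 2014"),
    ]
    for host in audit_inventory(sample):
        print("needs patching:", host)
```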
Heartbleed Flaw Creation and Bug Discovery
The Heartbleed bug was initially discovered by Google engineer Neel Mehta and the Finnish security firm Codenomicon. The security flaw was introduced into the open source OpenSSL encryption library by German software developer Robin Seggelmann. Since the flaw became widely known, Seggelmann has said that he and another code reviewer inadvertently missed the bug and that it was not inserted maliciously, despite online conspiracy theories about Heartbleed, such as claims that the NSA used the bug to spy.
The Heartbleed Bug in the News
- Heartbleed Bug Rumors
- RCMP asked Revenue Canada to delay news of SIN thefts
- Heartbleed bug bites millions of Android phones
- Heartbleed bug: What’s affected and what passwords you need to change
- Tests confirm Heartbleed bug can expose server’s private key
Heartbleed Attacks
There are few documented cases of attacks exploiting the Heartbleed bug, but security experts warn that using the bug would leave no trace and all websites using the affected OpenSSL versions should be considered compromised.
While many large sites, including Google, Facebook and others, were quick to note that their services were “safe” from Heartbleed, the public announcement on April 8, 2014 seems to have prompted attacks. The Canada Revenue Agency (CRA) shut down its public online services to patch the flaw, but before the fix was implemented the CRA said 900 social insurance numbers were stolen from CRA computers by persons exploiting the Heartbleed bug.
In another reported attack, the UK-based parenting website Mumsnet also claims to have experienced a breach in which the infiltrator claimed to have used Heartbleed to access an account. The site provided some details to its users along with instructions on how to reset site passwords.
Heartbleed: Beyond the Internet
The Heartbleed bug extends beyond the Internet. For example, mobile devices running the Android 4.1.1 operating system (released in 2012) have the Heartbleed software bug. All other Android versions are immune to the flaw, but this still leaves millions of smartphones and tablets vulnerable. In addition, operating systems including Debian Wheezy (stable), Ubuntu 12.04.4 LTS, CentOS 6.5, OpenBSD 5.3 and OpenSUSE 12.2 shipped with a vulnerable OpenSSL version.