You may have noticed a bit of flurry in the media over the past couple of days about the Heartbleed bug. What is the Heartbleed bug you ask? That’s a great question very few people knew the answer to until recently.
The Heartbleed Bug Explained
OpenSSL is software used by a significant number of websites to encrypt their data and communications. Such data may include passwords, usernames, credit card details and just about any other form of sensitive information. The Heartbleed bug has managed to compromise OpenSSL by allowing harmful sources to access this encrypted data and extract 64 kilobytes of information from the memory of a server at any one time – over and over again. Attackers are able to eavesdrop of communications, thieve data directly from servers and impersonate servers and users.
Possibly the biggest concern about this bug is that you are not even aware your server has been hacked. Even if the flaw in the Open SSL is ‘patched up’, this will only prevent future attacks from occurring and cannot rectify the damage done by data that has already been extracted from your server, leaving many vulnerable. Given the age of the software, it is possible that data could have been exposed for up to two years before anyone realising.
What Does This Mean for Internet Security?
It is difficult to ascertain the extent of the damage given the amount of time the bug has gone undetected. According to some testing carried out by Hacklabs, of the 200 ASX listed sites that could potentially be exposed to the Heartbleed bug, 10% of the sites were found to be vulnerable at the time of writing. It is recommended administrators apply the up-to-date version of OpenSSL to adopt the fix and prevent further attacks because as long as you continue to use the versions which have been affected, your data is insecure.
For further information on how you can protect yourself against the Heartbleed bug, please refer to CNET who have listed some recommendations from security experts on how to ensure your information is secure.