The Heartbleed Vulnerability
In April 2014, OpenSSL, a software library used mainly for secure communications, disclosed a serious vulnerability. Nicknamed Heartbleed, the flaw sat in the TLS heartbeat extension, the keep-alive exchange between a client and a server: an attacker could send a malformed heartbeat request that tricked the server into returning a chunk of its own memory. Because of this flaw in the cryptographic library, attackers could read user names and passwords, eavesdrop on communications that were supposed to be encrypted, and impersonate both websites and their visitors.
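To make the mechanism concrete, here is an added C example (not OpenSSL's code) that simulates a heartbeat handler in its vulnerable shape beside the bounds-checked shape that fixed it. The 128-byte memory image, the request that claims 100 payload bytes while carrying 4, and the neighbouring "session=ABC123" data are all constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>
/* Heartbeat record (RFC 6520): 1-byte type, 2-byte big-endian payload
 * length, payload, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
/* Simulated process memory (constructed): the received record lands at
 * offset 0 and unrelated in-process data happens to sit right behind it. */
typedef struct { uint8_t mem[128]; size_t record_len; } conn_t;
typedef size_t (*handler_fn)(const conn_t *, uint8_t *out);

static size_t respond(const uint8_t *payload, size_t len, uint8_t *out) {
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(len >> 8);
    out[2] = (uint8_t)len;
    memcpy(out + 3, payload, len);          /* echoes whatever len covers */
    memset(out + 3 + len, 0, HB_PADDING);
    return 3 + len + HB_PADDING;
}
/* Vulnerable shape: the peer-supplied length is trusted without comparing
 * it to the number of bytes actually received. */
size_t heartbeat_vulnerable(const conn_t *c, uint8_t *out) {
    const uint8_t *p = c->mem;
    if (p[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)p[1] << 8) | p[2];
    return respond(p + 3, claimed, out);
}
/* Hardened shape: drop the record unless header + claimed payload + padding
 * fits inside what was received (silent discard, no error reply). */
size_t heartbeat_fixed(const conn_t *c, uint8_t *out) {
    const uint8_t *p = c->mem;
    if (c->record_len < 3 + HB_PADDING || p[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)p[1] << 8) | p[2];
    if (3 + claimed + HB_PADDING > c->record_len) return 0;
    return respond(p + 3, claimed, out);
}
/* Builds the constructed request (claims 100 bytes, carries "ping") and
 * reports whether the handler's reply echoes the neighbouring data. */
int leaks_adjacent(handler_fn h) {
    conn_t c; uint8_t out[256]; memset(&c, 0, sizeof c);
    const uint8_t req[] = { HB_REQUEST, 0, 100, 'p', 'i', 'n', 'g' };
    memcpy(c.mem, req, sizeof req);
    c.record_len = sizeof req + HB_PADDING;       /* 23 bytes really arrived */
    memcpy(c.mem + 64, "session=ABC123", 14);     /* unrelated neighbour */
    size_t n = h(&c, out);
    for (size_t i = 0; i + 14 <= n; i++)
        if (memcmp(out + i, "session=ABC123", 14) == 0) return 1;
    return 0;
}
```

The vulnerable handler copies 100 bytes starting 3 bytes in, so the reply carries the neighbouring data; the fixed handler rejects the same record because 3 + 100 + 16 exceeds the 23 bytes received.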
As an internet-dependent population, web users are keenly aware of the importance of securing confidential information online. When working as intended, OpenSSL is what implements the Internet's security protocols for a large share of services. When it is exposed, as with Heartbleed, up to 66% of the internet may find itself at risk. From instant messaging to apps to email services to printers, a majority of the web relies on OpenSSL to protect users' information.
Why should I be worried?
Nearly three years after the OpenSSL vulnerability was revealed, most of the internet has moved on. However, the same OpenSSL flaw that induced panic in 2014 is still present in nearly 200,000 servers and devices today, according to a report released by Shodan. The search engine also revealed that the United States currently hosts one in five of these vulnerable devices, and that Amazon and Verizon maintain the highest number of flawed servers within the U.S.
Exploiting this security bug, attackers have been able to steal usernames and passwords as well as business documents and communications. Perhaps even more frightening is that attacks through the Heartbleed vulnerability leave no trace whatsoever, and that the design flaw lets third parties read significant amounts of information given enough time.
What can I do?
If your website or app is still running on the vulnerable version of OpenSSL, the first step is to adopt the fixed version and then inform users of the potential breaches. Users themselves should check that the sites they visit regularly have updated their servers, and should change passwords once those sites have adopted the updated OpenSSL software. Experts also recommend against reusing any previously exposed password, and point to password managers as a safety tool.
Though devastating, the OpenSSL flaw shows how much depends on well-managed data center operations. Providing a range of managed data center solutions, Silverback Data Center Solutions can keep your servers running smoothly.