Heartbleed? Is that a disease?

Travis Phillips -

What is Heartbleed and am I at risk?

Heartbleed has been described by many as a virus. IT IS NOT! Heartbleed is a security hole in the programming of OpenSSL. OpenSSL is a protocol that is responsible for over 60% of the encryption that happens when a client (you) accesses a server (website).

How does this happen?

That's the more difficult part to explain. When a client accesses a website, data is sent from the client to the server. It does this by storing data in memory. That memory gets replicated and sent to the server on which the website is hosted. This data can be passwords, credit card numbers, names, addresses, just about any information that a user enters into the site. The server will then acknowledge that it has received this information by sending another copy of the same information back to the client. This is known as a "heartbeat".

So where's the risk?

The risk lies in a simple oversight by the programmers who wrote these security protocols. The client computer must send three different pieces of information in order for the server to accept it: the location in the client's memory where the data is stored, the data itself, and the SIZE of the data that is being sent. The problem is that (until recently) the size of the data being transferred was never verified by the server receiving the information.

Say, for instance, that the client is sending 32 kilobytes of information, but it is sent as 64 kilobytes, with the rest just being empty data. If the server doesn't verify the size of the actual data being sent, it accepts the data as 64 kilobytes. The server will replicate the original 32 kilobytes of data plus an additional 32 kilobytes of seemingly useless data from memory, the sum of which becomes the "heartbeat". These additional kilobytes of data can be another user's password, credit card info, etc. This data is sent back to the client system.
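As an added illustration of the missing size check described above (a constructed toy model, not OpenSSL's own code), the following simulates a heartbeat handler before and after the fix. The record layout, the server "memory" and the leftover data from another session are all assumed for the demonstration.

```python
# Toy model of the heartbeat handling described above (constructed example,
# not OpenSSL's code). Server "memory" is simulated as one byte string: the
# received heartbeat record followed by data another session left behind.
import struct

def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    # Record: type (1 byte) | claimed payload length (2 bytes) | payload | 16 bytes padding
    return bytes([1]) + struct.pack(">H", claimed_len) + payload + b"\x00" * 16

def vulnerable_heartbeat_response(memory: bytes, record_len: int) -> bytes:
    # Trusts the length field and copies that many bytes from where the
    # payload starts, even if that runs past the end of the received record.
    claimed_len = struct.unpack(">H", memory[1:3])[0]
    return bytes(memory[3:3 + claimed_len])

def patched_heartbeat_response(memory: bytes, record_len: int):
    # The fix: the claimed payload (plus type, length and padding bytes)
    # must fit inside the record that was actually received.
    claimed_len = struct.unpack(">H", memory[1:3])[0]
    if 1 + 2 + claimed_len + 16 > record_len:
        return None  # malformed heartbeat is silently discarded
    return bytes(memory[3:3 + claimed_len])

def demo(claimed_len: int):
    """Run both handlers on a record whose length field says claimed_len."""
    payload = b"hello"
    record = build_heartbeat(payload, claimed_len)
    # Constructed neighbouring memory: what another user's session left behind.
    leftover = b"user=alice&password=hunter2; card=4111-1111-1111-1111"
    memory = record + leftover
    vuln = vulnerable_heartbeat_response(memory, len(record))
    patched = patched_heartbeat_response(memory, len(record))
    return vuln, patched

if __name__ == "__main__":
    print("honest length:", demo(5))   # both handlers echo b"hello"
    print("lying length: ", demo(40))  # vulnerable copy spills into leftover data
```

With an honest length both handlers echo the payload; with an oversized length the unpatched handler returns the padding and neighbouring memory while the patched one returns nothing.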

Why is this an issue?

Well, suppose a hacker is sending data in the same way as described above to the vulnerable server. The server will do the same as it did before. Only this time a hacker is receiving the information. What makes this truly scary is that it can be done over and over again. Whoever is using this exploit can sift through all of the data that has been received from the vulnerable server, giving the wrong person the most personal information that is important to you.

So, what can I do?

The short answer is nothing. A patch has already been released for the websites that are using the old, vulnerable version of OpenSSL, which addresses the issue of not verifying data sizes when they are received by the server. If the websites have not upgraded, they are still vulnerable and will continue to be so until they upgrade their software. The following is a link to a website that can verify the version of OpenSSL installed on the host computer (server) and will tell you if it is vulnerable.

https://lastpass.com/heartbleed/

The attachment posted is a compilation of websites that I have tested.

Please note that as websites update their software and close this security hole, the test results will change. 

It is recommended that users change ALL of their passwords as soon as a site with this vulnerability updates its software. Doing so beforehand will not be of any use, as the new password can still be acquired by a hacker until the website does update.
