OpenSSL- Opening your door to data thieves

Heart Bleed, OpenSSL, Encryption, Flaw

Heart Bleed, OpenSSL, Encryption, FlawSo OpenSSL for two years was an open door to your data. Sure, there wasn’t just the obvious “here’s the data” sign for folks to see, but for those looking for exploits that no one else was (which is why it went on for two years) going after the data that is in the “live” or working memory of a server was a very uncommon place to look. Oddly, the security that OpenSSL was known for (because about half of the Internet servers in use are secured with OpenSSL) was providing that open door in 64Kb chunks.

Wait, Dave the IT Guy, 64kb and you’re wasting more than that typing about it? Well, since no one knew to look here for the open door (except some sneaky types) the process was repeatable and not discovered. So many MB and GB were able to be stolen from these servers over time without anyone even knowing an attack had taken place.

The nickname of this exploit is “Heartbleed” because it relies on what is called the heartbeat of a server. The heartbeat is a collection of systems information that lets you know what is going on (memory use, processor, hard drive, network) and these all have their own memory space address in your RAM (memory) of a server. Hence data is there for a short period of time, unencrypted.

Security firm Codenomicon wrote an article about this exploit that you can read here. OpenSSL themselves released this notice just yesterday. The worst thing about this particular bug, is that exploiting it leaves absolutely no trace of your presence. Nada, you were never there.  If you want to see something scary, here is a list of places still open to the vulnerability as of yesterday, although all are working quickly (at least we hope) to fix this flaw.

Skip to toolbar