What is Heartbleed and what's the damage?

by Eli
on 15 April 2014

Heartbleed is the unofficial, yet public name for a software vulnerability in a popular encryption library.

Whilst OpenSSL is supposed to protect sensitive data, it has inadvertently been harbouring a dangerous vulnerability that allows an attacker to steal sensitive data with very little effort. The data obtained comes straight from the server's memory, meaning passwords, communications, secret keys and... well, you get the idea. The vulnerability was made public on April 7, and a fix has since been made available. All web hosts and companies are responsible for ensuring their servers are either patched with the fix or running the latest version of OpenSSL. All customers of Webmaster Studios are safe from the exploit. But it should be stressed that a large chunk of the internet uses OpenSSL for encryption.

The damage caused won't be known for a while, and therein lies the problem. An attack leaves no trace on the server, so a victim wouldn't know they had been compromised until things really start to go wrong. How much has already been stolen is a mystery. The frightening aspect of the story is that this vulnerability has been present for the last 2 years, except that the public didn't know about it. If criminal minds did know of it, then who knows what has been stolen and what hasn't. The full extent of the damage probably won't be realised for a while.

What everyone can do now, however, is ensure that their servers and websites are patched and up to date, and change their passwords across the board. It is standard IT practice to update passwords regularly, for this very reason: security patches are always being released, and the threat is always there. Memorising so many passwords becomes daunting; one strategy is to add a prefix or suffix to existing passwords, which aids memory.

Webmaster Studios is currently assisting various companies in performing security checks and ensuring sites and servers are protected.