Heartbleed – Report from the War Room

Heartbleed OpenSSL Bug

No, this is not a joke. Although Neel Mehta of Google’s security team discovered the bug on April 1st, “Heartbleed” is no laughing matter.

It was revealed that there is a serious vulnerability in the popular OpenSSL cryptographic software library, allowing attackers to steal information normally protected by the SSL/TLS encryption used to secure the internet. This type of encryption normally provides security and privacy for internet applications such as email, web, instant messaging and some virtual private networks (VPN).

An attacker can thereby eavesdrop on communications, steal data directly from services or users, and impersonate services and users. They do this by reading the memory of systems running vulnerable versions of the OpenSSL software, which exposes the secret keys, the encrypted traffic, and user names and passwords.

Why “Heartbleed”? The bug itself is in OpenSSL’s implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520). When an attacker is able to exploit this flaw, memory contents are leaked from the server to the client and from the client to the server.
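To make the mechanism concrete, here is an added example (not code from this post, from Curotec, or from OpenSSL) of a heartbeat handler written the way RFC 6520 requires: the two-byte payload length declared by the peer is checked against the number of bytes that actually arrived, and a record whose declared length does not fit is silently discarded instead of being echoed back out of memory. The function names `hb_process`, `hb_make_request` and `hb_demo` and the sample "ping" record are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Heartbeat message layout per RFC 6520:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (at least 16 bytes)
 */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16
#define HB_REQUEST     1
#define HB_RESPONSE    2

typedef struct {
    int ok;               /* 1 if a response was produced, 0 if the record was discarded */
    size_t response_len;  /* number of bytes written to out */
} hb_result;

/* Build a heartbeat response for a received request record of record_len bytes.
 * The bound on payload_len is the check RFC 6520 mandates: a declared payload length
 * that does not fit inside the received record must be discarded, never copied. */
hb_result hb_process(const uint8_t *record, size_t record_len, uint8_t *out, size_t out_cap)
{
    hb_result r = {0, 0};
    if (record_len < HB_HEADER_LEN + HB_MIN_PADDING) return r;   /* too short to be valid */
    if (record[0] != HB_REQUEST) return r;

    uint16_t payload_len = (uint16_t)((record[1] << 8) | record[2]);

    /* Essential check: declared payload plus header and minimum padding must fit in what arrived. */
    if ((size_t)HB_HEADER_LEN + payload_len + HB_MIN_PADDING > record_len) return r;

    size_t resp_len = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap) return r;

    out[0] = HB_RESPONSE;
    out[1] = record[1];
    out[2] = record[2];
    memcpy(out + HB_HEADER_LEN, record + HB_HEADER_LEN, payload_len);   /* echo only bytes the peer sent */
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);        /* real padding is random; zeroed here */
    r.ok = 1;
    r.response_len = resp_len;
    return r;
}

/* Constructed sample: a request carrying the given payload, with the length field set to
 * declared_len so the caller can make it honest or make it lie about the payload size. */
static size_t hb_make_request(uint8_t *buf, size_t cap, const char *payload, uint16_t declared_len)
{
    size_t actual = strlen(payload);
    size_t total = HB_HEADER_LEN + actual + HB_MIN_PADDING;
    if (total > cap) return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(declared_len >> 8);
    buf[2] = (uint8_t)(declared_len & 0xFF);
    memcpy(buf + HB_HEADER_LEN, payload, actual);
    memset(buf + HB_HEADER_LEN + actual, 0, HB_MIN_PADDING);
    return total;
}

/* Send a "ping" request whose header claims declared_len bytes of payload.
 * Returns the response length when the handler answers, or -1 when it discards the record. */
int hb_demo(uint16_t declared_len)
{
    uint8_t req[64], resp[64];
    size_t n = hb_make_request(req, sizeof req, "ping", declared_len);
    hb_result r = hb_process(req, n, resp, sizeof resp);
    return r.ok ? (int)r.response_len : -1;
}

int main(void)
{
    printf("honest length 4    -> %d\n", hb_demo(4));       /* 23: 3 header + 4 payload + 16 padding */
    printf("declared length 5  -> %d\n", hb_demo(5));       /* -1: one byte more than was sent */
    printf("declared 0x4000    -> %d\n", hb_demo(0x4000));  /* -1: the Heartbleed-style oversized claim */
    return 0;
}
```

The honest request is answered with a 23-byte response; both the off-by-one and the grossly oversized claims are dropped, so no byte beyond the received record is ever read. A handler that trusts the declared length and copies it without this comparison is exactly what leaks process memory.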

In order to prevent this leak from happening, a new version of OpenSSL must be deployed. Operating system, appliance, and independent software vendors should immediately adopt the fix and notify their users. Service providers and users have to install the fix once it becomes available for the operating systems, software, and networked appliances they use.

Curotec has immediately taken the necessary steps to guard against this surprising and dangerous flaw. We are working diligently to completely understand this matter, a painful reminder of the constant watch needed against relentless hacking.

Should you have any questions or concerns about Heartbleed, please feel free to contact us immediately. When presented with a challenge such as this, it’s good to have Curotec in your corner.
