For the past year, we've been hearing and reading reports of government snooping on digital communications and received assurances that the trusty old SSL encryption protocol that serves to secure everything from bank transactions to password entry can be trusted to put up a good deal of resistance against would-be attackers.
Well, all that bravado may turn out to be in vain, as researchers at Google Security and Codenomicon in Finland have discovered a security flaw so basic, that it requires no particular preparation to exploit and targets may be as prevalent as half (or up to 2/3) of all Web servers.
But what does 'exploit' mean? Simply that a programming mistake that fails to limit the amount of data a program is expecting can cause the server to spew out all its secrets. Everything from encryption passwords to your secure connections to usernames, passwords and the sensitive data you exchange with banking, medical, ecommerce, social media, email, instant messaging and other servers can be affected.
Want to know if your favorite site is affected? Simply go to the Heartbleed Test site and type it in.
This is a big one, and what's worse, it's been around since 2011. Worse yet, it's undetectable. It leaves no trace in server logs and if anyone has ever stolen the data from your Internet service provider, bank, or any of the sites you 'securely' log into, it will be next to impossible to ever track back.
Oh and it gets just a little worse than that: with the stolen encryption keys, attackers can not only view all your transactional data and live streaming content, but also inspect all the traffic that has been captured since the vulnerable version of OpenSSL was installed, potentially as far back as December 2011 or March 2012. That is, unless your particular server has something called Perfect Forward Secrecy, which limits the exposure of any data to the current session and not any from the past, but most organizations haven't yet gotten around to adopting this level of protection.
So what's to do? If you're a company and or know one you're concerned about, I've set up an email hotline to help advise and independently verify their remediation efforts. Simply email Verify@Heartbleed.ca and a member of my security team (or I) will respond.
If you're a partner, employee, user or individual stakeholder with personal or sensitive information at risk, ask them to get in touch and ask for my 7-step Heartbleed Remediation Checklist. They'll be glad they did. Unfortunately individual users can't do much more than reset their passwords and hope their favorite site doesn't show up on the list of vulnerable servers. Even in those cases, prospects so far are bleak, with an estimated 56 million installed Apache Servers, most of which are running OpenSSL, companies have a lot of work ahead of them. Sorry, no good news today!
In the early 1920s, the Enigma machine was a portable encryption machine with rotor scramblers used for encoding and decoding confidential messages....
There's a new security vulnerability in town. It's not even that new, we just didn't know about it until now. But it's a whopper and it threatens to i...
Security is about risk. And risk is about numbers. Given the high probability of suffering data security and privacy breaches, is it any wonder compan...
Ever wonder what the use of stealing millions of email addresses is? All those often downplayed, 'low sensitivity' data breaches have massive potent...
I'm often surprised at the public's disappointment with the realization that security processes are not directly analogous to the medical notion of im...
This past Christmas season hasn't been kind to the Target chain of retail stores nor to its brand. A brazen attack took place in December that affecte...