Heartbleed Bug Finally Exposed

Where you live, what you do and who you are hanging out with will strongly influence what you know. Two years ago, when I was a website content writer, perhaps I would have been the first one to know about Heartbleed. This morning, when my boss had just arrived in the office, he asked me to call the IT guy, and he was seriously talking about hacking stuff. Wow, my boss is talking about hacking stuff? And I was just like, where have I been?

It is true that recently all I have been doing is preparing a bunch of reports, with no time to surf the internet. Well, I also have some writing projects to finish, but never mind; this morning I just want to talk about Heartbleed.

So, what is Heartbleed?

Heartbleed is a serious security bug, or vulnerability, in the popular open-source OpenSSL cryptographic software library. As we know, SSL/TLS is a cryptographic protocol that provides the security and privacy we need when communicating over the Internet; it is widely used in email, web, IM and some VPNs. Heartbleed enables a third party to steal information/data (including usernames and passwords) and even eavesdrop on conversations; worst of all, the third party could impersonate both the service provider and the user.
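As an added illustration (not from the original post or from the OpenSSL project), the following Python simulation shows the mistake behind the leak: the heartbeat handler trusts the length the sender claims, so the reply echoes back whatever happens to sit next to the request in memory, while the patched handler first checks that the claimed length fits the record actually received. The buffer layout and the neighbouring data are constructed for the example.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = b"\x00" * 16   # a heartbeat message carries at least 16 bytes of padding

# Constructed sample: data left behind in the same memory region as the incoming record.
NEIGHBOURING_DATA = b"session_cookie=abc123; password=hunter2"

def build_request(payload: bytes, claimed_length: int) -> bytes:
    """Heartbeat record: type (1 byte), payload_length (2 bytes, big-endian), payload, padding.
    claimed_length is what the sender *says*; it does not have to match len(payload)."""
    return bytes([HB_REQUEST]) + struct.pack(">H", claimed_length) + payload + PADDING

def receive(record: bytes) -> bytearray:
    """Simulate the record being copied into a buffer that still holds old data after it."""
    return bytearray(record) + NEIGHBOURING_DATA

def vulnerable_heartbeat(buf: bytearray, record_length: int):
    """Unpatched behaviour (simplified): trust the sender's payload_length field."""
    payload_length = struct.unpack(">H", bytes(buf[1:3]))[0]
    # Copy payload_length bytes starting at the payload. A Python slice stops at the end
    # of the buffer; the real C memcpy simply keeps reading adjacent process memory.
    payload = bytes(buf[3:3 + payload_length])
    return bytes([HB_RESPONSE]) + struct.pack(">H", payload_length) + payload + PADDING

def patched_heartbeat(buf: bytearray, record_length: int):
    """Fixed behaviour: the claimed payload must fit inside the record actually received."""
    payload_length = struct.unpack(">H", bytes(buf[1:3]))[0]
    if 1 + 2 + payload_length + 16 > record_length:
        return None   # malformed heartbeat: silently discard it
    payload = bytes(buf[3:3 + payload_length])
    return bytes([HB_RESPONSE]) + struct.pack(">H", payload_length) + payload + PADDING

def response_payload(response):
    """Return the payload echoed in a heartbeat response, or None if it was discarded."""
    if response is None:
        return None
    length = struct.unpack(">H", response[1:3])[0]
    return response[3:3 + length]

if __name__ == "__main__":
    legit = build_request(b"ping", 4)    # 4 bytes sent, 4 claimed
    evil = build_request(b"ping", 60)    # 4 bytes sent, 60 claimed
    for name, req in (("legitimate", legit), ("oversized", evil)):
        buf = receive(req)
        print(name, "unpatched:", response_payload(vulnerable_heartbeat(buf, len(req))))
        print(name, "patched:  ", response_payload(patched_heartbeat(buf, len(req))))
```

Running it shows the unpatched handler returning the constructed cookie and password alongside the four real payload bytes, while the patched handler answers the oversized request with nothing at all.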

What makes Heartbleed different from the other bugs exploited previously?

Some bugs in software are easily fixed by upgrading the software to the latest version. However, Heartbleed is not just a bug that you can fix by upgrading, because some memory contents (data, information, secrets) may already have been stolen and exposed over the internet. Besides, so far the attacks leave no trace at all, only taken data. That is why some further actions are required to recover from the after-effects.

How to recover from the after-effects of Heartbleed?

Well, there are several ways, classified into 4 categories based on how the data leaked.
  • Primary Key Material. In simple words, what leaks is the primary encryption key itself. Once the key has leaked, it is possible for the attacker to decrypt the encrypted data or protected service and then impersonate the service provider/owner. To recover, the service owner should patch the bug/vulnerability, revoke all the leaked keys and then issue new keys. To be safe, since the fixed OpenSSL has been released, it is important for the provider to install it and also notify their users to do the same.
  • Secondary Key Material. In this case, the after-effect hits the users, or whoever has credentials used on the vulnerable service. The simplest examples are usernames and passwords. The provider or service owner should do the first step as mentioned above, but then the users should change their username and password, and resetting their recent cookies is also required.
  • Protected Content. Protected content means all things like documents, data, email and personal information that are worth protecting by encryption. For example, you have trusted a certain insurance website where all kinds of your data, from your home address up to your bank account, is available so that both you and your insurance provider can access it easily. If somehow the contents are leaked, the web provider should notify their customers regarding the data loss, and that is why it is important to restore the primary and secondary key materials first.
  • Collateral. Well, this one is a bit technical; it is directly related to memory content which may contain other technical details. Those technical details lose their value once OpenSSL is upgraded to the fixed version.

How to check whether a website is vulnerable or not?

Moreover, there is a way you can check whether a website is vulnerable and requires a patch or not. Some websites are not vulnerable because they do not use OpenSSL, which Heartbleed is based on. However, even for websites that were once vulnerable but have now been patched, a password change is still recommended. For a list of some popular websites, please visit c|net to find out the latest status of the Heartbleed bug. Or you can directly visit SSLLabs to check the Heartbleed status of a site by domain name.

Main source: Heartbleed.com, and big thanks to CODENOMICON.


1 comment:

livecustomwriting.com said...
November 3, 2016 at 6:29 PM

Heartbleed is a very good bug to make your site less vulnerable.


Eka Arifin
A Professional Ghostwriter | Freelance Blogger | Personal Assistant in a Plantation Company | Struggling to be a Novelist | The #1 Fans of Arctic Monkeys | Who Calls Herself an Amateur Musician Who Cannot Live Without Books | Currently Living in the Deep of Borneo and Married a Nice Guy ^^
