Serious threats from Heartbleed Bug


What is the Heartbleed (CVE-2014-0160) issue?

Heartbleed is a serious vulnerability through which an attacker can easily steal sensitive data such as login credentials, card numbers and other encrypted information used on online banking and e-commerce sites. It was found in early April and lives in the OpenSSL software library, which is regarded as highly secure and is used by many web applications for secure transactions.

How does this bug work?

The Heartbleed bug works by tricking the computer with fake information; the computer then responds to the attacker by handing over contents of its stored memory. This compromises the secret keys used to identify service providers and to encrypt the traffic, the users' names and passwords, and the actual content. It allows attackers to spy on communications, take information directly from services and users, and impersonate services and users.

Things to worry about

Many cyber security experts consider Heartbleed the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet. Why is that?

  • OpenSSL, an implementation of SSL (Secure Sockets Layer), provides communication security and privacy through encryption over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). Because the bug sits in this layer, it has undermined around half a million secure websites, email and instant messaging services, and likely a variety of other programs and applications.
  • Discovered in early April, Heartbleed lets attackers steal data from computers; recent reports show that it can also give access to forums and chat rooms, which are otherwise very hard to penetrate.
  • The big problem is that it is undetectable: you don't know it is happening. If your Gmail was hacked and they tell you to change your password and you do, the hack still does not go away.
  • Heartbleed.com attacked their own server from an attacker's perspective and found that the bug can steal sensitive data without using any privileged information or credentials, which makes the situation more severe.

Typically, OpenSSL implementations are present on servers running Apache and nginx. Unfortunately, Apache remains the dominant web server today, with more than half of the internet's active sites running on it, and nginx has about another 14%. The Heartbleed bug was introduced in December 2011. It affects OpenSSL version 1.0.1, which was released in March 2012, through 1.0.1f, which was released on Jan 6 of this year.

What not to worry about

Heartbleed has no effect on:

  • DOD classified networks, and it has minimal effect on DOD unclassified sites.
  • Common access cards and the PIN numbers associated with them.
  • Products which do not include OpenSSL on their server.
  • Applications which use OpenSSL 1.0.1g, or the OpenSSL 1.0.0, 0.9.8 and 0.9.7 branches.

How did we stop it?

To address this vulnerability, we followed the steps below.

Step#1: We checked the version of OpenSSL on the server.

# yum info openssl

Step#2: Then we updated it to a version that is not affected by Heartbleed.

# yum update -y openssl

Step#3: After updating OpenSSL, restart the services that use the library, or reboot the server itself.
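As an added example (not the post's own code), here is a small POSIX shell script that carries the three steps above through on a yum-based host: it parses the version out of the openssl version banner, classifies it against the affected range the post gives (1.0.1 through 1.0.1f), allows for the fact that RHEL/CentOS backport the fix without bumping the version string (so it also looks for CVE-2014-0160 in the RPM changelog), and uses lsof to list processes that still map the old, deleted libssl and therefore need a restart. The function names are mine; it assumes openssl, rpm and lsof are installed.

```shell
#!/bin/sh
# Added example, not code from the original post: classify an OpenSSL version
# string against the affected range the post gives (1.0.1 through 1.0.1f),
# then optionally inspect a yum-based host. Assumes openssl, rpm and lsof.

# Prints "vulnerable" and returns 0 when the bare version is 1.0.1 .. 1.0.1f
# (with or without a suffix such as -fips); otherwise prints "unaffected"
# and returns 1, which covers 1.0.1g, the 1.0.0 / 0.9.x branches and later.
heartbleed_status() {
  case "$1" in
    1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) echo "vulnerable"; return 0 ;;
    *)                             echo "unaffected"; return 1 ;;
  esac
}

# "OpenSSL 1.0.1e-fips 11 Feb 2013" -> "1.0.1e-fips"
openssl_version_from_banner() {
  printf '%s\n' "$1" | awk '{print $2}'
}

# Live check. RHEL/CentOS backport the fix without changing the version
# string, so a "vulnerable" banner is only conclusive when the RPM changelog
# has no CVE-2014-0160 entry. Returns 0 if the host still needs action.
check_host() {
  banner=$(openssl version 2>/dev/null) || { echo "openssl not found"; return 2; }
  ver=$(openssl_version_from_banner "$banner")
  needs_action=1
  if heartbleed_status "$ver" >/dev/null; then
    if rpm -q --changelog openssl 2>/dev/null | grep -q CVE-2014-0160; then
      echo "$ver: fix backported by the distribution"
    else
      echo "$ver: VULNERABLE, run: yum update -y openssl"
      needs_action=0
    fi
  else
    echo "$ver: not in the affected range"
  fi
  # Step 3 from the post: a process that still maps the old, now-deleted
  # libssl keeps the vulnerable code in memory until it is restarted.
  stale=$(lsof -n 2>/dev/null | awk '/libssl/ && /DEL/ {print $1}' | sort -u)
  if [ -n "$stale" ]; then
    echo "restart needed for: $(printf '%s ' $stale)"
    needs_action=0
  fi
  return $needs_action
}

if [ "${1:-}" = "--check" ]; then check_host; fi
```

Run it as root with --check; an exit status of 0 means the host still needs an update or a service restart.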

To combat such bugs and vulnerabilities, you need expert, accomplished QA engineers. You can also offshore QA services, which give you a savvy and smart solution to your goal. Andolasoft has also launched free security testing where you can check your web app's health report at no cost.

Like this blog? I'd love to hear your thoughts on it. Thanks for sharing your comments.


Jayadev Das - Post Author

Do what you do best in – that’s what I’ve always believed in and that’s what I preach. Over the past 25+ years (yup that’s my expertise ‘n’ experience in the Information Technology domain), I’ve been consulting to small, medium and large companies ‘About Web Technologies, Mobile Future as well as on the good-and-bad of tech. Blogger, International Business Advisor, Web Technology Expert, Sales Guru, Startup Mentor, Insurance Sales Portal Expert & a Tennis Player. And top of all – a complete family man!
