Unless you were hiding under a rock, you are probably aware that a major security flaw was discovered about a month ago, but had existed for over 2 years. The implication is that during that time, many skilled malicious people from all over the world could have been using secure keys to bypass secure servers without leaving a trace that a site had been hacked!

Why should you care? Well, about 66% of “secure” web sites [including Facebook and the FBI] have relied on OpenSSL and may be vulnerable. That does not mean they have been hacked, only that a potential hole existed.

The Heartbleed bug, as it's now known, affects any sites and services running specific versions of OpenSSL (1.0.1 through 1.0.1f). Many sites may run older versions of OpenSSL that are not vulnerable, and many have likely already updated to a version with the new bug fix. Other services like TLS, ssh or VPN were not affected, and not all sites and services use OpenSSL (except OpenVPN).

OpenSSL is an open source library that implements the SSL protocol. An SSL Certificate is, essentially, the digital lock used by SSL to secure internet communications. It contains, amongst other things, the identity of the certificate’s owner, some indication of who verified the certificate’s creation (the Certificate Authority or CA) and a digital code encrypted by the certificate issuer. The Heartbleed vulnerability affected websites or systems that used the OpenSSL library, not the certificates themselves. The flaw can potentially be used to reveal not just the contents of a secured message, such as a credit-card transaction over HTTPS, but the primary and secondary SSL keys themselves!
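To make that last point concrete, here is an added, self-contained C sketch (not code from this post or from OpenSSL) of the defect's shape: a heartbeat handler that trusts the payload length the peer declared, beside one that checks it against the record actually received. The record layout, the 64-byte `mem` array and the `secret` string standing in for key material are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Heartbeat body: type (1) | payload_length (2, big-endian) | payload | padding (16). */
#define HB_HDR 3
#define HB_PADDING 16

/* Simulated process memory: the record, then data standing in for key material. */
static unsigned char mem[64];
static const char secret[] = "SERVER-PRIVATE-KEY-BYTES"; /* constructed sample */

/* Lay out a record whose declared payload length may exceed the bytes present. */
static size_t build_record(uint16_t declared_len, const char *payload) {
    size_t plen = strlen(payload);
    memset(mem, 0, sizeof mem);
    mem[0] = 1;                                   /* heartbeat_request */
    mem[1] = (unsigned char)(declared_len >> 8);
    mem[2] = (unsigned char)(declared_len & 0xff);
    memcpy(mem + HB_HDR, payload, plen);
    size_t rec_len = HB_HDR + plen + HB_PADDING;
    memcpy(mem + rec_len, secret, sizeof secret); /* adjacent heap contents */
    return rec_len;                               /* true length of the record */
}

/* Vulnerable shape (1.0.1 to 1.0.1f): the peer's declared length drives the copy. */
static int heartbeat_vuln(size_t rec_len, unsigned char *out, size_t out_cap) {
    (void)rec_len;                                /* never consulted: the bug */
    uint16_t plen = (uint16_t)((mem[1] << 8) | mem[2]);
    if (plen > out_cap) return -1;                /* keeps the demo inside mem[] */
    memcpy(out, mem + HB_HDR, plen);
    return (int)plen;
}

/* Fixed shape (1.0.1g): header + payload + padding must fit the record, else drop. */
static int heartbeat_fixed(size_t rec_len, unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HDR + HB_PADDING) return -1;
    uint16_t plen = (uint16_t)((mem[1] << 8) | mem[2]);
    if (HB_HDR + (size_t)plen + HB_PADDING > rec_len || plen > out_cap) return -1;
    memcpy(out, mem + HB_HDR, plen);
    return (int)plen;
}

int main(void) {                                  /* peer declares 40, sends 5 */
    unsigned char out[64];
    size_t rl = build_record(40, "hello");
    int fixed = heartbeat_fixed(rl, out, sizeof out);
    int vuln = heartbeat_vuln(rl, out, sizeof out);
    printf("fixed: %d, vulnerable: %d bytes (tail: %.14s)\n", fixed, vuln, (const char *)out + 21);
    return 0;
}
```

The fixed handler drops the malformed message, while the vulnerable one copies 40 bytes and the tail of that copy is the adjacent "key" bytes, which is exactly why the bug could expose keys rather than just the message at hand.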

In the wake of Heartbleed, many organizations are asking us what they can do to protect their employees and their clients from any damage the bug may have caused. The answer, as usual, is not that simple. It’s up to our Service Providers or IT admins to update the servers. As a precaution, check your financial statements of the past few months more thoroughly and look for potential discrepancies. Many web sites recommend updating your passwords, but make sure you do so only after your provider has confirmed that the fix is in. Otherwise, the hackers could be spying on password changes and obtain your new password while the service is still vulnerable…

Two questions remain: 1) Was there any monetary exploit discovered? If criminals found the flaw before a fix was published, they could have stolen troves of passwords for bank accounts, e-commerce sites and e-mail accounts worldwide. Evidence of that is so far lacking, and it’s possible that cybercriminals missed the potential in the same way security professionals did.

2) Is Open Source vulnerable? Software is just software and is not bullet-proof. As a way of comparison, Target retail stores' Point of Sale (POS) systems were NOT running Open Source, more like embedded XP, and it took them weeks to detect and remediate the breach. Open Source usually means a bit more secure because more eyes or automated tools can read the code.

So this one eluded most security experts for months, including the NSA. If the NSA had known about it, they would have disclosed it, as is common practice in the security community. The NSA wants exclusive use of keys and other techniques; as OpenSSL had flaws anyone could exploit, the NSA had no exclusivity. And don’t forget they gave the world the Security Enhanced Linux kernel module to keep Open Source running safely in the US government and the world.

This bug has received so much press that it was patched immediately by many affected websites and services after it was discovered. To wrap up: check your statements, check your emails, wait for your provider to update its keys, and then update your password.