
Heartbleed Bug – Our Customers are Protected

By: Absolute Editorial Team | 4/11/2014

This week a major vulnerability in web security was announced. The Heartbleed bug places many web passwords and other information at risk. Here’s what you need to know.

What is Heartbleed?

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. The vulnerability gives cybercriminals a way to steal information that would otherwise be protected by the SSL/TLS encryption used to secure much of the internet. SSL/TLS provides security and privacy over the internet for websites, email, instant messaging and even some VPNs.

Cybercriminals can attack systems without a trace using this bug, eavesdropping on communications and stealing data, including passwords and credit card information. If they have your password, sensitive corporate data could be at risk.

“The problem came about due to a missing bounds check in the handling of the TLS heartbeat extension, which can then be used to view 64K of memory on a connected server (or client). Specifically, this can then be exploited to repeatedly sieve through the memory of the targeted server for sensitive data such as usernames and passwords, or even to recover the private keys used by the server,” notes FierceCIO.
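The missing bounds check described in the quote above, shown beside its corrected form. This is an added example, not OpenSSL's code and not part of the original post. The function names are hypothetical, the message layout follows RFC 6520, the reply omits padding for brevity, and a single array stands in for process memory so the demo stays well-defined.

```c
/* Simplified model of a TLS heartbeat responder (RFC 6520 layout):
 * type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16).
 * Not OpenSSL's code; all names here are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HDR = 3, HB_MIN_PAD = 16 };

/* Vulnerable pattern: echoes as many bytes as the peer *claims* it sent. */
size_t hb_reply_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    (void)rec_len;                                  /* never consulted: the bug */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);    /* reads past the record */
    return HB_HDR + claimed;
}

/* Hardened pattern: discard any record whose claimed length does not fit. */
size_t hb_reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < HB_HDR + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + claimed + HB_MIN_PAD > rec_len)    /* the bounds check */
        return 0;                                   /* drop silently */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);
    return HB_HDR + claimed;
}

/* Constructed demo: one array stands in for process memory so the over-read
 * stays inside a single object. Returns 1 if the reply contains the marker. */
int hb_demo_leaks(int use_checked)
{
    uint8_t mem[64] = {0}, out[HB_HDR + 64];
    size_t rec_len = HB_HDR + 2 + HB_MIN_PAD;       /* 2-byte payload actually sent */
    mem[0] = HB_REQUEST; mem[1] = 0; mem[2] = 40;   /* ...but 40 bytes claimed */
    memcpy(mem + HB_HDR, "hi", 2);
    memcpy(mem + rec_len, "SECRET-KEY", 10);        /* unrelated adjacent data */
    size_t n = use_checked ? hb_reply_checked(mem, rec_len, out)
                           : hb_reply_unchecked(mem, rec_len, out);
    for (size_t i = 0; i + 10 <= n; i++)
        if (memcmp(out + i, "SECRET-KEY", 10) == 0) return 1;
    return 0;
}

int main(void) { return !(hb_demo_leaks(0) == 1 && hb_demo_leaks(1) == 0); }
```

The unchecked responder returns the constructed marker that sits after the record, while the checked one drops the malformed request without replying.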

Many organizations are currently upgrading their OpenSSL software to patch this bug. There is no evidence yet that the bug has been exploited.

What about Absolute Software customers?

Absolute Software customers can rest easy.

After news of the Heartbleed vulnerability in OpenSSL, Absolute performed an exhaustive review that included all of our corporate and consumer products and programs touched by our customers. Our Global IT team performed a risk analysis for all IT systems.

None of our products, processes, or communities have been impacted by the Heartbleed vulnerability.

What should you do?

IT administrators who use OpenSSL should ensure that they are running the latest version. Assume that the server has been compromised and generate new encryption keys. As a precaution, users should be encouraged to create new passwords.