one that’s extremely easy to exploit, and the potential harm, disclosing sensitive data that was expected to have been transmitted securely, makes it a great threat.
While there is no evidence that the HeartBleed vulnerability that was disclosed only 3 days ago has been exploited yet, it has been there exposing user login credentials, credit card numbers, email content etc. and, maybe worst of all, the servers’ own private keys for around 2 years.
There are really 2 issues. One is that we end users have potentially exposed everything we have entered online anywhere; I had an email this morning from DYN, a company that I expect to be both level-headed and informed, telling users to at least change all their passwords on sites that have not disclosed they were safe. The other issue, of course, is that the servers may have been breached.
But a reminder here: there is no evidence that this gaping hole in security, which has been sitting wide open for 2 years, has been exploited; hopefully blackhat hackers totally missed it.
Here is a list of some of the companies that have at one time or another had this vulnerability exposed, from digitaltrends (but all now clear).
- Tumblr
- Yahoo
- Gmail
- Yahoo Mail
- GoDaddy
- Intuit Turbo Tax
- Dropbox
- Minecraft
- OkCupid
There are still many sites that have the harmful version of OpenSSL. Some, like the Canadian Revenue Service, have simply “shut up shop” until they resolve the issue; others, mostly the smaller businesses, are not even aware that this current news applies to them. Their hosting companies are either fixing it in the background, if the websites are on shared hosting, or warning those that are responsible for their own servers that they need to run an update.
My own feelings on this are, of course, that “Kerckhoffs’s principle” has in this case been proved wrong, and the very week I changed my main desktop operating system from Microsoft to an open source product, ironically, this major server security flaw did not affect Microsoft servers. The reason I have said HeartBleed is worse than a hack or a virus is that hundreds of each could already be taking advantage of it, or have been for the last 2 years; time will tell.
On a brighter note, a friend actually did find some evidence that HeartBleed was exploited, but they are no threat.
Having spent the last month setting up Sucuri CloudProxy firewalls and dealing with a client and friend whose popular blog has been under a sustained DDoS attack (up to a million requests per hour), reading this only confirms what I am seeing on the ground.
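For those responsible for their own servers, the first thing to do is find out whether the installed OpenSSL is in the affected range. The following POSIX shell script is an added example, not code from the original post: it classifies an `openssl version` output line against the affected upstream releases (OpenSSL 1.0.1 through 1.0.1f; 1.0.1g is the fixed release, and the 1.0.0 and 0.9.8 branches never contained the heartbeat code). The version range comes from the OpenSSL advisory rather than this post, the sample version lines in the comments are constructed, and the function names are my own. The important caveat is that distributions backport the fix without changing the upstream version string, so an “affected” result means “confirm the vendor patch level”, not “definitely vulnerable”.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Classifies an `openssl version` output line against the Heartbleed-affected
# upstream range: OpenSSL 1.0.1 through 1.0.1f are affected, 1.0.1g is the
# fix, and the 1.0.0 / 0.9.8 branches never contained the heartbeat code.
# Caveat: distributions backport fixes while keeping the upstream version
# string, so an "affected" result means "confirm the vendor patch level",
# not "definitely vulnerable".

# Extract the bare version token from a line such as
# "OpenSSL 1.0.1e 11 Feb 2013" (constructed sample input).
openssl_version_token() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# Exit status 0 if the version token is in the affected upstream range
# (including suffixed builds such as 1.0.1e-fips), 1 otherwise.
heartbleed_affected_version() {
    ver=$(openssl_version_token "$1")
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the check against the openssl binary on this host and print a
# defender-oriented verdict. Exit status: 0 affected, 1 not affected,
# 2 could not check.
check_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl binary not found; nothing to check"
        return 2
    fi
    line=$(openssl version)
    if heartbleed_affected_version "$line"; then
        echo "AFFECTED upstream range: $line"
        echo "Confirm the vendor patch level; if unpatched, update OpenSSL, restart every TLS service, then re-key and reissue certificates since private keys may have been read."
        return 0
    fi
    echo "Outside affected range: $line"
    return 1
}
```

Source the file and call `check_local_openssl` on each server; the version-string check is only a triage step, because a vendor package such as a patched 1.0.1e still reports the 1.0.1e string, so the package changelog or the vendor advisory is the final word.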
2 thoughts on “HeartBleed, its not a Virus or Hack, it’s worse it’s a vulnerability”