Heartbleed abridged

By Wayne Wickham on April 18, 2014

On April 8, 2014, a team of engineers found a weakness in websites that use web encryption software called OpenSSL. The OpenSSL project was founded in 1998 to develop a free set of encryption tools for the software used on the Internet.

The Sydney Morning Herald published an interview with Robin Seggelmann, who added the flawed code to OpenSSL, the world’s most popular library for implementing HTTPS encryption in websites, email servers, and applications. The flaw can expose user passwords and potentially the private key used in a website’s cryptographic certificate (whether private keys are at risk is still being determined).

The Herald went on to report that the flaw was unfortunately missed by both the developer and the reviewer of the software change. The bug exists in OpenSSL’s implementation of the heartbeat extension.

So why did they name it “heartbeat”? A heartbeat is “a check to see if the other party is still present or if they’ve dropped off,” security expert Troy Hunt wrote. “In the context of SSL, the initial negotiation between the client and the server has a communication overhead that the heartbeat helps avoid repeating by establishing if the peer is still ‘alive,’” he wrote.

To put it more simply, the “Heartbleed bug” allows anyone on the Internet to read the memory of systems running the vulnerable OpenSSL software, compromising the secret keys, user names and passwords, instant messages, emails, and business documents and communications.
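The mechanism behind that memory read, as an added illustration that is not part of the original article and not OpenSSL’s own code: a heartbeat message carries its own payload-length field, and the flawed handler echoed that many bytes back without checking that the received record actually contained them. The simulation below, written for this page, models process memory as a byte string (the `OTHER_PROCESS_DATA` value is constructed), places the unchecked handler beside the hardened one, and applies the rule RFC 6520 sets for this case: a message whose declared length does not fit in the record is discarded silently. All function and constant names are hypothetical.

```python
import struct
from typing import Optional, Tuple

# TLS heartbeat message layout (RFC 6520): 1-byte type, 2-byte payload length,
# the payload, then at least 16 bytes of padding.
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16
HEADER_LEN = 3  # type (1) + payload_length (2)


def encode_heartbeat(payload: bytes, declared_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request. declared_length exists only so the check can be
    exercised against a malformed message whose length field overstates the payload."""
    length = len(payload) if declared_length is None else declared_length
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack(">H", length)
            + payload + b"\x00" * PADDING_LEN)


# Constructed stand-in for process memory: the received record sits at the start of
# a larger buffer, and the bytes after it represent unrelated data the process holds.
# The cookie value is a hypothetical placeholder, not real data.
OTHER_PROCESS_DATA = b"session-cookie=abc123;" + b"\x00" * 256


def receive(record: bytes) -> Tuple[bytes, int]:
    """Place the record in the simulated memory and report how many bytes actually arrived."""
    return record + OTHER_PROCESS_DATA, len(record)


def handle_heartbeat_unchecked(memory: bytes, record_len: int) -> Optional[bytes]:
    """Heartbleed-style handler: trusts the length field and never compares it with
    record_len. In Python the slice simply reads past the record; in C the equivalent
    memcpy read the same bytes from whatever lay beyond the received data."""
    if memory[0] != HEARTBEAT_REQUEST:
        return None
    (payload_len,) = struct.unpack(">H", memory[1:HEADER_LEN])
    payload = memory[HEADER_LEN:HEADER_LEN + payload_len]
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack(">H", payload_len)
            + payload + b"\x00" * PADDING_LEN)


def handle_heartbeat_checked(memory: bytes, record_len: int) -> Optional[bytes]:
    """Hardened handler: the declared payload must fit, with its padding, inside the
    record that was actually received; otherwise discard silently (RFC 6520 section 4)."""
    if record_len < HEADER_LEN + PADDING_LEN:
        return None  # too short to even hold header plus padding
    if memory[0] != HEARTBEAT_REQUEST:
        return None
    (payload_len,) = struct.unpack(">H", memory[1:HEADER_LEN])
    if HEADER_LEN + payload_len + PADDING_LEN > record_len:
        return None  # the bounds check the original code was missing
    payload = memory[HEADER_LEN:HEADER_LEN + payload_len]
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack(">H", payload_len)
            + payload + b"\x00" * PADDING_LEN)


def response_payload(response: bytes) -> bytes:
    """Extract the echoed payload from a heartbeat response."""
    (payload_len,) = struct.unpack(">H", response[1:HEADER_LEN])
    return response[HEADER_LEN:HEADER_LEN + payload_len]


def leaked_bytes(response: bytes, record_len: int) -> int:
    """Count echoed payload bytes that came from beyond the received record."""
    return max(0, HEADER_LEN + len(response_payload(response)) - record_len)


if __name__ == "__main__":
    mem, n = receive(encode_heartbeat(b"ping"))
    print("well-formed:", response_payload(handle_heartbeat_checked(mem, n)))

    bad_mem, bad_n = receive(encode_heartbeat(b"ping", declared_length=200))
    resp = handle_heartbeat_unchecked(bad_mem, bad_n)
    print("unchecked handler leaked", leaked_bytes(resp, bad_n), "bytes")
    print("checked handler result:", handle_heartbeat_checked(bad_mem, bad_n))
```

The whole fix is the single length comparison in the hardened handler, which is why the code change itself was small and the real work, as the article goes on to describe, was getting the corrected library deployed everywhere it ran.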

Krebs on Security: Heartbleed Bug: What Can You Do?

There is a fix for this, called “Fixed OpenSSL”, which has been released, but it now has to be deployed by software vendors and the like.

According to the Washington Post, efforts to fix the notorious Heartbleed bug threaten to cause major disruptions to the Internet over the next several weeks as companies scramble to repair encryption systems on hundreds of thousands of Web sites at the same time.

Heartbleed For Dummies

Not surprisingly, the US National Security Agency knew about the bug for at least two years and regularly used it to gather critical intelligence, two people familiar with the matter said.

According to Bloomberg, the agency’s reported decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.

Heartbleed appears to be one of the biggest flaws in the Internet’s history, affecting the basic security of as many as two-thirds of the world’s websites. Apple, Amazon, Microsoft, and eBay are not affected, according to the website Mashable.

Wayne Wickham is manager of MSCAd at Advisen. He is responsible for the property & casualty, professional liability, and specialty risk content in MSCAd, focusing on developing the database of cyber events and cases in MSCAd. Wayne is Advisen’s expert in cyber risk management and has 35 years of experience in the insurance industry.