A major new software vulnerability called Heartbleed could let attackers gain access to users' passwords and fool people into using bogus versions of websites.
Heartbleed is a recently discovered software flaw that could leave millions of servers on the internet open to an attack which allows sensitive data, such as user passwords, to be stolen.
Deloitte security, privacy and resilience head Anu Nayer said the problem – which has been around for over two years but was only recently discovered – should not be ignored.
“This is a major issue and it appears a significant portion of the Internet has been affected. Because this exploit leaves no trace in almost any system it is very difficult to determine the extent to which anyone has been compromised through this,” he said.
The heart of the problem lies in open-source software called OpenSSL that is widely used to encrypt Web communications.
Nayer explained a flaw in the programming on some versions (OpenSSL 1.0.1-1.0.1f) means attackers can view small portions of what is being stored in the server’s memory, which includes data such as usernames, passwords, credit card numbers and any other sensitive information.
Grayson Milbourne, director of security intelligence at Webroot, clarified it is software vulnerability, not an infection.
“A vulnerability is a flaw in the code of an application which allows it to be exploited. In the case of the OpenSSL Heartbleed vulnerability, researchers found a flaw in how the data was being encrypted and transmitted,” he said.
Nayer said it is vital that the company’s technical team knows all the websites and web services the organisation has so they can check all the necessary sites.
Ask your brokerage or franchise’s IT department the following questions to make sure you and your clients are safe:
- How have you determined whether each of our websites and web services has OpenSSL service enabled?
- What type of sensitive information do we have that is accessible from the internet? What type of information would have been at risk?
- Have we looked at our logs to determine if there have been any successful or unsuccessful attempts to exploit this issue? What did we find? Are we monitoring our network to look for indications of attacks?
- What steps have we taken to mitigate the issue?
- How have you confirmed that the fixes have been applied successfully?
- Have you got assurances from our vendors, external hosting providers and application cloud services that they have fixed any vulnerable systems?
Nayer said if the company’s website is internally hosted the organisation can run the command ‘openssl version’ on the server to find which if an affected version is being used. However, if it is hosted externally it is necessary to contact the hosting provider for more information.
“If your system uses a vulnerable version of OpenSSL (1.0.1-1.0.1f) you should immediately upgrade to OpenSSL 1.0.1g. If you are unable to immediately upgrade you can recompile the version of OpenSSL you have with ‘-DOPENSSL_NO_HEARTBEATS’ set,” he advised.
It would also pay to consider if it is appropriate to revoke any Certificates which were used while the organisation ran exposed versions of OpenSSL.
“Even after a fix is applied, the private cryptographic keys your systems are relying on to protect their communications could already have been compromised and this fix won’t address that compromise,” he said.
Increased monitoring for unexpected activity in your systems, and training client-facing staff on how to respond to inquiries on the topic are recommended, Nayer said.
Additionally, Milbourne recommended changing passwords, although this is not a fool-proof solution as it will only help if the website in question has put in place required security patches.
“To be on the safe side, I recommend changing passwords at least every three months and to make sure your personal email password is different from every other password,” he said.
