How will the Heartbleed OpenSSL vulnerability influence Web security?

In this FAQ, learn how the Heartbleed vulnerability works and was discovered, what damage the bug is known to have caused, and how administrators and users were advised to reduce their risk.

Heartbleed set off major Internet security alarms when researchers disclosed that attackers could exploit the OpenSSL cryptography flaw to read server memory that SSL/TLS was supposed to protect, including private keys, usernames and passwords. OpenSSL is used by approximately 66% of all active websites, leading many experts to call Heartbleed one of the worst security bugs in the history of the Internet.

A patched version of OpenSSL was released the day the flaw was publicly disclosed, and companies scrambled to ensure their data had not been compromised. Weeks after the Heartbleed OpenSSL vulnerability was identified, however, it remains difficult to know how much damage was inflicted.

This FAQ is part of SearchCompliance's IT Compliance FAQ series.

What is Heartbleed and how was it discovered?

Heartbleed (CVE-2014-0160) is a programming defect in the OpenSSL versions released between March 2012 and April 2014, that is, OpenSSL 1.0.1 through 1.0.1f. The bug was named "Heartbleed" because it is a flaw in OpenSSL's implementation of the Heartbeat Extension (RFC 6520) for the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) protocols.

Heartbleed can be used to expose data meant to be protected by SSL/TLS encryption. A remote attacker sends a heartbeat request whose declared payload length is larger than the payload actually sent; an unpatched peer trusts the declared length and copies that many bytes out of its own memory into the response, returning up to 64 KB of private application memory per request. Because the request can be repeated indefinitely, an attacker can harvest private keys, usernames, passwords and other data from Internet-connected servers or client devices. The malicious heartbeat is handled inside the TLS layer and never reaches the application, so exploitation leaves no trace in application logs.
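To make the mechanism concrete, the following C program is an added example written for this page, not OpenSSL's code. It models the heartbeat record layout from RFC 6520 (one type byte, a two-byte big-endian payload length, the payload, then padding), a simulated slice of process memory in which a constructed secret sits right after the received record, and a response builder that can run with or without the bounds check introduced in OpenSSL 1.0.1g. The arena, the SECRET string and the function names are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST   1
#define TLS1_HB_RESPONSE  2
#define HB_PADDING        16      /* minimum padding required by RFC 6520 */
#define ARENA_SIZE        256

/* Simulated slice of process memory (constructed for this example): the
 * received heartbeat record occupies mem[0..rec_len), and whatever the
 * allocator happened to place next to it follows. */
typedef struct {
    unsigned char mem[ARENA_SIZE];
    size_t rec_len;
} arena_t;

static const char SECRET[] = "SESSIONID=abc123";   /* constructed neighbour data */

/* Encode a heartbeat request: type(1) | payload_length(2, big-endian) |
 * payload | padding. declared_len is allowed to disagree with actual_len. */
static size_t build_heartbeat(unsigned char *out, uint16_t declared_len,
                              const unsigned char *payload, size_t actual_len)
{
    out[0] = TLS1_HB_REQUEST;
    out[1] = (unsigned char)(declared_len >> 8);
    out[2] = (unsigned char)(declared_len & 0xff);
    memcpy(out + 3, payload, actual_len);
    memset(out + 3 + actual_len, 0, HB_PADDING);
    return 3 + actual_len + HB_PADDING;
}

/* Put a 4-byte "ping" request with the given declared length at the start of
 * the arena and place SECRET immediately after it, as a heap neighbour would be. */
static void setup_arena(arena_t *a, uint16_t declared_len)
{
    memset(a->mem, 0, sizeof a->mem);
    a->rec_len = build_heartbeat(a->mem, declared_len,
                                 (const unsigned char *)"ping", 4);
    memcpy(a->mem + a->rec_len, SECRET, sizeof SECRET - 1);
}

/* Response builder. `fixed` selects the 1.0.1g-style bounds check.
 * Returns the number of bytes written to resp, or -1 if the record is dropped. */
static int handle_heartbeat(const arena_t *a, int fixed,
                            unsigned char *resp, size_t resp_cap)
{
    const unsigned char *p = a->mem;
    if (a->rec_len < 1 + 2 + HB_PADDING || p[0] != TLS1_HB_REQUEST)
        return -1;
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);   /* attacker-controlled */

    /* The fix: header + declared payload + padding must fit inside the
     * record that was actually received; otherwise discard it silently. */
    if (fixed && (size_t)1 + 2 + payload + HB_PADDING > a->rec_len)
        return -1;

    size_t n = 1 + 2 + (size_t)payload + HB_PADDING;
    /* Keeps this simulation inside defined memory; real OpenSSL had no such check. */
    if (n > resp_cap || 3 + (size_t)payload > ARENA_SIZE)
        return -1;

    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = p[1];
    resp[2] = p[2];
    memcpy(resp + 3, p + 3, payload);     /* unfixed path: reads past rec_len */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return (int)n;
}

/* Returns 1 if the response to an over-declared request carries SECRET. */
int leak_detected(int fixed)
{
    arena_t a;
    unsigned char resp[ARENA_SIZE + 3 + HB_PADDING];
    setup_arena(&a, 64);                    /* claims 64 bytes, sends 4 */
    int n = handle_heartbeat(&a, fixed, resp, sizeof resp);
    if (n < 0)
        return 0;
    for (int i = 3; i + (int)(sizeof SECRET - 1) <= n; i++)
        if (memcmp(resp + i, SECRET, sizeof SECRET - 1) == 0)
            return 1;
    return 0;
}

/* Returns the response length for an honest request (declared == actual). */
int honest_response_len(int fixed)
{
    arena_t a;
    unsigned char resp[ARENA_SIZE + 3 + HB_PADDING];
    setup_arena(&a, 4);
    return handle_heartbeat(&a, fixed, resp, sizeof resp);
}

int main(void)
{
    printf("unfixed handler leaks secret: %d\n", leak_detected(0));
    printf("fixed handler leaks secret:   %d\n", leak_detected(1));
    printf("honest request, fixed:        %d bytes\n", honest_response_len(1));
    return 0;
}
```

Build with `cc -Wall heartbeat.c -o heartbeat` and run it. The unfixed path answers a 4-byte "ping" that claims to be 64 bytes with 83 bytes, and the constructed secret appears in the response; the fixed path drops the record and still answers an honest request with the expected 23 bytes. The added check is the same comparison the 1.0.1g patch made against the received record length (`1 + 2 + payload + 16 > s->s3->rrec.length`); nothing about it is visible to the application above the TLS layer, which is why the exploit leaves no application-level log entry.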

Google security researchers and members of the Finnish security firm Codenomicon reportedly discovered the flaw independently. Codenomicon reported discovering Heartbleed April 2 and immediately notified the National Cyber Security Centre Finland. The OpenSSL project publicly disclosed the flaw in a security advisory April 7 and released a corrected version, OpenSSL 1.0.1g, the same day.

A Google-developed Heartbleed patch file included a March 21 timestamp, but other vendors said they knew about the flaw well before it was publicized. In an April 11 blog post, content delivery company CloudFlare Inc. said it had received a warning about Heartbleed and patched its systems 12 days earlier. In an April 8 blog post, Akamai Technologies Inc. said it had been given advance notice of the flaw by someone in the OpenSSL community.

Related content
NCSC-Finland issues OpenSSL vulnerability advisory
The White House blog: Agencies coordinate to mitigate Heartbleed fallout

Who has been affected by Heartbleed?

OpenSSL is the most widely used open source cryptographic library for Internet data encryption. It is used by an estimated two-thirds of websites, including Facebook, Google and Yahoo. By April 9, Google, Facebook and Yahoo had deployed the Heartbleed security patch.

Many operating system vendors, appliance vendors and other software vendors were affected by Heartbleed. They included Amazon Web Services, Cisco, Juniper Networks, F5 Networks, Aruba Networks, F-Secure, Fortinet, Red Hat, VMware, Dell, Extreme Networks, McAfee and Oracle. Financial websites were deemed particularly vulnerable to Heartbleed, and regulators advised firms to take precautions.

"Financial institutions should consider replacing private keys and X.509 encryption certificates after applying the patch for each service that uses OpenSSL and consider requiring users and administrators to change passwords after applying the patch," the Federal Financial Institutions Examination Council warned on April 10. "Financial institutions relying upon third-party service providers should ensure those providers are aware of the vulnerability and are taking appropriate mitigation action."

Related content
FFIEC expects members to implement Heartbleed security patches
Heartbleed vulnerability may pose Android risks

What data was compromised by the Heartbleed OpenSSL vulnerability?

There is no way to know for certain what data was exposed by Heartbleed exploits, since exploitation leaves no trace in application logs, but many companies announced that their data was not compromised. In the weeks following the Heartbleed disclosure, there were just two publicly confirmed reports of stolen information.

On April 8, the Canada Revenue Agency (CRA) blocked public access to its website after learning that its systems were vulnerable to Heartbleed, according to an April 14 statement by CRA Commissioner Andrew Treusch. Taxpayer data had been breached over a six-hour period, and the social insurance numbers of approximately 900 taxpayers were stolen by a hacker using Heartbleed. A Canadian computer science student was later arrested on suspicion of using Heartbleed to steal the data from the CRA.

The president of Canada's Treasury Board said April 10 that as a cautionary measure, the country's CIO directed all federal departments to disable public websites that were not yet patched.

The parenting website Mumsnet.com notified readers on April 11 that data such as email addresses, user names and passwords from users' accounts had been accessed. The site advised users to change their passwords.

Related content
Canada Revenue Agency Commissioner issues Heartbleed statement
Mumsnet instructs users on how to address security breach

When did the U.S. government become aware of Heartbleed?

An April 11 WhiteHouse.gov blog post indicated that the Department of Homeland Security became aware of Heartbleed when the vulnerability was publicly reported days earlier. At that time, the "U.S. Computer Emergency Readiness Team immediately issued an alert to share actionable information with the public and suggested mitigation steps," the post reads. "Subsequently, our Industrial Control System-Cyber Emergency Response Team (ICS-CERT) published information and reached out to vendors and asset owners to determine the potential vulnerabilities to computer systems that control essential systems -- like critical infrastructure, user-facing, and financial systems."

Bloomberg News reported April 12, however, that two anonymous inside sources said the National Security Agency knew about the software defect not long after it was introduced but kept it secret to gather information.

In response to the report, Rep. Jim Sensenbrenner (R-Wis.) issued a statement chastising the NSA: "Once again, the NSA proved blind to the interests of every day Americans in its single-minded pursuit of information," he said. "This calls into serious question what the intelligence community does behind its dark cloud of secrecy and is yet another example of how our privacy and data security have been cast aside in the name of national security."

The NSA denied the Bloomberg report.

Related content
U.S. Computer Emergency Readiness Team issues Heartbleed alert
National Cybersecurity and Communications Integration Center: Beware OpenSSL vulnerability

How should systems and data be protected against Heartbleed exploits?

OpenSSL.org recommended that users upgrade to OpenSSL 1.0.1g, the corrected version, or, where an immediate upgrade was not possible, recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS to disable the vulnerable extension. The Electronic Frontier Foundation posted a "Heartbleed Recovery for System Administrators" guide on April 10, recommending that administrators update and test servers, deploy "Perfect Forward Secrecy" so that a key compromise cannot be used to decrypt previously recorded traffic, regenerate existing SSL certificates using new private keys and revoke the old certificates, and change passwords. Patching alone is not sufficient: any private key, session secret or credential that was in server memory while the flaw was exploitable has to be treated as exposed, because there is no log evidence that could prove otherwise.

Everyone who uses the Internet was encouraged to change their passwords for the websites they access, but only after a site had confirmed it was patched, since a password changed on a still-vulnerable server could be captured just as easily as the old one. In the weeks following the bug's disclosure, Internet users were also advised to keep a close eye on financial, social media and email accounts and monitor them for suspicious activity.

Related content
ICS-CERT releases situational awareness alert for OpenSSL vulnerability
EFF offers "Heartbleed" recovery tips for system administrators

Let us know what you think about the story; email Ben Cole, site editor. For more regulatory compliance news and updates throughout the week, follow us on Twitter @ITCompliance.

This was first published in April 2014
