Heartbleed elicited major Internet security alarms when researchers disclosed that attackers could exploit the OpenSSL cryptography flaw to access encrypted content, usernames and passwords. OpenSSL is used by approximately 66% of all active websites, leading many experts to call Heartbleed one of the worst security bugs in the history of the Internet.
Almost immediately after the flaw was discovered, a security patch was released and companies scrambled to ensure their data was not compromised. Weeks after the Heartbleed OpenSSL vulnerability was identified, however, it remains difficult to know how much damage was inflicted.
This FAQ is part of SearchCompliance's IT Compliance FAQ series.
What is Heartbleed and how was it discovered?
Heartbleed is a programming defect in several OpenSSL versions released between March 2012 and April 2014. The bug was named "Heartbleed" because it is a flaw in OpenSSL's implementation of the Heartbeat Extension for the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) protocols.
Heartbleed can be used to expose data meant to be protected by SSL/TLS encryption. Remote attackers could exploit the flaw to read private application memory and expose encryption keys, usernames, passwords and other data on Internet-connected servers or client devices. Only small amounts of data are exposed at a time, and exploitation leaves no sign in application logs.
Google security researchers and members of the Finnish security firm Codenomicon reportedly discovered the flaw separately. Codenomicon reports discovering Heartbleed April 2 and immediately notified the National Cyber Security Centre Finland. Google disclosed the flaw in a security advisory April 7. A corrected version of OpenSSL was also released April 7.
A Google-developed Heartbleed patch file included a March 21 timestamp, but other vendors said they knew about the flaw well before it was publicized. In an April 11 blog post, content delivery company CloudFlare Inc. said it had received a warning about Heartbleed and patched its systems 12 days earlier. In an April 8 blog post, Akamai Technologies Inc. said it had been given advance notice of the flaw by someone in the OpenSSL community.
Who has been affected by Heartbleed?
OpenSSL is the most popular open source cryptographic repository for Internet data encryption. It is used by an estimated two-thirds of websites, including Facebook, Google and Yahoo. By April 9, Google, Facebook and Yahoo had deployed the Heartbleed security patch.
Many operating system vendors, appliance vendors and other software vendors were affected by Heartbleed. They included Amazon Web Services, Cisco, Juniper Networks, F5 Networks, Aruba Networks, F-Secure, Fortinet, Red Hat, VMware, Dell, Extreme Networks, McAfee and Oracle. Financial websites were deemed particularly vulnerable to Heartbleed, and regulators advised firms to take precautions.
"Financial institutions should consider replacing private keys and X.509 encryption certificates after applying the patch for each service that uses OpenSSL and consider requiring users and administrators to change passwords after applying the patch," the Federal Financial Institutions Examination Council warned on April 10. "Financial institutions relying upon third-party service providers should ensure those providers are aware of the vulnerability and are taking appropriate mitigation action."
What data was compromised by the Heartbleed OpenSSL vulnerability?
There's no way to know for certain what data was exposed by Heartbleed exploits, but many companies announced that their data was not compromised. In the weeks following the Heartbleed disclosure, there were just two reports of stolen information.
On April 8, the Canada Revenue Agency (CRA) blocked public access to its website after learning that its systems were vulnerable to Heartbleed, according to an April 14 statement by CRA Commissioner Andrew Treusch. Taxpayer data had been breached over a six-hour period, and the social insurance numbers of approximately 900 taxpayers were stolen by a hacker using Heartbleed. A Canadian computer science student was later arrested on suspicion of using Heartbleed to steal the data from the CRA.
The president of Canada's Treasury Board said April 10 that as a cautionary measure, the country's CIO directed all federal departments to disable public websites that were not yet patched.
The parenting website Mumsnet.com notified readers on April 11 that data such as email addresses, user names and passwords from users' accounts had been accessed. The site advised users to change their passwords.
When did the U.S. government become aware of Heartbleed?
An April 11 WhiteHouse.gov blog post suggested that the Department of Homeland Security was made aware of Heartbleed when the vulnerability was reported days earlier. At that time, the "U.S. Computer Emergency Readiness Team immediately issued an alert to share actionable information with the public and suggested mitigation steps," the post reads. "Subsequently, our Industrial Control System-Cyber Emergency Response Team (ICS-CERT) published information and reached out to vendors and asset owners to determine the potential vulnerabilities to computer systems that control essential systems -- like critical infrastructure, user-facing, and financial systems."
Bloomberg News reported April 12, however, that two anonymous inside sources said the National Security Agency knew about the software defect not long after it was introduced but kept it secret to gather information.
In response to the report, Rep. Jim Sensenbrenner (R-Wis.) issued a statement chastising the NSA: "Once again, the NSA proved blind to the interests of everyday Americans in its single-minded pursuit of information," he said. "This calls into serious question what the intelligence community does behind its dark cloud of secrecy and is yet another example of how our privacy and data security have been cast aside in the name of national security."
The NSA denied the Bloomberg report.
How should systems and data be protected against Heartbleed exploits?
OpenSSL.org recommended that companies upgrade to OpenSSL 1.0.1g, a corrected version of the software. The Electronic Frontier Foundation posted a "Heartbleed Recovery for System Administrators" on April 10, recommending that they update and test servers, deploy "Perfect Forward Secrecy," regenerate existing SSL certificates using new keys and change passwords.
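The first recovery step is confirming which builds are actually affected. The Python below is an added example, not part of this FAQ or of OpenSSL's own tooling: it classifies the banner printed by `openssl version` against the affected range (OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g is the fix), and uses the "built on:" line of `openssl version -a` as a heuristic to flag distribution packages that backported the fix without changing the version letter. The sample banners and build dates below are constructed inputs.

```python
import re
from datetime import date

# Known facts about CVE-2014-0160: OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1
# are affected; 1.0.1g (7 Apr 2014) and 1.0.2-beta2 are fixed; the 0.9.8 and
# 1.0.0 branches never contained the Heartbeat extension code.
DISCLOSURE = date(2014, 4, 7)
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")
BUILT_ON_RE = re.compile(r"built on:.*?([A-Z][a-z]{2})\s+(\d{1,2})\b.*?(\d{4})")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

def parse_version(banner):
    """Parse `openssl version` output such as 'OpenSSL 1.0.1e-fips 11 Feb 2013'."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter, beta = m.groups()
    return (int(major), int(minor), int(fix)), letter, beta

def parse_build_date(version_a_output):
    """Extract the date from the 'built on:' line of `openssl version -a`."""
    m = BUILT_ON_RE.search(version_a_output)
    if not m:
        return None
    mon, day, year = m.groups()
    return date(int(year), MONTHS[mon], int(day))

def classify(banner, version_a_output=""):
    """Return 'not-affected', 'vulnerable', 'fixed', 'check-backport' or 'unknown'."""
    parsed = parse_version(banner)
    if parsed is None:
        return "unknown"            # not an OpenSSL banner (e.g. LibreSSL)
    branch, letter, beta = parsed
    if branch < (1, 0, 1):
        return "not-affected"       # 0.9.8 / 1.0.0 have no heartbeat support
    if branch == (1, 0, 1):
        if beta:                    # 1.0.1 pre-releases are not covered here
            return "unknown"
        affected = letter <= "f"    # plain 1.0.1 ('') through 1.0.1f
    elif branch == (1, 0, 2):
        affected = beta == "beta1"
    else:
        affected = False            # 1.0.2 final and later branches
    if not affected:
        return "fixed"
    # Caveat (assumption, heuristic): distributions backported the fix without
    # changing the upstream letter, so a 1.0.1e package rebuilt on or after the
    # disclosure date needs confirmation from the package changelog, not a banner.
    built = parse_build_date(version_a_output)
    if built is not None and built >= DISCLOSURE:
        return "check-backport"
    return "vulnerable"
```

A "vulnerable" or "check-backport" result is a starting point only: after upgrading, the remaining steps (new keys and certificates, password changes) still apply because memory may already have been read before the patch.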
Everyone who uses the Internet was encouraged to change their passwords for the websites they access. In the weeks following the bug's disclosure, Internet users were also advised to keep a close eye on financial, social media and email accounts and monitor them for suspicious activity.