There may be a door ajar on your company’s website, as well as the websites of your suppliers, business partners and perhaps many of the other organizations your company deals with daily.
Word spread this week that a version of OpenSSL, the open-source browser-encryption standard used by perhaps two-thirds of Internet servers, has a significant flaw. It’s being called, rather ominously, Heartbleed, as the bug resides in OpenSSL’s so-called “heartbeat” extension that’s designed to let a secure connection stay open for long periods of time.
It’s the latest and potentially most horrific illustration that holes in system security may pose the greatest threat of all to corporate well-being. Advancements in thwarting attackers are ceaselessly overwhelmed by advancements in hacking capabilities and, as in this case, system bugs.
How bad is Heartbleed? Judge for yourself. Attackers can request, and get, a random, 64-kilobyte chunk of data from systems protected by the vulnerable version of OpenSSL. Does that not sound so bad? It is. An unlimited number of such requests can be made.
A version of the encryption standard called Fixed OpenSSL and a patch for the vulnerable version are available. Unfortunately, the vulnerability, though discovered in just the past few days, reportedly has been around for two years, so hacks may have already occurred.
According to CNN, security researchers on Tuesday morning were able to steal email log-ins from Yahoo!, though the Internet company said later it had fixed the problem across its major sites. Others that reportedly were affected at least temporarily included dating site OkCupid, image-sharing services Imgur and Flickr, social-networking site Reddit, event-registration site EventBrite, password service LastPass, the websites of magazines Slate and UsWeekly, and even the FBI.
Reformed black-hat hacker Mustafa Al-Bassam ran security tests and published a list of websites that he said were vulnerable as of mid-day Tuesday, though he noted that fixes could have been made after that.