Mumbai, India, April 22, 2014: ESET, global provider of security solutions for businesses and consumers, warned that Heartbleed bug causing widespread alarm on affecting more than feared and could affect billions of users like websites, internet users, and smartphone users. Heartbleed Bug is used to extract private SSL Keys and it allow Malicious Individuals to extract Information invisibly during an Encryption process. It affects the open-source encryption software OpenSSL – which is used on millions of web servers which has been undiscovered for more than two years.
Two white-hat hackers were able to extract keys and were able to use Heartbleed to extract private keys in a competition set up by data security company CloudFlare. The source of the bug, which has been active for at least two years, was errors introduced by a PhD student writing for the open-source company OpenSSL.
Heartbleed bug has affected at least 500,000 sites and millions of users by the small programming error did by the student, who has spoken of his regret at the incident. Any smartphone not protected by “enterprise grade” security may be at risk due to apps.
The ability to steal private keys raised the scope of Heartlbeed considerably. Having access to these private keys means hackers can return even after the Heartbleed exploit has been removed through the window. Hackers can only cease to have access to these keys once the server’s security certificates are all updated. It means fixing the bug may not solve the problems Heartbleed has created. Anyone possessing the private key can use it to host an impostor site that is virtually impossible for most end users to detect.
Collective Recommendations from ESET Researchers, White Hat Hackers:
- Upgrade your OpenSSL servers to 1.0.1g or recompile -DOPENSSL_NO_HEARTBEATS
- Update your Server’s security certificates
- Embedded devices using OpenSSl should also upgrade to newer versions
- Always check servers logs to have a check on Heartbleed exploits
- Change passwords consequently of all the online services you use (Please note: This bug could steal passwords, credit card details and even encryption keys, without trace)
- Change your password and don’t use ‘password’ as your new password
- Note that, Vulnerabilities for consumers using “desktop” browsers are more on their visit of websites that may be running bogus server code
- Download smartphone applications from authorized websites as some of the apps were vulnerable to Heartbleed bug
- Last but most important thing is that, everyone should reissue and revoke your private keys