If you’ve been following the news of any kind recently, you may well have seen articles about Heartbleed. This is the vulnerability in the OpenSSL cryptographic library that theoretically allowed hackers to invisibly copy sensitive data from a web server. A sign of the times, Heartbleed even made front-page news in the tabloid press in the UK, an extraordinary feat for such a technical subject. Soon after the threat was discovered, a new version of OpenSSL was made available so that servers could be updated and protected once again. But there are business continuity lessons to be learned.
This security weakness was in the very system, OpenSSL, that is supposed to provide the security required by confidential services such as online payment. The name given to the bug, Heartbleed, refers to the Transport Layer Security (TLS) ‘heartbeat’, the periodic signal exchanged to indicate that a connection is still operating normally. Many organisations use OpenSSL and its TLS component, but have no way to confirm they are secure other than to check each server individually. This includes external servers connected to the organisation as part of a cloud computing solution. It seems doubtful that even larger organisations could have detected the problem by themselves.
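The flaw behind the heartbeat is easier to see in a small model. The Python below is an added illustration, not code from this article or from OpenSSL: it uses a simplified heartbeat record layout (one-byte type, two-byte payload length, payload, 16 bytes of padding), a constructed byte string standing in for neighbouring process memory, and hypothetical function names. The unchecked responder trusts the length field sent by the peer; the checked one refuses any record whose claimed length does not fit in the bytes actually received, which is the essence of the fix.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # a heartbeat record must carry at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request. claimed_length lets a test construct a
    record whose length field disagrees with the real payload size."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def respond_unchecked(record: bytes, process_memory: bytes) -> bytes:
    """Vulnerable behaviour: echo 'length' bytes from the payload offset even
    if the record was shorter. process_memory is a constructed stand-in for
    whatever sits in memory immediately after the received record."""
    _type, length = struct.unpack("!BH", record[:3])
    heap = record + process_memory  # the record is at the start of the buffer
    echoed = heap[3:3 + length]     # runs past the record into process memory
    return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + echoed + b"\x00" * MIN_PADDING


def respond_checked(record: bytes) -> Optional[bytes]:
    """Fixed behaviour: drop the record (silently, with no reply) unless the
    header, the claimed payload and the minimum padding all fit in what was
    received; otherwise echo only bytes that really arrived."""
    if len(record) < 3:
        return None
    _type, length = struct.unpack("!BH", record[:3])
    if 1 + 2 + length + MIN_PADDING > len(record):
        return None
    echoed = record[3:3 + length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + echoed + b"\x00" * MIN_PADDING


def leaked_bytes(response: Optional[bytes], payload: bytes) -> bytes:
    """Everything echoed beyond the genuine payload, i.e. what was disclosed."""
    if response is None:
        return b""
    _type, length = struct.unpack("!BH", response[:3])
    return response[3:3 + length][len(payload):]
```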
The heartbleed.com site from Codenomicon describes how test engineers launched an attack on their own equipment to map out the extent of the vulnerability. As they write, “Without using any privileged information… we were able to steal… secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.” There is little information so far about the number of organisations that have suffered loss or damage because of the bug. One of the few cases made public to date was the Canadian social security service, where 900 social security numbers were compromised.