The Heartbleed Bug

14th April 2014

Yesterday was an interesting and busy day for those on both sides of the information security fence.

A critical vulnerability was publicly disclosed in the widely used library OpenSSL, which forms the core of many SSL/HTTPS provisions. If you want to read more information from the original source, Heartbleed is the place to start.

What is it?

Without getting too technical, the flaw allows a malicious and unauthorised third party to access protected data in memory. The exact data accessed is random, but there have been corroborated reports of clear-text passwords, private SSL keys and other sensitive data being recovered, which would negatively impact the security of your systems, users and clients.

How to determine if you're vulnerable?

The vulnerability affects any service utilising OpenSSL version 1.0.1 through to OpenSSL version 1.0.1f. If you (or your in-house sysadmin) can confirm that your SSL implementation isn't running any of the affected versions, you're safe from this particular weakness. Unfortunately, OpenSSL is widely used and embedded into many other appliances and application stacks.

Since the notification yesterday, a number of websites have been released which let you enter your system name/IP address and will check for you. However, what a third party may do with the information once it has determined that your system is vulnerable is beyond your or our control.

Clients who take regular security testing from Onyx Group will automatically have the checks run against their systems during the next scheduled assessments. If you would like to bring your assessment forward for this check, please contact your Account Manager or Security Support. If you're not already taking advantage of Onyx Group's vulnerability management services, fear not; we have a dedicated package covering just this issue to provide rapid peace of mind. Existing clients, just contact your account manager; new clients, please contact us or call 0845 345 5758.

What to do if your systems are vulnerable?

Upgrade OpenSSL; a fix has already been developed and released. Depending on your operating system and configuration this may be as simple as issuing a single command, or more complex. If you would like additional assistance or advice, please contact us. It has also been suggested that you re-issue your SSL certificates on affected services. Please contact your certificate provider for further information.

What to do if you've used a vulnerable system?

There have been reports of some systems, including the likes of Yahoo!, leaking user passwords as a result of the vulnerability. It is recommended that you change your password (and the password on any other system where it has been re-used, against best advice); however, this will only help AFTER the flaw in the affected system is fixed. Where possible, upgrading your authentication to utilise two-factor authentication (2FA) will remove this aspect of the risk. To remove a large class of potential attacks against your users and systems, why not contact Onyx Group to add 2FA protection to your environment?

To keep up to date with breaking IT news, follow OnyxGroupUK on Twitter or Onyx Group's tamed security geek Infosanity.
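A quick local check against the version range named above, as an added example (not part of the original post and not an Onyx Group tool): the script parses the output of `openssl version` and flags any 1.0.1 through 1.0.1f build, including suffixed strings such as "1.0.1e-fips". The sample output strings in the test are constructed.

```shell
#!/bin/sh
# Added example: classify an OpenSSL version string against the range the
# post names as vulnerable to Heartbleed (1.0.1 through 1.0.1f).

# Returns 0 (true) if the version token is in the vulnerable range, 1 otherwise.
heartbleed_vulnerable_version() {
    case "$1" in
        1.0.1)          return 0 ;;   # the unlettered first 1.0.1 release
        1.0.1[a-f])     return 0 ;;   # 1.0.1a .. 1.0.1f
        1.0.1[a-f]-*)   return 0 ;;   # e.g. "1.0.1e-fips"
        *)              return 1 ;;   # 1.0.0, 1.0.1g and later, 1.0.2, ...
    esac
}

# Pull the version token out of output such as "OpenSSL 1.0.1e 11 Feb 2013".
openssl_version_token() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# Report on one line of `openssl version` output; exit status mirrors the verdict.
check_openssl_output() {
    tok=$(openssl_version_token "$1")
    if heartbleed_vulnerable_version "$tok"; then
        echo "VULNERABLE version string: $tok"
        return 0
    fi
    echo "not in the vulnerable range: $tok"
    return 1
}

# When run directly, check the binary on this host (skipped if none is installed).
if command -v openssl >/dev/null 2>&1; then
    check_openssl_output "$(openssl version)" || :
fi
```

One caveat a version-string check cannot resolve: several distributions shipped the fix as a patch to their existing 1.0.1e package rather than moving to 1.0.1g, so a "vulnerable" result here means "confirm against your vendor's package changelog and the build date from `openssl version -b`", not "definitely exposed". The converse is safer: a version outside the range was never affected by this particular flaw.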
