The Heartbleed Bug

14th April 2014

Yesterday was an interesting and busy day for those on both sides of the information security fence.

A critical vulnerability was publicly disclosed in the widely used library OpenSSL, which forms the core of many SSL/HTTPS provisions. If you want to read more information from the original source, Heartbleed is the place to start.

What is it?

Without getting too technical, the flaw allows a malicious and unauthorised third party to read protected data from the server's memory. Exactly which data is exposed is random, but there have been corroborated reports of clear-text passwords, private SSL keys and other sensitive data being recovered, any of which would negatively impact the security of your systems, users and clients.

How to determine if you're vulnerable?

The vulnerability affects any service using OpenSSL version 1.0.1 through to OpenSSL version 1.0.1f. If you (or your in-house sysadmin) can confirm that your SSL implementation isn't running any of the affected versions, you're safe from this particular weakness. Unfortunately, OpenSSL is widely used and embedded into many other appliances and application stacks. Since the notification yesterday, a number of websites have been released that let you enter your system name/IP address and check it for you. However, what a third party may do with the information once it has determined that your system is vulnerable is beyond your or our control.

Clients who take regular security testing from Onyx Group will automatically have the checks run against their systems during their next scheduled assessments. If you would like to bring your assessment forward for this check, please contact your Account Manager or Security Support. If you're not already taking advantage of Onyx Group's vulnerability management services, fear not; we have a dedicated package covering just this issue to provide rapid peace of mind. Existing clients, just contact your account manager; new clients, please contact sales@onyx.net or 0845 345 5758.

What to do if your systems are vulnerable?

Upgrade OpenSSL: a fix has already been developed and released. Depending on your operating system and configuration this may be as simple as issuing a single command, or more complex. If you would like additional assistance or advice, please contact us. It has also been suggested that you re-issue your SSL certificates on affected services. Please contact your certificate provider for further information.

What to do if you've used a vulnerable system?

There have been reports of some systems, including the likes of Yahoo!, leaking user passwords as a result of the vulnerability. It is recommended that you change your password (and the password on any other system where it has been re-used, against best advice); however, this will only help AFTER the flaw in the affected system is fixed. Where possible, upgrading your authentication to use two-factor authentication (2FA) will remove this aspect of the risk. To remove a large class of potential attacks against your users and systems, why not contact Onyx Group to add 2FA protection to your environment?

To keep up to date with breaking IT news, follow OnyxGroupUK on Twitter or Onyx Group's tamed security geek Infosanity.
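The version check the post describes (OpenSSL 1.0.1 through 1.0.1f affected, 1.0.1g and later fixed) can be scripted for a quick local inventory. The script below is an added example and is not code from the Onyx Group post; the function names are its own, and the sample version strings it runs over are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): classify an `openssl version`
# string against the range named in the post, OpenSSL 1.0.1 through 1.0.1f.
# Function names are this example's own.

# Returns 0 (shell "true") when the version string is in the affected range,
# 1 otherwise. Accepts either the full `openssl version` output, e.g.
# "OpenSSL 1.0.1e 11 Feb 2013", or a bare version such as "1.0.1f-fips".
heartbleed_version_vulnerable() {
    ver=${1#OpenSSL }          # drop the leading product name if present
    set -- $ver                # split on whitespace; $1 is now the version token
    ver=${1%%-*}               # drop build suffixes such as "-fips"
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;   # 1.0.1 (no letter) up to 1.0.1f
        *)                return 1 ;;   # 1.0.1g+, 1.0.2, 1.0.0, 0.9.8, ...
    esac
}

# Runs `openssl version` on this host, if the binary is installed, and reports.
# Returns 0 when the local library is in the affected range, 1 otherwise
# (including when no openssl binary is found).
check_local_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH"; return 1; }
    local_ver=$(openssl version 2>/dev/null)
    if heartbleed_version_vulnerable "$local_ver"; then
        echo "AFFECTED: $local_ver"
        return 0
    fi
    echo "not in affected range: $local_ver"
    return 1
}

# Demo over constructed sample strings (these are illustrative, not real hosts).
for sample in "OpenSSL 1.0.1e 11 Feb 2013" \
              "OpenSSL 1.0.1g 7 Apr 2014" \
              "1.0.1f-fips" \
              "OpenSSL 1.0.0l 6 Jan 2014" \
              "OpenSSL 0.9.8y 5 Feb 2013"; do
    if heartbleed_version_vulnerable "$sample"; then
        echo "AFFECTED: $sample"
    else
        echo "ok:       $sample"
    fi
done

check_local_openssl
```

One caveat when using this on real systems: several Linux distributions ship a backported fix while keeping the original version string (the package changelog, not `openssl version`, records the patch), so a match here means "investigate", and a clean result is only conclusive when the binary is the one your TLS services actually load. Appliances that bundle their own OpenSSL need the vendor's advisory rather than a host-level check.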
