Sophos news in review: OpenSSL Heartbleed, what is it and what does it mean for security?

The big story in security news right now is Heartbleed — a serious bug in the software responsible for encrypting traffic on the Internet, called OpenSSL.

OpenSSL is open source software used by websites, including Google, Gmail, Facebook, Yahoo and many thousands more, to encrypt all of our data. But the Heartbleed bug, just recently discovered by two researchers, left the door wide open to data attacks on vulnerable web servers.

We also found out that the Heartbleed bug is in a version of the OpenSSL software that’s two years old — so this vulnerability could have been attacked for a very long time by someone with the resources to exploit it.

Sophos security experts helped us to understand Heartbleed and what it means, how to protect yourself, and why we should all be thankful for open source software, even if it’s not perfect.

Note to Sophos Customers: To get the most current information on how this bug affects our products, please see the knowledgebase article in the Support section of our website.

Internet skips a Heartbeat

Chester Wisniewski, Sophos senior security advisor, let us in on what Heartbleed is and why it’s so important for security on the Internet.

Chet explained that OpenSSL sends a small packet of data back and forth between web servers to make sure the connection is still working, what’s called a TLS Heartbeat.

Only now it turns out that servers could be tricked into sending system-stored data in response to a Heartbeat ping — data which could include passwords and encryption keys.

In an opinion column published on CNN.com, Chet described how two-thirds of all websites were vulnerable to Heartbleed.

Fortunately, most major Web services have already applied fixes to the affected Web servers and services. The bad news is that smaller websites as well as many companies' products that rely on OpenSSL may linger for many more years without a fix.

Chet told BuzzFeed that an even bigger concern is who might have known about the Heartbleed bug before the rest of us caught on — and the most likely organization to know would be the U.S. National Security Agency (NSA), which has the means and an interest in finding such vulnerabilities.

“That’s exactly what the leaked NSA programs are supposed to do: Find the flaws, exploit them and never tell anyone,” Chet said.

According to Chet, the “open” part of OpenSSL means this vital security software is maintained by volunteer researchers, not commercial interests.

And that means we should be focusing our attention on supporting the open parts of the Internet that we rely on for freedom of communication.

All of us have come to rely on the Internet socially, politically and economically. The billions of dollars a year being made by the tech giants would not be possible without the millions of donated hours that maintain free and open software like OpenSSL, Linux, Apache Web server, and Postfix mail server.

Sophos Security Chet Chat #142: Heartbleed explained, Patches assessed, Apple chastised

In this episode of the weekly Chet Chat podcast, Sophos experts Chester Wisniewski and Paul Ducklin dive into the Heartbleed bug and tell us what it all means.

Plus, they share their expertise on all the other big stories of the week, including the end of XP support, Apple’s patching issues, and a whole lot more.

Learn more about OpenSSL Heartbleed

Paul Ducklin, Sophos senior security analyst and writer for Naked Security, proved his chops as an encryption expert this week with his excellent coverage of the OpenSSL Heartbleed bug.

Read his articles to get all the information you need to understand and counter this bug.

60 Second Security: Heartbleed, Google Play, and XP

Paul Ducklin runs down the news of the week in just about a minute, including quick summaries of Heartbleed, a Google Play scam, and XP’s last security patch.

Keep up with Sophos news

You can get all the latest Sophos related news right here. Sign up for our Sophos Blog newsletter by filling in your email address at the top right of the blog’s webpage. Follow us on your favorite social media networks, chat with us in our forums, download our informative podcasts, or sign up for our RSS feeds.

5 thoughts on “Sophos news in review: OpenSSL Heartbleed, what is it and what does it mean for security?”

  1. Pingback: Sophos news in review: SG Series is here, Heartbleed boosts 2FA, and new spam rankings | Sophos Blog

  2. Pingback: Sophos news in review: Apple fixes, iOS malware, PCI DSS, and data encryption | Sophos Blog

  3. Pingback: OpenSSL Man-in-the-Middle vulnerability: Sophos Product Status | Sophos Blog

  4. Pingback: What is Shellshock? This infographic explains how a Shellshock attack works and how to stay safe | Sophos Blog

  5. Pingback: Heartbleed: what impact on the security of Open SSL?
