Heartbleed

What is it?

Heartbleed, or CVE-2014-0160, is a huge vulnerability in OpenSSL that was discovered in April 2014. Although the bug had already been introduced on 31 December 2011, it was not detected earlier. OpenSSL is one of the most popular cryptographic libraries, so the bug affected more than two thirds of the web servers globally. As a consequence, it is possible to steal information protected by Secure Sockets Layer / Transport Layer Security (SSL/TLS) encryption, which is used to browse safely. SSL/TLS secures many applications, such as the web, e-mail, instant messaging and Virtual Private Networks. This bug, however, makes the memory of vulnerable versions of the OpenSSL software readable via the internet. This also includes the private key, with which it is possible to decrypt secured information such as credit card details, passwords, e-mail addresses, etc. The bug was introduced through a flaw in the programming and is an implementation issue.

Conclusion after discussion: What is Heartbleed and how do I protect myself?

How to stop the leak?

As long as the vulnerable version of OpenSSL is in use, it can be abused. Therefore, an amended version of OpenSSL has been released, which has to be deployed. Based on this, operating system vendors, distribution and appliance vendors and independent software vendors have to adopt the fixed version and notify their users. Hereby, it is crucial that service providers and users install it as soon as it becomes available for the operating systems, networked appliances and software they use.

Bug is still a risk to 50% of vulnerable servers!

When Heartbleed was discovered, the number of vulnerable servers amounted to 600,000 in total. Two months after the Heartbleed bomb, there were still 300,000 vulnerable servers remaining. After one month, fifty percent of the exposed servers had already been fixed. Following that, an additional 9042 servers were cleaned in the second month, which means that 300,000 servers still remained vulnerable at that time.

How do I protect myself?

Given the high number of servers that still carry this bug, it is essential to know how you can protect yourself. This presents serious difficulties, as the problem cannot be solved by regular users. However, there are a few guidelines for end users, for instance: do not log into accounts on affected sites until you are sure the company has solved the problem. If you are not sure, you can change your password. Moreover, there is also an application that can check whether a website is still vulnerable; McAfee provides this application and it can be obtained for free. Nonetheless, please keep a close eye on your financial statements for the next few months, because attackers can access a server's memory for credit card information. Therefore, it will not hurt to be on the lookout for unfamiliar charges on your bank statements. Nevertheless, even after following these guidelines, a certain risk still remains when surfing the web, because the bug continues to exist on the remaining unpatched servers. Lastly, Heartbleed is even known for affecting browser cookies, which track users' activity on a site. Therefore, even visiting a vulnerable site without logging in can be unsafe.