Hearts Bleed Over Latest SSL Vulnerability

On April 7, the open-source OpenSSL project issued an advisory regarding a critical vulnerability identified as CVE-2014-0160 and called “Heartbleed.” This flaw, which takes advantage of OpenSSL’s heartbeat feature, has been present in OpenSSL for over two years, but was only recently discovered. It allows an attacker to trick systems running any version of OpenSSL 1.0.1. from the past two years into revealing 64 KB of data sitting in its system memory per request. There is no limit to the number of requests an attacker can make. Attackers can gain access to private keys, user names, passwords, credit card data, and other sensitive information. They can spoof a website by launching a more effective man-in-the-middle attack. What is both scary and brilliant about attacks exploiting this vulnerability is that they leave no trace in the server logs.

Bitsight is pleased to announce a new feature on the Customer Portal launched yesterday that shows if a company is vulnerable to the Heartbleed bug. Companies are classified into one of the following three categories:

• Vulnerable: The domain for this company uses an unpatched version of OpenSSL and is vulnerable to this attack.

As a way to measure the ability of companies to quickly respond to these types of vulnerabilities, we looked at how the companies in the S&P 500 index have performed. As of 10 pm ET on April 8, 2014, most companies in the S&P 500 index are secure. The fact that OpenSSL released a patch at the same time they announced the vulnerability and that the nation’s largest public companies were mostly quick to patch their systems is certainly good news.

The questions that remain now are how many organizations were exploited before the patch was applied, how many organizations will revoke their certificates and get a new one, and how long this process will take. This is certainly an issue we will watch in the days and weeks to come.