Heartbleed is a major security flaw discovered in certain versions of OpenSSL. The bug can allow attackers to eavesdrop on communications, impersonate users, or steal data thought to be encrypted and secure.
Exposure to this threat is widespread. OpenSSL is the most popular open source software for initiating SSL and TLS connections.
Though only a handful of OpenSSL versions are affected, they are used by hundreds of thousands of servers across the globe. Many popular web services are considered vulnerable.
The length of exposure to this threat is also severe. Disclosed on April 7th, the Heartbleed bug went undetected for more than two years. Security keys, passwords, and other sensitive data may have been exposed throughout this time.
OpenSSL versions 1.0.1 through 1.0.1f are affected by the bug.
For more information:
US-CERT Alert: OpenSSL ‘Heartbleed’ vulnerability
Codenomicon: The Heartbleed Bug
Calyptix is not affected by Heartbleed. Our systems use versions of OpenSSL that do not contain the bug. This includes all of our services delivered through AccessEnforcer, single pane of glass (SPS), our update servers, and our online portal.
Even though we are not vulnerable to Heartbleed, our developers have updated our standard series of internal QA tests to check for this flaw as a safeguard. Every Calyptix product must pass these tests before release. This will help ensure the flaw never affects our services in the future.
Heartbleed is widespread and may affect many products and services you use.
We advise our partners to:
1. Review all systems and services in use. Assess whether they use the flawed versions of OpenSSL. Check everything: your bank, servers, phone systems, payroll administrator, CRM system, etc.
2. Patch the affected systems, or ensure that a patch has been applied by the vendor.
3. Change the authentication credentials for all affected systems. This includes all passwords and SSL certificates that may have been exposed. Do this only after a patch has been applied.
This can be an opportunity to emphasize the importance of security to your clients. For example, you can offer to help identify important assets in their organizations, assess whether they have been affected by Heartbleed, and apply patches when necessary.
You can also simply advise clients to change their passwords for popular web services that may have been exposed. These services include Yahoo! Mail, Gmail, Instagram, and many others. Click here to get a list.