Security Blog


How Does the "Heartbleed" Vulnerability Affect You?

April 16, 2014

"Heartbleed" is a catchy name for a cyber vulnerability, but how exactly does it work, and how can you (and your enterprise's employees) be better protected against it?

Heartbleed,” a flaw in a widely used security script called OpenSSL, could allow a malicious actor to ping the website recently visited by an employee or user and pull personal data from it – allowing them to reconstitute passwords or other sensitive information from the data, according to Gizmodo.

Heartbleed allows hackers to lie to servers about how much data it sends in a ping, or “heartbeat.” The server will then send too much data, including private data, back to the hacker.

Unfortunately, due to the widespread use of OpenSSL, Heartbleed affected 500,000 websites, from mom-and-pop retailers to international conglomerates, The Washington Post reports. The next step is for those sites to revoke their current security certificates and issue new ones, which sounds simple enough, but it could cause serious speed reductions when users try to load websites due to the flood of new security certificates being verified.

A patch has been issued for the vulnerability, which means that it is now safe to change passwords for the affected sites.

So far, some of the biggest websites affected, or claiming a possible vulnerability for safety’s sake, include:

  • Amazon Web Services
  • Dropbox
  • Facebook
  • Gmail
  • GoDaddy
  • Google
  • Instagram
  • Netflix
  • OKCupid
  • Pinterest
  • SoundCloud
  • Tumblr
  • USAA
  • Yahoo

Even more worrisome, especially for enterprises with strong mobile device-using workforces, smartphones and tablets running a specific version of Android were affected by the Web security bug, which could potentially put login information from those mobile devices at risk, Yahoo reports. Google assured Android users in an April 9 blog post that most versions are not affected, but the 4.1.1 Jelly Bean version is a “limited exception.” That version, released in early 2012, is likely to be running on older Android smartphones. Google reports that about 34 percent of Android devices use a version of 4.1 Jelly Bean software, but fewer than 10 percent of devices in use are vulnerable. 

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

July 2014

2014 July

In the July issue of Security Magazine, read about how the NFL is balancing security with fan experience to make sure sporting events are running smoothly. If you're doing any traveling this summer, be sure to read the 5 hot spots for business travel security, also, employers can track on-the-go employees with new mobile apps. Also, check out the latest news and industry innovations for the security industry.

Table Of Contents Subscribe

Adopting New Technology

How long do you wait before adopting a new technology?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.  

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+