Recently, Singaporeans were made aware of 'Heartbleed', a major encryption flaw that affects OpenSSL web servers. The Infocomm Development Authority of Singapore (IDA) urged all website owners in Singapore to heed the advisory issued by SingCERT; this included recommendations to upgrade their OpenSSL software and check with their IDS/IPS vendors if signatures are available to detect/block such attacks.
Exploiting the Heartbleed flaw allows cybercriminals to access private and corporate information stored on the cloud across various sites such as Facebook, Google and Twitter. This means these open platforms may have been exposing crucial and confidential data for the past two years. Given the significant scale of potential users affected, this flaw is one of the biggest online security threats to date. Well-known Internet security researcher and author Bruce Schneier calls this bug "catastrophic" and says "On a scale of 1 to 10, this is an 11."
As a free platform, OpenSSL has been a popular choice amongst companies since its inception in 2012. In fact, according to a recent Netcraft Web Server survey across 959 million websites globally, around 66% are powered by technology built around OpenSSL.
Unfortunately, for the past two years there has been a bug in the encryption used by most (but not all) "secure" Internet sites that allowed anyone who was aware of the flaw to grab information from the memory of those webservers. That information could have included usernames, passwords, and encryption keys that are used to protect traffic - keys that could in turn be used to further attack the information in those sites. Major websites are patching their servers, which is good, but this doesn't tell us whether anyone has been secretly stealing information over the past two years.
Passwords are like toothbrushes: choose a good one, change it regularly and don't share it with others. Passwords should also vary across different accounts such as banking, investment, email and social media sites.
While consumers who receive alerts from websites to update passwords can easily do so to protect their information, securing corporate information is much more complex. Companies without expertise in this area may have to engage IT service providers in order to properly track and assess their systems for exposure to risks. However, it is worth being aware that engaging a third party to perform checks and improve systems can be time-consuming, and could create a further window of opportunity for hackers to seize the moment and exploit the data available.
What businesses can do to mitigate the risk
Businesses that have been using OpenSSL should have contingency plans in place to analyse and identify potential risks, with subsequent concrete steps taken to address them. As a follow-up, these businesses should also run an IT audit to ensure that no other information has been compromised.