If you haven’t already seen or heard about Heartbleed, the major vulnerability that affected over half a million trusted websites, here is a synopsis, the status of our server patching, and my take on why the sky is NOT falling due to this issue.
LexiConn is Safe
Once this vulnerability was announced, we had all of our affected servers patched within a few hours. Note that the vast majority of our servers were never vulnerable to this attack, as they run versions of the OpenSSL software that never contained the bug.
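As a concrete form of the check behind “our servers run versions that did not have the bug”, here is an added example in C (not LexiConn’s own tooling) that classifies `openssl version` banners by the upstream release numbers the OpenSSL advisory listed as affected: 1.0.1 through 1.0.1f and 1.0.2-beta1, with the fix shipping in 1.0.1g. The 1.0.0 and 0.9.8 branches never had the bug. The banners in the fleet list are constructed for the example; the function name is ours.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Classify an `openssl version` banner for Heartbleed exposure by upstream
 * release number. Returns 1 = affected upstream release, 0 = not affected,
 * -1 = banner not understood.
 * Affected upstream releases: 1.0.1 through 1.0.1f and 1.0.2-beta1; fixed in
 * 1.0.1g. The 1.0.0 and 0.9.8 branches never contained the bug.
 * Caveat: distributions such as Debian and Ubuntu backported the fix while
 * keeping the old version string (e.g. "1.0.1e"), so a result of 1 means
 * "check the package changelog", not "definitely vulnerable". */
int openssl_banner_is_heartbleed_affected(const char *banner)
{
    int major, minor, patch;
    char suffix[32] = "";
    /* "%31[^ \t\n]" does not skip whitespace, so it only captures text glued
     * to the patch number: "e" in "1.0.1e", "-beta1" in "1.0.2-beta1", and
     * nothing at all in "1.0.1 14 Mar 2012". */
    int n = sscanf(banner, "OpenSSL %d.%d.%d%31[^ \t\n]",
                   &major, &minor, &patch, suffix);
    if (n < 3)
        return -1;
    if (major == 1 && minor == 0 && patch == 1) {
        /* a bare "1.0.1" or a letter a..f is affected; g and later are fixed */
        char letter = islower((unsigned char)suffix[0]) ? suffix[0] : 0;
        return (letter == 0 || letter <= 'f') ? 1 : 0;
    }
    if (major == 1 && minor == 0 && patch == 2 && strncmp(suffix, "-beta1", 6) == 0)
        return 1;
    return 0;
}

/* Constructed banners standing in for `openssl version` output collected
 * from a set of hosts; returns how many report an affected upstream release. */
int count_affected_hosts(void)
{
    static const char *fleet[] = {
        "OpenSSL 1.0.1e 11 Feb 2013",            /* affected unless backport-patched */
        "OpenSSL 1.0.1g 7 Apr 2014",             /* fixed release */
        "OpenSSL 1.0.0-fips 29 Mar 2010",        /* branch never had the bug */
        "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008", /* branch never had the bug */
        "OpenSSL 1.0.2-beta1 24 Feb 2014",       /* affected beta */
    };
    int affected = 0;
    for (size_t i = 0; i < sizeof fleet / sizeof fleet[0]; i++)
        if (openssl_banner_is_heartbleed_affected(fleet[i]) == 1)
            affected++;
    return affected;
}

int main(void)
{
    printf("hosts reporting an affected OpenSSL release: %d\n", count_affected_hosts());
    return 0;
}
```

Because of the backport caveat, treat the banner as a triage signal only: confirm a hit against the distribution’s package changelog or the build date from `openssl version -a` before calling a host vulnerable. The OpenSSL advisory also noted that hosts unable to upgrade immediately could be rebuilt with -DOPENSSL_NO_HEARTBEATS as a stopgap.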
What is Heartbleed?
Heartbleed is a bug in the very popular OpenSSL cryptographic library used by many modern servers throughout the world. OpenSSL provides the backbone of the encryption used for SSL (i.e. secure) communications over the web.
The bug allows a would-be attacker to read random “chunks” of memory from the server (64 Kb at a time). Over time, an attacker *could* recover the server’s secret SSL key, and then use that key to go back and decrypt data they had already collected.
The attack was discovered and published on April 7th. What makes this exploit so severe is that any remote attacker can request sensitive memory contents without leaving anything unusual in the server log files. The attacker does not need access to the server, and no more complicated “man in the middle” attack is required.
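To show concretely what “trusting the request” meant, here is an added, simplified simulation in C; it is not OpenSSL’s code. A heartbeat record claims a 40-byte payload but carries only 5 bytes, and the pre-fix handler echoes 40 bytes, pulling in a constructed “secret” placed just after the record in a buffer that stands in for server memory. The hardened handler applies the length check that OpenSSL 1.0.1g introduced. The arena layout, the record contents, the secret string and all function names are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed "process memory" for the demonstration: a heartbeat record at
 * the start, with made-up sensitive bytes right after it, standing in for
 * whatever happened to be adjacent on the real server's heap. */
#define ARENA_LEN     64
#define RECORD_LEN    8    /* 1 type byte + 2 length bytes + 5 payload bytes really sent */
#define CLAIMED_LEN   40   /* what the malicious record says its payload length is */
#define SECRET_OFFSET 8
static const char SECRET[] = "PRIVATE-KEY-BYTES";   /* constructed marker, not a real key */

static void build_arena(unsigned char *arena)
{
    memset(arena, 0, ARENA_LEN);
    arena[0] = 0x01;                              /* TLS1_HB_REQUEST */
    arena[1] = 0x00;                              /* payload length, big-endian: 40 */
    arena[2] = CLAIMED_LEN;
    memcpy(arena + 3, "HELLO", 5);                /* the only payload bytes on the wire */
    memcpy(arena + SECRET_OFFSET, SECRET, sizeof SECRET - 1);
}

/* Pre-fix logic (OpenSSL 1.0.1 to 1.0.1f): trust the peer's length field and
 * echo that many bytes, reading past the end of the record actually received.
 * For this demo the caller guarantees rec sits inside a buffer at least
 * 3 + claimed bytes long; a real server can make no such guarantee. */
static int heartbeat_vulnerable(const unsigned char *rec, unsigned char *out)
{
    if (rec[0] != 0x01)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    memcpy(out, rec + 3, payload);                /* the over-read that leaks memory */
    return (int)payload;
}

/* Post-fix logic (1.0.1g): the claimed payload plus the 3-byte header and the
 * 16-byte minimum padding must fit inside the record received; otherwise the
 * request is silently discarded, as RFC 6520 section 4 requires. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    if (rec_len < 1 + 2 + 16)
        return -1;
    if (rec[0] != 0x01)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + 16 > rec_len)
        return -1;
    memcpy(out, rec + 3, payload);
    return (int)payload;
}

/* 1 if the pre-fix handler's reply to the malicious record contains the secret. */
int vulnerable_reply_leaks_secret(void)
{
    unsigned char arena[ARENA_LEN], out[ARENA_LEN];
    build_arena(arena);
    int n = heartbeat_vulnerable(arena, out);
    if (n < (int)(SECRET_OFFSET - 3 + sizeof SECRET - 1))
        return 0;
    /* the secret lands in the reply at (its arena offset - 3 header bytes) */
    return memcmp(out + SECRET_OFFSET - 3, SECRET, sizeof SECRET - 1) == 0;
}

/* 1 if the fixed handler discards the same malicious record. */
int fixed_rejects_malicious(void)
{
    unsigned char arena[ARENA_LEN], out[ARENA_LEN];
    build_arena(arena);
    return heartbeat_fixed(arena, RECORD_LEN, out) == -1;
}

/* 1 if the fixed handler still answers a well-formed heartbeat. */
int fixed_accepts_valid(void)
{
    unsigned char rec[3 + 5 + 16], out[ARENA_LEN];
    rec[0] = 0x01; rec[1] = 0x00; rec[2] = 5;
    memcpy(rec + 3, "HELLO", 5);
    memset(rec + 8, 0xAA, 16);                    /* padding */
    return heartbeat_fixed(rec, sizeof rec, out) == 5 && memcmp(out, "HELLO", 5) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks adjacent secret: %d\n", vulnerable_reply_leaks_secret());
    printf("fixed handler rejects malicious record:   %d\n", fixed_rejects_malicious());
    printf("fixed handler accepts valid record:       %d\n", fixed_accepts_valid());
    return 0;
}
```

The point of the hardened version is that the server sizes its reply from the record it actually received, never from the length the peer claimed; the 16-byte term is the minimum padding RFC 6520 requires, so any request smaller than header plus padding is dropped before its length field is even read.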
How Real is this Threat?
The media sure likes to jump on a story like this. The “sky is falling” doomsday articles are a bit overblown.
That’s not to say this isn’t a big deal. It is. It needs to be taken seriously, and all internet providers should already be patched.
Once the exploit was released to the public (along with simple code anyone could run to take advantage of this bug), the threat became *VERY* real. Getting patched quickly was the best defense against Heartbleed.
However, here is my take on the odds of a hacker being able to find this vulnerability on his or her own, and then successfully use this information to exploit servers and data…
First, the hacker would have needed to be smart enough to find this vulnerability unaided. It took a team of researchers from a security company and Google to discover the flaw; it likely isn’t something the average hacker would have stumbled on alone.
For the sake of argument, let’s say one of the top hackers out there found out about this flaw. They would have needed to keep it quiet (which is certainly possible), as no one else had heard about it before the team announced it a few days ago.
Next, they would have needed to launch a targeted attack against a site or group of sites that they wanted to compromise (and that were running software vulnerable to this attack). This bug is not easy to exploit fully: it takes time, skill, and patience to collect random 64 Kb chunks, one connection at a time. Each fragment would need to be saved and examined in an attempt to recover the secret private key used to encrypt the data.
Only if this secret key could be pieced back together would the process of assembling those random fragments into usable chunks and decrypting them begin. It’s not something you can just write a few lines of code for and hit the jackpot. It requires a great deal of resources and know-how to pull off.
If all of the above did happen, the hacker would probably want to target something big, like a bank or a large site like Yahoo. It’s highly unlikely they would target small business websites, as the effort expended would far outweigh the potential data they might recover.
As you can see, the odds of this being pulled off *BEFORE* the bug was announced to the public are probably quite low. Something in the neighborhood of being struck by lightning twice in the same spot on the same day.
However, *AFTER* the bug was announced, the threat became much more real. With available code, the “script kiddies” could launch these attacks easily, and the potential for sensitive data to be found becomes quite high.
To reiterate, all LexiConn servers and accounts were fully patched against Heartbleed a few hours after the release was made public. The vast majority of our servers were not vulnerable to this attack at any time, so there was only a tiny chance it could have even been exploited in the past.
If you have any questions about this vulnerability as it relates to your account with us, just drop us an email, or give us a call.