In case anyone hasn’t heard, a major flaw in OpenSSL named “Heartbleed” went public last week, putting companies’ and consumers’ private information at risk.
What is “Heartbleed”?
Heartbleed is a bug in OpenSSL (CVE-2014-0160) that resides in its TLS heartbeat mechanism. A heartbeat request tells the server how many bytes of payload to echo back, and the vulnerable code did not check that declared length against the bytes actually received, so an attacker can ask for far more data than should be allowed to be copied out of the server's memory and returned. The response therefore contains data from the server's memory, which may hold sensitive information that the software never intended to disclose.
Public reports indicate that passwords, servers' private keys (the keys behind their TLS certificates), and other very sensitive data are at risk.
Was Imperva impacted?
Some of our products and services were vulnerable to the bug. We don’t believe any were impacted by exploits. You can read the details here.
What can you do to protect your company?
Imperva and Incapsula both provide mitigation for applications protected by our WAFs as follows:
- SecureSphere customers can configure SecureSphere WAF to block Heartbleed attacks
- Incapsula customers are protected: see how
- Neither? Sign up for Incapsula now using the free trial to close the gap while you evaluate your options.
If none of these is an option, upgrading OpenSSL to a fixed release (version 1.0.1g or newer) resolves the vulnerability at the software infrastructure level, and is a best practice.
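To make the check concrete, here is an added Python example (not Imperva, Incapsula or OpenSSL code) that covers both the mechanism described under "What is Heartbleed?" and the blocking the WAF options above refer to. It assumes the TLS record and heartbeat message layouts from RFC 5246 and RFC 6520 and applies the bound the 1.0.1g fix introduced: a heartbeat must fit its type byte, its two-byte length field, the declared payload and 16 bytes of padding inside the record that carried it. The sample records, the "ping" payload and the verdict strings are constructed for this example.

```python
import struct

# TLS constants from RFC 5246 / RFC 6520. Everything in this file is a
# constructed, offline illustration, not Imperva, Incapsula or OpenSSL code.
CONTENT_TYPE_HEARTBEAT = 0x18
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520 requires at least 16 bytes of padding


def parse_record(data: bytes):
    """Split one TLS record into (content_type, version, body).
    Returns None when the record is shorter than its header claims."""
    if len(data) < 5:
        return None
    content_type, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        return None
    return content_type, version, body


def heartbeat_is_malformed(body: bytes) -> bool:
    """The bound the OpenSSL 1.0.1g fix enforces: type (1) + payload_length (2)
    + declared payload + padding (16) must fit inside the record body.
    The unpatched code copied payload_length bytes regardless of body size."""
    if len(body) < 3:
        return True
    payload_len = struct.unpack("!H", body[1:3])[0]
    return 1 + 2 + payload_len + PADDING_LEN > len(body)


def patched_heartbeat_response(body: bytes):
    """Echo the payload the way a fixed server does; malformed requests are
    dropped instead of being answered with memory contents."""
    if heartbeat_is_malformed(body) or body[0] != HEARTBEAT_REQUEST:
        return None
    payload_len = struct.unpack("!H", body[1:3])[0]
    payload = body[3:3 + payload_len]
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_len)
            + payload + b"\x00" * PADDING_LEN)


def classify_records(records):
    """Inspection logic of the kind a WAF or IDS rule would apply to each
    captured TLS record: returns a list of (index, verdict)."""
    verdicts = []
    for i, rec in enumerate(records):
        parsed = parse_record(rec)
        if parsed is None:
            verdicts.append((i, "truncated"))
            continue
        ctype, _version, body = parsed
        if ctype != CONTENT_TYPE_HEARTBEAT:
            verdicts.append((i, "not-heartbeat"))
        elif heartbeat_is_malformed(body):
            verdicts.append((i, "heartbleed-shape"))
        else:
            verdicts.append((i, "heartbeat-ok"))
    return verdicts


# Constructed sample traffic: record header is type 0x18, TLS 1.1, length 23.
SAMPLE_RECORDS = [
    # benign: 4-byte payload "ping", length field 4, 16 bytes of padding
    bytes.fromhex("1803020017") + b"\x01\x00\x04" + b"ping" + b"\x00" * 16,
    # malformed: the same 4-byte payload, but the length field claims 0x4000 bytes
    bytes.fromhex("1803020017") + b"\x01\x40\x00" + b"ping" + b"\x00" * 16,
    # unrelated application-data record (type 0x17)
    bytes.fromhex("1703020005") + b"hello",
]

if __name__ == "__main__":
    for idx, verdict in classify_records(SAMPLE_RECORDS):
        print(idx, verdict)
```

The same comparison between the declared payload length and the record length is what a WAF rule for this bug boils down to, which is why it can be applied in front of an unpatched server without understanding the application behind it. Note that the check only stops new requests from being answered; it says nothing about what an unpatched server may already have disclosed before the check was in place.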
As a consumer, how can I protect myself?
Mashable.com produced a list of affected sites that may have been compromised due to this bug. We recommend changing your passwords if you happen to have accounts on those sites, mostly for good measure.
Is this a big deal?
Yes. Heartbleed is one of the biggest Internet infrastructure vulnerabilities on record, not necessarily for its sophistication, but for the fact that it affects a majority of applications online and therefore has the potential to expose large amounts of sensitive data.
When the dust settles…
Heartbleed will be another event that highlights how hard it is for companies to ensure that their code base is secure. The reason is that almost all code includes third-party software, and that software may come with its own vulnerabilities. When that software happens to be used by the majority of the sites on the Internet, the result is a big deal. But in case you want to dismiss this as a niche problem for SSL, think about how widely other frameworks (like Java or PHP or…) are used.