"Heartbleed" is a catchy name for a cyber vulnerability, but how exactly does it work, and how can you (and your enterprise's employees) be better protected against it?
“Heartbleed” (tracked as CVE-2014-0160) is a flaw in OpenSSL, a widely used cryptographic library that handles the encrypted HTTPS connections between browsers and websites. It could allow a malicious actor to send a specially crafted message to a vulnerable server and read back chunks of that server’s memory, which can include passwords, session cookies and even the server’s private encryption key, according to Gizmodo.
The bug lives in the TLS “heartbeat,” a small keep-alive message in which one side sends a short payload, declares how long it is, and expects the other side to echo it back. Vulnerable versions of OpenSSL (1.0.1 through 1.0.1f) trusted the declared length without checking it against the data actually received, so an attacker can send a one-byte payload while claiming it is up to 64 kilobytes long. The server then copies that much from its own memory into the reply, including whatever private data happened to sit next to the request, and the attacker can repeat this as often as it likes without the server recording anything unusual in its logs.
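The following Python model of the heartbeat handler, added here as an illustration rather than taken from OpenSSL itself, shows the difference between the vulnerable length handling and the check added in the fix. The message layout (type byte, two-byte payload length, payload, 16 bytes of padding) follows RFC 6520; the “process memory” and the secret string placed next to the request are constructed for the example.

```python
import struct

# Constructed fixture: a simulated slice of server process memory. The inbound
# TLS record is copied to the start of a heap buffer, and other allocations
# (here a made-up session cookie) sit immediately after it.
SECRET = b"session=ab12cd34ef56; user=alice@example.com"

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat_request(payload: bytes, claimed_length: int) -> bytes:
    """Encode type(1) | payload_length(2) | payload | padding.

    claimed_length is written into the header independently of len(payload)
    so that the malformed request Heartbleed relies on can be crafted.
    """
    header = struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length)
    return header + payload + b"\x00" * PADDING_LEN


def handle_heartbeat_vulnerable(record: bytes, process_memory: bytes):
    """Mimics the pre-1.0.1g logic: trust payload_length and copy that many
    bytes starting at the payload offset, walking past the end of the record
    into whatever lies next in memory. (Our simulated memory ends where the
    fixture ends, so fewer bytes than claimed come back; a real server keeps
    going up to the claimed 64 KB.)"""
    hb_type, payload_length = struct.unpack("!BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST:
        raise ValueError("not a heartbeat request")
    echoed = process_memory[3:3 + payload_length]
    header = struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length)
    return header + echoed + b"\x00" * PADDING_LEN


def handle_heartbeat_fixed(record: bytes, process_memory: bytes):
    """Mimics the 1.0.1g fix: discard the message if the declared payload plus
    header and padding does not fit inside the record actually received."""
    if 1 + 2 + PADDING_LEN > len(record):
        return None  # silently discard, as the fix does
    hb_type, payload_length = struct.unpack("!BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST:
        raise ValueError("not a heartbeat request")
    if 1 + 2 + payload_length + PADDING_LEN > len(record):
        return None  # silently discard per RFC 6520 section 4
    echoed = record[3:3 + payload_length]
    header = struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length)
    return header + echoed + b"\x00" * PADDING_LEN


def simulate(handler, payload: bytes, claimed_length: int):
    """Run one heartbeat through a handler and return the echoed payload, or
    None if the handler discarded the request."""
    record = build_heartbeat_request(payload, claimed_length)
    process_memory = record + SECRET  # constructed: secret sits after the record
    response = handler(record, process_memory)
    if response is None:
        return None
    length = struct.unpack("!H", response[1:3])[0]
    return response[3:3 + length]


if __name__ == "__main__":
    honest = simulate(handle_heartbeat_vulnerable, b"ping", 4)
    print("honest request, vulnerable server:", honest)
    leaked = simulate(handle_heartbeat_vulnerable, b"x", 0x4000)
    print("malformed request, vulnerable server:", leaked)
    print("secret leaked:", SECRET in leaked)
    print("malformed request, fixed server:", simulate(handle_heartbeat_fixed, b"x", 0x4000))
```

With an honest request both handlers echo the four-byte payload. With a one-byte payload and a claimed length of 16 KB, the vulnerable handler returns the payload followed by the secret that sat next to it in memory, while the fixed handler returns nothing at all, which is exactly the behaviour the OpenSSL 1.0.1g patch introduced.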
Unfortunately, due to the widespread use of OpenSSL, Heartbleed affected an estimated 500,000 websites, from mom-and-pop retailers to international conglomerates, The Washington Post reports. Once a site has updated OpenSSL, the next step is to generate a new private key, obtain a new certificate and revoke the old one, since the old key may already have been stolen; doing this before patching only hands attackers a fresh key to steal. That sounds simple enough, but revocation at this scale could slow page loads, because browsers that check revocation status must download certificate revocation lists that have suddenly grown far larger than usual.
A patch (OpenSSL 1.0.1g, released April 7, 2014) has been issued, but that does not by itself make it safe to change passwords. A new password sent to a site that is still running a vulnerable version can be stolen just like the old one. Change passwords only after a site confirms it has updated OpenSSL and replaced its certificate; one practical check is to look at the certificate’s issue date in the browser, which should fall after the date the site announced its fix.
So far, some of the biggest websites affected, or claiming a possible vulnerability for safety’s sake, include:
- Amazon Web Services
- Dropbox
- Gmail
- GoDaddy
- Netflix
- OKCupid
- SoundCloud
- Tumblr
- USAA
- Yahoo
Even more worrisome, especially for enterprises with large mobile workforces, smartphones and tablets running a specific version of Android were affected by the bug, which could potentially put login information from those devices at risk, Yahoo reports. Because the flaw is in the library on both ends of a connection, a vulnerable phone can have its memory read by a malicious or compromised server it connects to. Google assured Android users in an April 9 blog post that most versions are not affected, but the 4.1.1 Jelly Bean version is a “limited exception.” That version, released in mid-2012, is likely to be running on older Android smartphones. Google reports that about 34 percent of Android devices use some version of 4.1 Jelly Bean, but fewer than 10 percent of devices in use are vulnerable.