The bug allows hackers to intercept secure communications and steal information 
 
Symantec warns of a recently discovered vulnerability in one of the most widely used implementations of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) cryptographic protocols, which presents a serious and immediate danger to any unpatched web server. The bug, known as Heartbleed, allows hackers to intercept secure communications and steal sensitive information such as login credentials, passwords, personal data, and even decryption keys.
 
This threat illustrates a shift in the behavior of cyber criminals, who now seek big rewards and are willing to work for months to achieve their goals. Symantec's new report on Threats to Information Security points out that this type of attack is becoming increasingly common. In 2013, it was already possible to observe an increase of 62% in the number of leaks of data and sensitive information, in addition to more than 552 million identities exposed through those leaks.
 
Heartbleed, or the OpenSSL TLS 'heartbeat' Extension Information Disclosure Vulnerability (CVE-2014-0160), affects an OpenSSL component known as Heartbeat. OpenSSL is one of the most widely used implementations of the SSL and TLS protocols.
 
How this vulnerability works
 
The Heartbeat extension sends a message to the OpenSSL server, which in turn relays that message back to the sender, confirming that the connection is still alive. The message contains two components: a data packet known as the payload, which can be up to 64 KB, and a field stating the payload's size.
 
However, the Heartbleed vulnerability in OpenSSL allows an attacker to falsify the payload size information. For example, they could send a payload of only one kilobyte while declaring its size as 64 KB, and the server responds with that much data from its memory. The Heartbleed bug is the latest in a series of SSL/TLS vulnerabilities discovered this year. TLS and its older predecessor SSL are both secure protocols for communicating over the Internet; they work by encrypting traffic between two computers.
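The size check that the patched OpenSSL performs, shown as an added example that is not code from Symantec or from OpenSSL: the parser below reads a heartbeat message (type, declared payload length, payload, padding), rejects any message whose declared length does not fit inside the bytes actually received, and returns only the genuine payload for the echo. The message builder and its sample messages are constructed here for illustration.

```python
import struct
from typing import Optional

# TLS heartbeat message layout (RFC 6520): 1-byte type, 2-byte big-endian
# payload length, the payload itself, then at least 16 bytes of padding.
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3
MIN_PADDING = 16


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Constructed sample request. claimed_length, when given, overrides the
    true payload length so a malformed message can be fed to the parser."""
    length = len(payload) if claimed_length is None else claimed_length
    header = struct.pack("!BH", HEARTBEAT_REQUEST, length)
    return header + payload + b"\x00" * MIN_PADDING


def parse_heartbeat(record: bytes) -> bytes:
    """Return the payload a correct responder should echo back.

    Raises ValueError when the declared payload length does not fit inside
    the received record. The unpatched code trusted the declared length and
    copied that many bytes from memory; this bounds check is the fix.
    """
    if len(record) < HEADER_LEN + MIN_PADDING:
        raise ValueError("record too short to be a heartbeat message")
    msg_type, claimed = struct.unpack("!BH", record[:HEADER_LEN])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise ValueError(f"unexpected heartbeat type {msg_type}")
    # Declared payload plus mandatory padding must fit in what was received.
    if HEADER_LEN + claimed + MIN_PADDING > len(record):
        raise ValueError(
            f"declared payload of {claimed} bytes exceeds {len(record)}-byte record"
        )
    return record[HEADER_LEN:HEADER_LEN + claimed]


def is_accepted(record: bytes) -> bool:
    """True if the message passes the bounds check, False if it is rejected."""
    try:
        parse_heartbeat(record)
        return True
    except ValueError:
        return False
```

A well-formed 1 KB request is echoed intact, while a 1 KB body that declares 65535 bytes (the largest value the 16-bit field can hold) is rejected before any copy happens.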
 
To protect yourself from this vulnerability
 
Companies:
• Any user of OpenSSL 1.0.1 through 1.0.1f must update the software to the latest version – 1.0.1g – or recompile OpenSSL with the Heartbeat extension disabled.
 
• If, after installing the update, you believe that the web server's certificate may have been compromised, contact the certificate authority that issued it and request a replacement;
 
• In addition, as a good practice, companies should consider resetting end-user passwords – especially for accounts showing signs of a breach.
 
Consumers:
 
• Be aware that your data may be seen by third parties, especially if you use vulnerable service providers.
 
• Follow any announcements from the service providers you use. Once a provider reports that it was affected by the vulnerability, change your password there.
 
• Avoid opening emails with suspicious links, as they may be phishing messages: bait designed to get your click.
 
• Do not access dubious websites. Opt for official and reputable portals.
 
• Keep track of your bank account and credit card statements. Be wary of any transactions that are unusual for you.
 