11 Apr

Heartbleed, SSL, and What You Need to Know…

So earlier this week the IT world got a nasty little shock in the form of the Heartbleed Bug, a horrid little slip of code in the Open Source OpenSSL library that is causing headaches for IT folks the world over by now.

Long story short, versions of OpenSSL released since March 2012 (v1.0.1) up until this week have a bug that allows an attacker to gain access to “leaked” chunks of server memory, in some cases revealing sensitive information. We've seen reports of this being used to access username/password combinations, and other pieces of information that may be stored in a server or devices memory at the time of the exploit.

At this point we have confirmed that all Pure Energy Systems managed servers and systems are not vulnerable to the Heartbleed exploit. In some cases (such as our older CentOS5 based servers) the OpenSSL library on the device was entirely unaffected (being based on v0.9.8) while in some newer cases, most notably the new nameservers we just rolled out over the last couple weeks, the security updates that fixed the bug were rolled out onto servers as soon as they were available from the various software vendors.

Our upstream providers (datacenters, etc) have been running around doing the same, identifying which of their systems are accessible to the internet at large, which ones may be impacted and patching where applicable.

As much as I hate to say it however, I do not believe we, the internet at large, have quite seen the last of the fallout from this bug as of yet. Due to the widespread adoption of the OpenSSL library, we've seen and heard of all sorts of devices and application stacks out in the wild that appear to be impacted by this bug, everything from Firewalls, Routers, Virtualization Platforms, even some Phone Systems.

I'm almost certain there will be many tech folks running around over the weekend who'll be testing, verifying, and determining which of their company's products are impacted, and I suspect we'll be seeing “Security Update Required!” notices coming out from anyone and everyone over the next few weeks. Keep an eye on your inbox for updates from any company's you utilize, and if you have any type of internet facing device or system (for instance, a home broadband router) with an SSL protected port that is available to the internet, it may be wise to check with the vendor to see if they have determined it's status.