Retailers Scramble to Stop Heartbleed Bug

The bug could cause significant disruptions to the Internet over the next few weeks.

April 18, 2014

WASHINGTON – Efforts continue to fix the ubiquitous Heartbleed bug worldwide, and retailers are “scrambling to both find vulnerabilities and reassure customers,” writes FierceRetail.com. However, the threat is far from over.

The Heartbleed vulnerability, announced April 7, is a serious flaw in OpenSSL, a widely used implementation of the SSL/TLS encryption meant to keep usernames, passwords and other data safe. Although a fix is now available, the flaw has existed for two years and could already have exposed user data. And even though a fix is available, it has not yet been widely deployed.

The Heartbleed Bug (CVE-2014-0160) is a serious vulnerability in the popular OpenSSL cryptographic software library, a weakness that allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). The flaw is not in the SSL/TLS protocol itself but in OpenSSL's implementation of the TLS heartbeat extension: a missing bounds check lets a client ask for a larger "echo" than it actually sent, and the server answers with whatever happens to follow the request in its memory. The bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software, up to 64 KB per request, with no trace in the server's logs. Affected releases are OpenSSL 1.0.1 through 1.0.1f; the fix shipped in 1.0.1g. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. It also allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

“So much of our infrastructure is reliant on open source code — dedicated programmers but little ability to QA in detail,” said PCATS Executive Director Gray Taylor. “Retailers, banks — virtually all online businesses — rely on these de facto standards and are therefore open to security holes that lie buried deep in the generally accepted software of the Internet. There is no easy answer, other than to focus on how we perform secure transactions in dirty environments, but with Heartbleed, we can’t even seem to accomplish this. Peer-to-peer hardware tokenization appears to be our best bet.”

Security experts warn that many sites will have a difficult time even determining whether they are affected by the Heartbleed problem, and few tools exist to verify that the security gap has been closed. Experts further caution consumers against changing passwords on high-value sites, such as banks or retailers, until the site confirms that its SSL issues have been corrected: a new password sent to a still-vulnerable server can be stolen the same way as the old one.
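The two points above, the missing length check that lets a heartbeat request read past its own record, and the difficulty of telling whether a given OpenSSL build is affected, can be illustrated in a few lines. What follows is an added example written for this page, not OpenSSL's own code: it models the heartbeat handler in Python with a constructed "process memory" buffer in which a fake secret sits right behind the received record, and pairs the vulnerable handler with one that applies the RFC 6520 bounds check. The version-string helper is likewise an assumption about the `openssl version` banner format and checks only the 1.0.1 series.

```python
"""Model of the Heartbleed (CVE-2014-0160) bounds-check omission.

Added example, not OpenSSL source. A TLS heartbeat message is
type (1 byte) | payload_length (2 bytes) | payload | padding (>= 16 bytes).
The vulnerable code trusted payload_length from the header instead of the
real record length, so the echo copied bytes that were never sent.
"""
import re
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of random padding

# Constructed heap contents placed right after the received record.
# In a real process this could be a session cookie, a password, or key material.
LEAKED_SECRET = b"session=abc123; Authorization: Basic dXNlcjpwYXNz"


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Build a heartbeat request. An honest client uses claimed_length == len(payload)."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + b"\x00" * MIN_PADDING


def vulnerable_handler(memory: bytes, record_length: int) -> bytes:
    """Echo payload_length bytes, trusting the attacker-controlled header.

    record_length (the number of bytes actually received) is ignored, which is
    the bug. Python slicing stops at the end of the buffer; a C memcpy would not.
    """
    hb_type, payload_length = struct.unpack("!BH", memory[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    echoed = memory[3:3 + payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + echoed + b"\x00" * MIN_PADDING


def fixed_handler(memory: bytes, record_length: int) -> bytes:
    """Same echo, but the claimed length must fit inside the received record."""
    if record_length < 1 + 2 + MIN_PADDING:
        return b""  # too short to even hold a header plus padding: discard silently
    hb_type, payload_length = struct.unpack("!BH", memory[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    if 1 + 2 + payload_length + MIN_PADDING > record_length:
        return b""  # RFC 6520 check: claimed payload does not fit, discard silently
    echoed = memory[3:3 + payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + echoed + b"\x00" * MIN_PADDING


def simulate(handler, claimed_length: int, payload: bytes = b"hello") -> bytes:
    """Deliver one heartbeat to the handler with the secret lying just past the record."""
    request = build_heartbeat(payload, claimed_length)
    memory = request + LEAKED_SECRET  # constructed layout, record first, then other heap data
    return handler(memory, len(request))


def openssl_version_vulnerable(banner: str) -> bool:
    """True if the banner names an OpenSSL 1.0.1 release before 1.0.1g.

    Assumes the 'OpenSSL 1.0.1e 11 Feb 2013' form printed by `openssl version`.
    Caveats: builds compiled with -DOPENSSL_NO_HEARTBEATS are not exploitable,
    and distribution backports often patch without changing the letter, so a
    True result means 'needs checking', not 'confirmed vulnerable'.
    """
    m = re.search(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)", banner)
    if not m:
        return False
    major, minor, fix, letter = int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)
    return (major, minor, fix) == (1, 0, 1) and letter < "g"


if __name__ == "__main__":
    # Honest request: both handlers echo the 5-byte payload.
    print(simulate(vulnerable_handler, 5)[3:8], simulate(fixed_handler, 5)[3:8])
    # Malicious request claiming 4000 bytes: only the vulnerable handler leaks.
    print(LEAKED_SECRET in simulate(vulnerable_handler, 4000), simulate(fixed_handler, 4000))
    print(openssl_version_vulnerable("OpenSSL 1.0.1e 11 Feb 2013"))
```

The check in `fixed_handler` is the whole fix: compare the claimed payload length against the bytes actually received before copying. A site that wants to confirm closure should test behaviour, not just the banner, because a patched build may still report a pre-1.0.1g version string.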
