If you are an admin and have been living under a rock here is a newsflash for you: A security flaw was recently discovered in OpenSSL, specifically version 1.01, which is the version that has been shipping since March 2012. Codenamed Heartbleed, the vulnerability was discovered by researchers at Google and Codenomicon. The hole allows an attacker to access data that should not be visible to them. This would include things like Banking information, passwords, sensitive documents and all the other dirty laundry you would be best advised to keep away from prying eyes. Others say it is possible to obtain the keys used in the communication process itself which means that the communication between a user and the server can be hijacked with a man in the middle attack.
To check if your website is vulnerable go to this page and enter your website’s address.
Since OpenSSL is at the core of most web servers and other services, this is a serious vulnerability. What is even more worrying is that ever since the vulnerability was publicised, a lot of proof of concept scripts have been appearing online which means that if you do not urgently patch your site, you will not only have serious hackers, but script kiddies to contend with. What is comforting however is the speed with which the developers of OpenSSL and distribution administrators have responded to the threat: Ubuntu, Centos, Debian, Red Hat and SUSE have already released the appropriate patches to deal with this threat. All you need to do is to install the latest updates for your system.
Over the past several months we have learnt how Zimbabwean web admins are a slothful lot. Random attacks by hacktivists from the netherworld exposed security holes in several websites, security holes for which patches had been released and in existence for a while.I initially did not think this article was necessary because, after all, every administrator should keep abreast of all security news pertinent to their set up. Using the website however, I was alarmed to see that a number of popular Zimbabwean websites have not applied the patch yet although thankfully all the online banking sites I tested seem to have fixed the issue.
Picture Credit: Heartbleed.com
Share
Home
3 comments
As a precaution, If you were using one of the outed packages (a-f) it is recommended that you rotate your SSL certificates as soon as possible
Thanks for the suggestion. It seems most major sites are doing the same.
When you are finished patching your system, you still have to get a new public or private key pair, update your SSL certificate and then change every password because the attackers could already have accessed your password.