Protect Your Assets

Heartbleed does not kill you. Just yet!

Sri_Karnam 04-14-2014 08:30 AM - edited 07-07-2015 09:48 AM

A missing bounds check in one function of OpenSSL went unnoticed for more than two years. It was not a problem until April 2014, when researchers showed that the flaw could be exploited remotely. How?


The Internet was built on trust, at a time when little private information travelled over it. Where encryption was used at all, it was symmetric: the sender and the receiver shared the same key, and each simply trusted the other not to misuse it.


Think of it like this: when you travel for a few days, you give a neighbour a key so they can feed your cat. You hand over the key on trust alone. Nothing stops the same key from being used to get at information in your home that the neighbour was never meant to see.


Technically, what does it mean?


Heartbleed is a flaw in OpenSSL, the open-source cryptographic library used by the majority of websites that need to transmit data their users want kept secure. OpenSSL is an open-source implementation of SSL and its successor protocol, TLS (Transport Layer Security). It is what gives you a secure line when you send an email, chat over IM or log in to a website.


Heartbleed (CVE-2014-0160), disclosed on 7 April 2014, is a bug in the TLS heartbeat extension code of OpenSSL 1.0.1 through 1.0.1f that lets an attacker read memory from a server that is supposed to be secured against intrusion. A heartbeat request states how many bytes of payload it carries, and the vulnerable code copies that many bytes back into the response without checking how many bytes were actually received. Anyone on the Internet can therefore read up to 64 KB of the process's memory per request, and repeat the request as often as they like, with no authentication. That memory can hold the private keys that identify the service and encrypt its traffic, session cookies, user names and passwords, and the actual content of the connection.


The good news is that, so far, there is no evidence that it has been exploited. The bad news is why: a heartbeat request never reaches the application, so it leaves no entry in the server's normal logs, and absence of evidence here is not evidence of absence.
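To make the memory read described above concrete, here is an added C example (not OpenSSL's code and not from the original post) that models the heartbeat handling in a single process: a handler with the same missing check as OpenSSL 1.0.1f, the handler with the two bounds checks that 1.0.1g added, and the wire-level check a network IPS can apply, which matters because the server itself logs nothing. The simulated memory, the secret string, the record layout and the function names (process_heartbeat_vuln, process_heartbeat_fixed, heartbeat_record_malformed, secret_leaks, wire_check) are constructed for this demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message (RFC 6520): 1-byte type, 2-byte big-endian
 * payload_length, the payload, then at least 16 bytes of padding. */
#define HB_REQUEST        1
#define HB_RESPONSE       2
#define HB_PADDING        16
#define TLS_CT_HEARTBEAT  0x18

/* Simulated process memory (constructed for this example): the received TLS
 * record sits at offset 0 and an unrelated secret sits 32 bytes in, the way a
 * session cookie or key material might on a real heap. Sized so that even a
 * 65535-byte claim stays inside the array; on a real server the read simply
 * continues into whatever happens to follow the record. */
#define MEM_SIZE 65600
static unsigned char mem[MEM_SIZE];
static unsigned char resp[MEM_SIZE];
static const char SECRET[] = "SESSION=cafebabe; user=alice; pw=hunter2";  /* constructed */

typedef int (*hb_handler)(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap);

/* Build a TLS heartbeat record in 'mem' whose header claims 'claimed_len'
 * payload bytes but which actually carries only 'payload'. Returns the real
 * heartbeat length (bytes after the 5-byte TLS record header). */
size_t build_record(uint16_t claimed_len, const char *payload) {
    size_t n = strlen(payload), hb_len = 3 + n + HB_PADDING;
    memset(mem, 0, sizeof mem);
    mem[0] = TLS_CT_HEARTBEAT; mem[1] = 0x03; mem[2] = 0x02;          /* TLS 1.1 */
    mem[3] = (unsigned char)(hb_len >> 8); mem[4] = (unsigned char)hb_len;
    mem[5] = HB_REQUEST;
    mem[6] = (unsigned char)(claimed_len >> 8); mem[7] = (unsigned char)claimed_len;
    memcpy(mem + 8, payload, n);                 /* padding is already zero */
    memcpy(mem + 32, SECRET, sizeof SECRET);     /* unrelated data past the record */
    return hb_len;
}

/* Shared response builder: echoes 'payload' bytes starting at 'p'. */
static int reply(const unsigned char *p, uint16_t payload, unsigned char *out, size_t out_cap) {
    size_t total = 1 + 2 + (size_t)payload + HB_PADDING;
    if (total > out_cap) return -1;   /* OpenSSL malloc'd exactly 'total'; capped for the demo */
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, p, payload);      /* reads 'payload' bytes, whatever lies there */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)total;
}

/* Vulnerable handler, same logic as OpenSSL 1.0.1f: the attacker-supplied
 * payload_length is trusted and never compared with the bytes received. */
int process_heartbeat_vuln(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap) {
    (void)rec_len;                    /* the bug: the real record length is never consulted */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return reply(rec + 3, payload, out, out_cap);
}

/* Fixed handler with the two bounds checks added in OpenSSL 1.0.1g: a
 * malformed request is dropped silently, as RFC 6520 section 4 requires. */
int process_heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    if (1 + 2 + HB_PADDING > rec_len) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1;   /* the fix */
    return reply(rec + 3, payload, out, out_cap);
}

/* Wire-level check an IPS can apply without touching the server: given a TLS
 * record (5-byte header: content type, version, length), returns 1 if it is a
 * heartbeat whose claimed payload cannot fit inside the record. A real sensor
 * reassembles the stream first so a record split across segments is not flagged. */
int heartbeat_record_malformed(const unsigned char *tls, size_t len) {
    if (len < 5 + 3 || tls[0] != TLS_CT_HEARTBEAT) return 0;
    size_t rec_len = (size_t)((tls[3] << 8) | tls[4]);
    if (rec_len + 5 > len) return 1;             /* record longer than what arrived */
    uint16_t payload = (uint16_t)((tls[6] << 8) | tls[7]);
    return 1 + 2 + (size_t)payload + HB_PADDING > rec_len;
}

/* Run one handler against a request claiming 'claimed_len' bytes.
 * Returns 1 if the secret appears in the response, 0 if not, -1 if dropped. */
int secret_leaks(hb_handler handler, uint16_t claimed_len) {
    size_t rec_len = build_record(claimed_len, "hi");
    int n = handler(mem + 5, rec_len, resp, sizeof resp);
    if (n < 0) return -1;
    for (size_t i = 0; i + sizeof SECRET - 1 <= (size_t)n; i++)
        if (memcmp(resp + i, SECRET, sizeof SECRET - 1) == 0) return 1;
    return 0;
}

/* What the IPS sees: only the 26 bytes actually on the wire. */
int wire_check(uint16_t claimed_len) {
    build_record(claimed_len, "hi");
    return heartbeat_record_malformed(mem, 5 + 3 + 2 + HB_PADDING);
}

int main(void) {
    printf("vulnerable, claim 16384: leak=%d\n", secret_leaks(process_heartbeat_vuln, 0x4000));
    printf("fixed,      claim 16384: leak=%d\n", secret_leaks(process_heartbeat_fixed, 0x4000));
    printf("fixed,      honest claim: leak=%d\n", secret_leaks(process_heartbeat_fixed, 2));
    printf("IPS flags claim 16384: %d, honest: %d\n", wire_check(0x4000), wire_check(2));
    return 0;
}
```

The vulnerable handler answers the oversized request with 16 KB of memory that includes the unrelated secret; the fixed handler drops it without a reply, which is why a patched server gives an attacker nothing to distinguish it from one that simply ignores heartbeats. The wire check is the same comparison the fix performs, only done on the record header by a device in front of the server, which is the only place the attempt leaves a trace.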


Theo de Raadt, founder of OpenBSD, pointed out that OpenSSL's own freelist allocator sat in front of the system malloc, so the exploit mitigations that malloc implementations such as OpenBSD's provide never saw the over-read. His comment: 

> OpenSSL has exploit mitigation countermeasures to make sure it's exploitable

Vulnerabilities and threats come in every shape and form. You need multiple layers of security so that a zero-day like this one does not bring down your organization.


HP's enterprise security portfolio is built on that layered approach, so that an incident like this stays contained. HP Security Research publishes threat intelligence on Heartbleed that feeds the rest of the stack: TippingPoint IPS and next-generation firewall filters that drop malformed heartbeat requests on the wire, and ArcSight content that surfaces the attempts in the SIEM. The products themselves, ArcSight, TippingPoint and Fortify, have been tested to confirm that they are not exposed to Heartbleed or to other known exploitable bugs.


Finally, Fortify, HP's static and dynamic application security scanning tool, has invited open-source projects to submit their code for free application scanning so that issues of this kind are found before they ship. 

