Cybercriminals are using Heartbleed, an OpenSSL Web server security flaw, to access credit card information, e-mails and passwords that are stored in the cloud. What is being done to stop Heartbleed? And how can companies manage cloud security risks in the future?

Dan Kobialka, Contributing writer

April 9, 2014


Google (GOOG) and Finnish security firm Codenomicon released details this week about Heartbleed (CVE-2014-0160), a major security flaw in the OpenSSL library that a large share of the world's Web servers rely on for HTTPS. Heartbleed lets an attacker read chunks of a vulnerable server's memory, which can expose website data and visitors' personal information, including credit card numbers, e-mails and passwords handled by cloud services, as well as the private keys that protect the server's encrypted connections.

An attack leaves no trace in a Web server's logs, because the malicious heartbeat is handled inside the TLS layer before any request reaches the application, so it is impossible to tell exactly how many websites have been exploited. The bug went unnoticed for roughly two years and could have affected thousands of OpenSSL Web servers across the globe. The U.S. Department of Homeland Security yesterday warned businesses about Heartbleed and asked them to review their Web servers to find out whether they are running vulnerable versions of OpenSSL.

According to The Economist, up to two-thirds of the world's websites are vulnerable to Heartbleed attacks. The flaw was introduced in OpenSSL 1.0.1, released in March 2012, in the code that implements the TLS heartbeat extension: a keep-alive feature that lets a computer at one end of an encrypted link send a short message and ask the computer at the other end to echo it back, confirming that it is still online. The coding error is a missing bounds check. OpenSSL trusted the payload length stated in the incoming heartbeat request instead of the number of bytes it had actually received, so researchers at Google and at Codenomicon independently found that a tiny request claiming a payload of up to 64 KB makes the server reply with that much of its own memory. Repeating the request returns different slices of memory, which is how session cookies, passwords and even the server's private key can be recovered.
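The mechanism described above, as an added example that is not code from the article or from the OpenSSL project: a small C simulation of the heartbeat handler, with the pre-1.0.1g logic that trusts the packet's payload_length beside the length check that the fix added. The server_mem buffer, the planted session secret and the probe names are constructed for the demonstration; the real bug read from whatever followed the record on the live heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1     /* HeartbeatMessageType values from RFC 6520 */
#define HB_RESPONSE 2
#define HB_PADDING  16    /* minimum padding the RFC requires after the payload */
#define MEM_SIZE    256   /* size of the constructed "process memory" */

/* Constructed stand-in for the server's process memory. The received heartbeat
 * record is laid out at offset 0, and whatever the process holds right after it
 * (here a made-up session secret) is what an over-read exposes. Assumption: the
 * record and the secret are adjacent in memory. */
static unsigned char server_mem[MEM_SIZE];
static const char secret[] = "session_cookie=abc123; password=hunter2";

/* Lay out a heartbeat request whose header CLAIMS claimed_len payload bytes but
 * which actually carries actual_len bytes. Returns the number of bytes really
 * received, i.e. the record length the server knows about. */
static size_t stage_request(uint16_t claimed_len, const unsigned char *payload,
                            size_t actual_len) {
    unsigned char *p = server_mem;
    memset(server_mem, 0, sizeof server_mem);
    *p++ = HB_REQUEST;
    *p++ = (unsigned char)(claimed_len >> 8);   /* payload_length, big-endian */
    *p++ = (unsigned char)(claimed_len & 0xff);
    memcpy(p, payload, actual_len);
    p += actual_len + HB_PADDING;                /* padding is already zeroed */
    memcpy(p, secret, sizeof secret);            /* adjacent heap contents */
    return (size_t)(p - server_mem);
}

typedef int (*hb_handler)(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap);

/* Echo `payload` bytes starting at `pl` into a HeartbeatResponse and return its
 * length. `payload` is whatever the calling handler decided to trust. */
static int build_response(const unsigned char *pl, unsigned int payload,
                          unsigned char *out, size_t out_cap) {
    /* Simulation-only guard so the over-read stays inside server_mem; real
     * OpenSSL had no equivalent and simply read on through the live heap. */
    if (3 + payload + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, pl, payload);                /* the echo, and the leak */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Pre-1.0.1g logic: payload_length is taken from the packet and never compared
 * with the number of bytes actually received. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap) {
    (void)rec_len;                               /* never consulted: the bug */
    unsigned char hbtype = rec[0];
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];
    if (hbtype != HB_REQUEST) return -1;
    return build_response(rec + 3, payload, out, out_cap);
}

/* 1.0.1g logic: silently discard any record whose claimed payload, plus the
 * 3-byte header and minimum padding, does not fit in the bytes received. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap) {
    if (1 + 2 + HB_PADDING > rec_len) return 0;           /* record too short */
    unsigned char hbtype = rec[0];
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0; /* the added check */
    if (hbtype != HB_REQUEST) return -1;
    return build_response(rec + 3, payload, out, out_cap);
}

/* Send a 5-byte "hello" whose header claims claimed_len bytes through the given
 * handler. Returns the response length, or 0 if the record was discarded. */
static int run_probe(hb_handler handler, uint16_t claimed_len, unsigned char *out) {
    static const unsigned char hello[] = "hello";
    size_t rec_len = stage_request(claimed_len, hello, 5);
    return handler(server_mem, rec_len, out, MEM_SIZE);
}

static int response_length(hb_handler handler, uint16_t claimed_len) {
    unsigned char out[MEM_SIZE];
    return run_probe(handler, claimed_len, out);
}

/* 1 if the planted secret appears anywhere in the handler's response. */
static int response_leaks_secret(hb_handler handler, uint16_t claimed_len) {
    unsigned char out[MEM_SIZE];
    int n = run_probe(handler, claimed_len, out);
    size_t m = strlen(secret);
    for (size_t i = 0; n > 0 && i + m <= (size_t)n; i++)
        if (memcmp(out + i, secret, m) == 0) return 1;
    return 0;
}

int main(void) {
    printf("vulnerable: %d-byte response, secret leaked: %d\n",
           response_length(heartbeat_vulnerable, 100),
           response_leaks_secret(heartbeat_vulnerable, 100));
    printf("fixed:      %d-byte response, secret leaked: %d\n",
           response_length(heartbeat_fixed, 100),
           response_leaks_secret(heartbeat_fixed, 100));
    return 0;
}
```

With an honest request (a claimed length of 5 for the 5-byte "hello") both handlers answer with the same 24-byte response; only when the claimed length exceeds what was received does the old code echo memory past the record while the fixed code drops the request, which is what the 1.0.1g patch does.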

Websites reported as vulnerable to Heartbleed, or as possibly having been vulnerable at some point, include:

  • Apple

  • Amazon

  • Facebook

  • Flickr

  • Google

  • Imgur

  • Microsoft

  • Twitter

  • Wikipedia

  • Yahoo

Codenomicon launched a dedicated Heartbleed website, heartbleed.com, that provides a complete breakdown of the security bug. To stop Heartbleed, the site offers the following recommendation:

“As long as the vulnerable version of OpenSSL is in use, it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distributions, appliance vendors [and] independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.”

Deploying the fixed OpenSSL is only the first step. Because the leaked memory may have contained the server's private key, the same site advises that recovery also requires revoking the compromised keys and reissuing certificates, after which users should change passwords that may have been exposed.

A recent survey conducted by PerspecSys at the RSA Conference provided more insight into how businesses view cloud security. Meanwhile, numerous cloud security solutions are available for businesses, including Skyfence's Cloud Gateway and Fujitsu's Cloud End User Protect.


About the Author(s)

Dan Kobialka

Contributing writer, Penton Technology

Dan Kobialka is a contributing writer for MSPmentor and Talkin' Cloud. In the past, he has produced content for numerous print and online publications, including the Boston Business Journal, Boston Herald and Patch.com. Dan holds a M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State College (now Bridgewater State University). In his free time, Kobialka enjoys jogging, traveling, playing sports, touring breweries and watching football (Go Patriots!).  
