The Heartbleed bug has put millions of computer users across the globe at risk of having their credit card data, bank passwords and personal information accessed by hackers. Do how are Indian organisations addressing a particularly hard vulnerability to fix?
The bug is a vulnerability in the widely-used OpenSSL cryptographic software library. The weakness makes it easier for criminals to steal information that is normally protected by the SSL/TLS encryption used to secure the internet. SSL/TLS provides communication security and privacy for applications such as email, instant messaging and some virtual private networks (VPNs).
According to Forrester Research, 50% of all external-facing web servers use OpenSSL in some form. Although OpenSSL is used on about two-thirds of all web servers, the Heartbleed bug has gone undetected for about two years. Hackers can use the bug to steal encryption keys and user data, which may include passwords and personal data.
Manatosh Das, security analyst at Forrester Research in India, described the bug as “catastrophically bad”.
“The scale of the damage might never be known, but the bug is thought to be the most serious uncovered in recent years,” he said. “This isn’t a simple bug in any application that can be fixed easily. The vulnerability is on the web servers that transmit secure information on the world wide web, such as banking and e-commerce websites.”
Read more about Heartbleed
Das said the bug would lead to many data breaches across the globe. “Government and enterprise websites will be under cyber attack and private data will be exposed, putting organisations at risk of [breaching] data privacy laws,” he added.
“This vulnerability is hard to fix. Even if a server is patched, private keys may have been compromised before the fix, allowing vulnerabilities to linger.”
Indian recruitment portal Naukri.com confirmed its websites have been attacked this month. It has taken the precautionary step of instructing users to change their passwords.
KK Mokhey, director of security company NII Consultancy, said most of his firm’s clients in India had already taken the necessary steps of first identifying the servers that might be vulnerable and then working with system and application suppliers to apply the necessary patch.
“A lot of enterprise customers do not have their web servers directly exposed, but are protected behind either an SSL load balancer or a web application firewall,” he said. “As such, suppliers of these technologies have either confirmed that the current version is not vulnerable or have supplied a patch urgently.”
Abhay Dhanorkar, director of Indian website development company Softmass, said many of the websites his firm hosts on its infrastructure have confidential data. “To give reasonable assurance to our clients, we have chalked down an infallible approach to identify the vulnerable systems and patching them systematically,” he said. “So far, we have not witnessed any anomalies or alerts by the firewalls and IDS/IPS systems guarding our infrastructure.”
The best approach for most companies is to first identify the areas where SSL /TLS encryption is deployed. The affected servers and systems should then be identified and patched. A tool has been developed to identify vulnerable websites.
Also, the companies servicing end users should inform them of the potential risk and encourage them to change their passwords. There is little users themselves can do to solve the problem.