Heartbleed bug

Posted on 11 April 2014

Earlier this week the “Heartbleed Bug” became a news headline. Despite its prominence in the news, many are left wondering exactly what the bug is and how it may affect them.

The Heartbleed bug is an extremely serious vulnerability in the widely used Open Source cryptographic software library, OpenSSL.

Over half a million websites that you likely interact with on a regular basis employ the OpenSSL TLS heartbeat extension, including Twitter, Yahoo, GitHub, Tumblr and Steam.

The vulnerability allows a malicious attacker to extract 64kb of memory at any one time.

In a world where it is not uncommon for the average Joe to have a 1 terabyte hard drive in their pocket, “64kb” may not sound like a lot… But believe us, 64 kilobytes is more than enough for a malicious attacker to extract extremely sensitive information (such as usernames, passwords and financial data) from a server’s memory.
The vulnerability can also be exploited to extract a server’s private key, which can then be used to decrypt all communications.

In short, it is the worst security vulnerability we have seen to date.

In addition, the vulnerability has been in circulation for an extremely long time – it was first introduced to the software library on the 31st of December 2011.
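
The 64kb figure comes from the heartbeat message itself: a request carries a 2-byte length field for the payload the peer should echo back, and the vulnerable code trusted that field instead of the number of bytes actually received. The following is an added example (not OpenSSL's code and not part of the original post) of the bounds check a heartbeat handler needs, using the RFC 6520 message layout; `hb_build_response` and the sample records are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request message type (RFC 6520) */
#define HB_RESPONSE 2   /* heartbeat_response message type */
#define HB_HDR_LEN  3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PAD  16  /* minimum padding every message must carry */

/* Hypothetical helper: echo the payload of one received heartbeat message.
 * Returns the bytes written to out (type + length + payload; the caller
 * appends padding), or 0 when the message must be silently discarded. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec == NULL || out == NULL || rec_len < HB_HDR_LEN + HB_MIN_PAD)
        return 0;
    if (rec[0] != HB_REQUEST)
        return 0;

    /* Length the sender claims: 16 bits, so at most 65535 bytes (~64kb). */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The check that matters: the claim must fit in what was received. */
    if (HB_HDR_LEN + claimed + HB_MIN_PAD > rec_len)
        return 0;
    if (HB_HDR_LEN + claimed > out_cap)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, claimed);
    return HB_HDR_LEN + claimed;
}

/* Constructed samples: 23-byte records, payload "ping", zero padding. */
static const uint8_t sample_ok[23]        = {1, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t sample_overclaim[23] = {1, 0xFF, 0xFF, 'p', 'i', 'n', 'g'};

int main(void)
{
    uint8_t out[64];
    printf("honest request:    %zu bytes echoed\n",
           hb_build_response(sample_ok, sizeof sample_ok, out, sizeof out));
    printf("over-long length:  %zu bytes echoed\n",
           hb_build_response(sample_overclaim, sizeof sample_overclaim, out, sizeof out));
    return 0;
}
```

Without the comparison against `rec_len`, the copy would read past the received message into whatever the process has next to it in memory, which is how passwords and key material end up in a response.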

What have we done?

We have scanned all services and devices. Our web servers and OpenVPN server installations do not use the version of OpenSSL affected by Heartbleed.

The tools we used:

OpenVPN: https://github.com/falstaff84/heartbleed_test_openvpn

Webserver installations: https://sslabs.com 

Manual checks were done on all other equipment such as Cisco routers.

What should you do?

It's possible that you use the same password across multiple services. If you're sharing your VPNSecure account password with a vulnerable website, we suggest that you log in to your account and update your password. Once you update your password, if you're using our OpenVPN service, your keys will automatically regenerate with the new password.

You can see a list of the top 1000 websites affected at the link below:

https://zmap.io/heartbleed/