HeartbleedLast week, security researchers revealed details about a dangerous security flaw known as Heartbleed. The security flaw enables cybercriminals to access and steal data from compromised versions of OpenSSL, which is used to secure communications on many major websites on the Internet.

Since the vulnerability was disclosed, there’s been a lot of concern regarding what information can be stolen when the bug is exploited. When Security Watch conducted research to learn more, the results were alarming. According to researchers, a surprising amount of information, including login credentials and personal information, can be stolen by exploiting Heartbleed.

In addition, hackers may be able to steal the server’s private key, which is used to verify the following:

  • The device is connecting to a real website.
  • The information transferred is encrypted.

If the security flaw allows hackers to steal the server’s private key, the consequences are seriously concerning. Cybercriminals would be able to set up fake websites to intercept personal data, as well as decrypt encrypted network traffic.

Security Watch Puts Heartbleed to the Test!

Security Watch researchers were curious to see what type of information could be stolen by exploiting Heartbleed with a server running a vulnerable version of OpenSSL. During the test, researchers received information from the vulnerable server’s memory. After running tests for the entire day, Security Watch managed to collect a lot of information, including usernames, passwords, and session IDs.

According to one of the researchers, credentials can be stolen very easily and quickly, however, the request had to hit the server at the same time as someone logs in or interacts with the website, in order to steal personal information.

During a second test, researchers attempted to steal the private key from a vulnerable server. While it took hours and consumed a ton of bandwidth, the researchers were eventually successful at obtaining the private key.

For more details on Security Watch’s Test, visit http://securitywatch.pcmag.com/security/322691-heartbleed-is-scarily-easy-to-exploit. To learn more about Heartbleed, give us a call at (415) 294-5250 or send us an email at info@ontimetech.com. On Time Tech can help you informed regarding the latest security threats and how to protect your business.

Author: Lance Stone, Date: 2014-04-24