OpenSSL is an open-source implementation of the SSL/TLS protocols, used by many websites to encrypt Internet communications.
A vulnerability in OpenSSL, known as Heartbleed, has been discovered that could allow the exposure of sensitive information, including passwords, financial data and other records.
On April 10, 2014, the Threat Based Cyber Alert Level was evaluated and raised to Orange (High) from Blue (Guarded) due to the "Heartbleed" vulnerability identified in OpenSSL. At this level, malicious activity has been identified with potential for a major level of disruption. In addition, there are credible reports that the OpenSSL vulnerability is currently being exploited to obtain sensitive data including private keys, user credentials and authentication cookies from vulnerable servers.
The OpenSSL vulnerability could allow an attacker to read sensitive data in memory on server and client machines.
It is recommended that organizations take the following steps immediately, in this order:
- Patch all vulnerable OpenSSL systems. After installing the patched library, restart every service that had loaded the old one (web servers, mail servers, VPN concentrators, and so on); a process started before the upgrade keeps the vulnerable code in memory until it is restarted.
- Revoke and reissue the TLS certificates of affected servers, generating new private keys. Reissuing a certificate on the old key gives no protection if that key was already read from memory, and the new key must be generated only after the server is patched, or it can be exposed the same way.
- Force password changes for all impacted accounts once the affected systems have been patched and their certificates reissued, so that the new passwords are not exposed in turn.
- Be alert for phishing scams. Phishing campaigns related to this vulnerability have been reported that attempt to lure victims to credential-stealing sites. If you need to change your password, type the organization's URL into a browser and do not click on links in emails that ask you to reset your password.
- Provide user awareness training on the threats posed by attachments and hypertext links in emails, especially those from untrusted sources.
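The patching step above, as an added worked example (this is not code from the original advisory): a Python script that classifies an `openssl version` banner against the affected upstream range (1.0.1 through 1.0.1f and 1.0.2-beta1 are vulnerable; 1.0.1g and 1.0.2-beta2 carry the fix; 0.9.8 and 1.0.0 never implemented the heartbeat extension) and parses `lsof -n` output to find processes still holding a deleted, pre-upgrade libssl or libcrypto in memory, which is why services must be restarted after the package update. The lsof lines embedded below are constructed sample output, not captured from a real host. Caveat: Debian, Ubuntu and Red Hat shipped the fix as a backport without changing the version string, so a "vulnerable" verdict from the banner must be confirmed against the package changelog (for example `rpm -q --changelog openssl | grep CVE-2014-0160`) or a live test of the service.

```python
import re
import ssl

# Affected range per the OpenSSL advisory: 1.0.1 through 1.0.1f and
# 1.0.2-beta1 are vulnerable; 1.0.1g and 1.0.2-beta2 carry the fix.
# 0.9.8 and 1.0.0 never implemented the heartbeat extension.
VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.IGNORECASE
)


def heartbleed_status(banner):
    """Classify an `openssl version` banner (or ssl.OPENSSL_VERSION).

    Returns 'vulnerable', 'fixed', 'not_affected' or 'unknown'.  A
    'vulnerable' verdict is an upstream-version verdict only: distro
    packages that backported the fix keep the old version string.
    """
    m = VERSION_RE.search(banner)
    if not m:
        return "unknown"
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4).lower()
    beta = int(m.group(5)) if m.group(5) else None
    if branch < (1, 0, 1):
        return "not_affected"
    if branch == (1, 0, 1):
        # "" (plain 1.0.1) and "a".."f" sort before "g"
        return "vulnerable" if letter < "g" else "fixed"
    if branch == (1, 0, 2) and beta is not None and beta < 2:
        return "vulnerable"
    return "fixed"


def stale_libssl_processes(lsof_output):
    """Find processes that mapped a libssl/libcrypto file which has since
    been replaced on disk; lsof reports such mappings with FD 'DEL'.
    Input is the text of `lsof -n`; returns sorted (command, pid) pairs.
    These processes still execute the pre-patch code until restarted.
    """
    found = set()
    for line in lsof_output.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        command, pid, fd, path = fields[0], fields[1], fields[3], fields[-1]
        if fd == "DEL" and re.search(r"lib(ssl|crypto)\.so", path):
            found.add((command, int(pid)))
    return sorted(found)


# Constructed sample of `lsof -n` output (not captured from a real host):
# nginx was started before the libssl package was upgraded, sshd after it.
SAMPLE_LSOF = """\
COMMAND  PID USER  FD   TYPE DEVICE SIZE/OFF    NODE NAME
nginx   1842 root  DEL  REG  253,0           1310737 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
nginx   1842 root  mem  REG  253,0   431368 1310739 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
sshd     912 root  mem  REG  253,0   387264 1310741 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
"""

if __name__ == "__main__":
    # Check the OpenSSL this Python interpreter is linked against.
    print("local:", ssl.OPENSSL_VERSION, "->", heartbleed_status(ssl.OPENSSL_VERSION))
    for cmd, pid in stale_libssl_processes(SAMPLE_LSOF):
        print("restart needed:", cmd, pid)
```

On a real host, feed `stale_libssl_processes` the output of `lsof -n` run as root; any process it lists is still serving traffic with the old library and must be restarted (or the host rebooted) before the certificate and password steps are worth doing.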
Home Users: What should you do?
- Check to see if any websites you have accounts on are vulnerable:
  - "Heartbleed Hit List" (http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/): a listing of some popular websites and their vulnerability status
  - "Heartbleed Test" (http://filippo.io/Heartbleed/): a tool for checking the status of an individual website
- Change passwords for all online accounts and e-mail, giving first priority to critical accounts. Change each password only once the site has confirmed it is patched: a new password entered on a still-vulnerable site can be exposed just like the old one.
- Be alert for phishing scams. CIS has received reports of phishing campaigns related to this vulnerability that attempt to lure victims to credential-stealing sites. If you need to change your password, type the organization's URL into a browser and do not click on links in emails that ask you to reset your password.