Heartbleed OpenSSL Security Flaw Puts Corporate Cloud Data at Risk
Cybercriminals are using Heartbleed, an OpenSSL Web server security flaw, to access credit card information, e-mails and passwords that are stored in the cloud. What is being done to stop Heartbleed? And how can companies manage cloud security risks in the future?
Google (GOOG) and Finnish security firm Codenomicon released details this week about Heartbleed, a major online security flaw that affects OpenSSL Web servers. Heartbleed allows cybercriminals to access website data and visitors’ personal information, including credit cards, e-mails and passwords that are stored in the cloud.
Heartbleed leaves no record in an attacked Web server’s logs, which makes it impossible to tell exactly how many websites may have been exploited through it. Heartbleed went undetected for more than two years, and it could have affected thousands of OpenSSL Web servers across the globe. The U.S. Department of Homeland Security yesterday warned businesses about Heartbleed and asked them to review their Web servers to find out whether they are running vulnerable versions of OpenSSL.
According to The Economist, up to two-thirds of the world’s websites are vulnerable to Heartbleed attacks. The affected OpenSSL code has been available since March 2012, and it contained a serious coding error in a feature that lets a computer at one end of an encrypted link send a signal to the computer at the other end to check that it is still online. Google and Codenomicon found that attackers could exploit this coding error by manipulating that signal and reading the contents of an OpenSSL Web server’s memory.
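The coding error described above, as an added illustration that is not code from the article, Google, Codenomicon or OpenSSL: the simplified record layout, the arena and the handler names are assumptions. The vulnerable handler trusts the payload length the peer declares in the signal, so its copy runs past the bytes that actually arrived into neighbouring memory; the fixed handler checks the declared length against the received length first.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed layout of a simplified heartbeat record (an assumption, not the
 * real TLS encoding): [type:1][payload_len:2, big-endian][payload:payload_len]. */
#define HB_HDR 3
#define ARENA_LEN 64

/* Vulnerable pattern: the handler trusts payload_len from the peer and never checks
 * it against rec_len, the number of bytes that actually arrived, so the copy runs
 * past the record into whatever follows it in memory. Returns bytes copied. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                   uint8_t *out, size_t out_len) {
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                       /* received length is ignored: the bug */
    if (payload_len > out_len) return 0; /* response buffer sizing is not the flaw */
    memcpy(out, rec + HB_HDR, payload_len);
    return payload_len;
}

/* Fixed pattern: discard the record when the declared length does not fit inside
 * the bytes received. Returns 0 and copies nothing for a malformed record. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_len) {
    if (rec_len < HB_HDR) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)payload_len + HB_HDR > rec_len) return 0;
    if (payload_len > out_len) return 0;
    memcpy(out, rec + HB_HDR, payload_len);
    return payload_len;
}

/* Builds a constructed memory arena: a heartbeat whose header claims 40 bytes but
 * carries only 4, followed by unrelated data standing in for neighbouring buffers.
 * Keeping everything inside one array lets the over-read run without undefined
 * behaviour. Returns the number of bytes the "peer" actually sent. */
static size_t build_demo_arena(uint8_t *arena) {
    const char *neighbour = "other-session: user=alice token=s3cr3t"; /* constructed */
    memset(arena, 0, ARENA_LEN);
    arena[0] = 1;                  /* type: heartbeat request */
    arena[1] = 0; arena[2] = 40;   /* declared payload length: 40 */
    memcpy(arena + HB_HDR, "ping", 4);
    memcpy(arena + HB_HDR + 4, neighbour, strlen(neighbour));
    return HB_HDR + 4;
}
```

With the constructed arena, the vulnerable handler returns 40 bytes that include the neighbouring session data, while the fixed handler discards the record; correcting the header to the 4 bytes actually sent makes the fixed handler return "ping".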
The websites that currently are or might have once been vulnerable to Heartbleed attacks include:
Apple
Amazon
Facebook
Flickr
Google
Imgur
Microsoft
Twitter
Wikipedia
Yahoo
Google and Codenomicon launched a dedicated Heartbleed website that provides a complete breakdown of the security bug. To stop Heartbleed, Google and Codenomicon offered the following recommendation:
“As long as the vulnerable version of OpenSSL is in use, it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distributions, appliance vendors [and] independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.”
A recent survey conducted by PerspecSys at the RSA Conference provided more insight into how businesses view cloud security. Meanwhile, numerous cloud security solutions are available for businesses, including Skyfence’s Cloud Gateway and Fujitsu’s Cloud End User Protect.