Heartbleed: A Note from Lookout
Remember that time a vulnerability left two-thirds of the Internet wide open to attack? Yeah, that happened Monday. The issue is called Heartbleed, a critical bug in “OpenSSL” -- software that roughly two-thirds of the Internet uses to keep connections secure. Lookout’s main website was not affected by the vulnerability; however, some of Lookout’s other Internet-facing infrastructure was. We took care to protect our users as soon as possible, patching our systems within hours of the bug’s public disclosure. In short, Lookout users do not need to worry about this flaw: they are already protected.
What is Heartbleed?
Heartbleed is a software flaw in the OpenSSL “Heartbeat” function, which helps keep secure connections alive. The function was found to be vulnerable to manipulation in a way that allows an attacker to steal up to 64K of data at a time from the active memory of an affected system. The bug, found by researchers from Codenomicon and Google and tracked as CVE-2014-0160, impacts any infrastructure that includes the affected versions of OpenSSL.
Why is this so bad?
What the researchers found is that when you grab up to 64K of memory from an affected server or client, you are likely to pick up a lot of highly sensitive data. Most concerning, the bug often exposed the “secret keys” for the SSL certificates associated with the affected system. Once those keys are exposed, the certificate is vulnerable to tampering and can no longer be trusted. As a result, not only does OpenSSL need to be patched, but approximately two-thirds of the Internet will need to change its SSL certificates as a precautionary measure. Complete technical details of exactly how this bug works can be found in this blog.
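To make concrete what the Heartbeat flaw described above is, here is an added example written for this note (it is not OpenSSL's code and not Lookout's) that models a heartbeat message inside a small simulated memory buffer. The vulnerable handler trusts the 16-bit length field in the message header, which is why up to 64K can come back per request; the patched handler applies the same bounds check the OpenSSL fix introduced, requiring the declared payload plus header and padding to fit inside the record that actually arrived. The memory layout, the secret string and the message contents are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a TLS heartbeat message (RFC 6520 layout, simplified):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (16 bytes)
 * The message is assumed to have been received and placed in simulated memory. */
#define HB_REQUEST 1
#define HB_PADDING 16
#define MEM_SIZE   4096

/* Simulated process memory: the received record sits at the front, and an
 * unrelated constructed secret follows it, the way key material or another
 * session's data might sit next to a buffer in a real server's heap. */
static unsigned char g_memory[MEM_SIZE];
static unsigned char g_response[MEM_SIZE];
static const char k_secret[] = "CONSTRUCTED-SECRET-KEY-MATERIAL";

/* Builds a heartbeat request whose header claims `claimed_len` payload bytes
 * while the peer actually sent `real_len` bytes. Returns the true record length. */
size_t build_request(uint16_t claimed_len, size_t real_len) {
    size_t max_real = MEM_SIZE - 3 - HB_PADDING - sizeof k_secret;
    if (real_len > max_real) real_len = max_real;    /* keep the simulation in bounds */
    memset(g_memory, 0, sizeof g_memory);
    g_memory[0] = HB_REQUEST;
    g_memory[1] = (unsigned char)(claimed_len >> 8);
    g_memory[2] = (unsigned char)(claimed_len & 0xff);
    memset(g_memory + 3, 'A', real_len);             /* bytes the peer really sent */
    size_t record_len = 3 + real_len + HB_PADDING;
    memcpy(g_memory + record_len, k_secret, sizeof k_secret); /* adjacent, unrelated data */
    return record_len;
}

static uint16_t declared_length(void) {
    return (uint16_t)((g_memory[1] << 8) | g_memory[2]);
}

/* Vulnerable handler: echoes back as many bytes as the header declares, never
 * comparing that number with the size of the record that actually arrived. */
int handle_vulnerable(size_t record_len) {
    (void)record_len;                                /* the bug: this is never consulted */
    uint16_t payload = declared_length();
    if (3 + (size_t)payload > MEM_SIZE) return -1;   /* fence of the simulation only; real code had none */
    memcpy(g_response, g_memory + 3, payload);
    return payload;
}

/* Patched handler: the declared payload plus header and padding must fit inside
 * the received record, otherwise the message is silently discarded. */
int handle_patched(size_t record_len) {
    uint16_t payload = declared_length();
    if (1 + 2 + (size_t)payload + HB_PADDING > record_len) return -1;
    memcpy(g_response, g_memory + 3, payload);
    return payload;
}

static int contains(const unsigned char *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Runs one heartbeat through the chosen handler and reports what came back:
 *  -1  request rejected
 *   0  response held only the peer's own bytes
 *   1  response also carried the unrelated secret (memory disclosure) */
int run_heartbeat(uint16_t claimed_len, size_t real_len, int patched) {
    size_t record_len = build_request(claimed_len, real_len);
    int n = patched ? handle_patched(record_len) : handle_vulnerable(record_len);
    if (n < 0) return -1;
    return contains(g_response, (size_t)n, k_secret);
}

int main(void) {
    printf("vulnerable, claims 200 bytes but sent 4: %d\n", run_heartbeat(200, 4, 0));
    printf("patched,    claims 200 bytes but sent 4: %d\n", run_heartbeat(200, 4, 1));
    printf("patched,    honest 4-byte request:       %d\n", run_heartbeat(4, 4, 1));
    return 0;
}
```

The point to take away for review of similar code: the record length was already known to the receiver, so the defect is not a missing feature but a length field from the peer being trusted over a length the server had measured itself. Any parser that copies "as many bytes as the header says" should be checked against the size of what was actually received.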
What should users do to protect themselves?
As mentioned above, you are completely safe when you visit the Lookout website or use any of our mobile services -- our web infrastructure was not impacted by the flaw, and we have already patched all other vulnerable systems. As a precautionary measure we have also replaced all SSL certificates that may have been exposed by this flaw. Separately, we strongly advise anyone responsible for Internet infrastructure to check whether an update has been released for their systems and to apply it as quickly as possible.
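For the "check whether an update has been released" step, here is an added example (not Lookout's tooling) that classifies an `openssl version` banner against the releases the OpenSSL advisory lists as affected: 1.0.1 through 1.0.1f and 1.0.2-beta1, with 1.0.1g being the first fixed 1.0.1 release. The banners used in `main` are constructed test inputs.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Classifies an `openssl version` banner such as "OpenSSL 1.0.1e 11 Feb 2013".
 * Returns 1 = affected by CVE-2014-0160, 0 = not affected (fixed release or a
 * branch the advisory does not list), -1 = banner could not be parsed. */
int heartbleed_status(const char *banner) {
    int major, minor, patch, consumed = 0;
    if (sscanf(banner, "OpenSSL %d.%d.%d%n", &major, &minor, &patch, &consumed) != 3)
        return -1;
    const char *suffix = banner + consumed;   /* e.g. "e 11 Feb 2013" or "-beta1 ..." */

    if (major != 1 || minor != 0) return 0;   /* 0.9.8 and other branches: not listed */

    if (patch == 1) {                         /* the 1.0.1 series */
        char letter = suffix[0];
        if (letter == '\0' || isspace((unsigned char)letter)) return 1;  /* plain 1.0.1 */
        if (letter >= 'a' && letter <= 'f') return 1;                     /* 1.0.1a .. 1.0.1f */
        if (letter >= 'g' && letter <= 'z') return 0;                     /* 1.0.1g and later */
        return -1;
    }
    if (patch == 2)                           /* only the first 1.0.2 beta was affected */
        return strncmp(suffix, "-beta1", 6) == 0 ? 1 : 0;
    return 0;                                 /* 1.0.0 series: not affected */
}

int main(void) {
    /* Constructed sample banners for illustration. */
    const char *samples[] = {
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "OpenSSL 1.0.0l 6 Jan 2014",
        "OpenSSL 0.9.8y 5 Feb 2013",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s -> %d\n", samples[i], heartbleed_status(samples[i]));
    return 0;
}
```

Treat a result of 1 as a prompt to confirm rather than a verdict: Linux distributions commonly backport the fix into a package that still reports the old upstream version string (a patched package built from 1.0.1e, for example), so on such systems consult the package changelog or the vendor advisory instead of the banner alone. Also remember that an updated library only takes effect in services that are restarted after it is installed.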