heartbleed

Imagine walking into your bank with a 1000 post-it notes, handing them to the teller and asking him or her to write down your credit card number for you. In theory, only one post-it note is needed to write down one credit card number. However, since you gave the teller 1000 post-it notes, the teller fills in the rest of the post-it notes with other credit card numbers. This is a gross oversimplification, but hopefully this gives you an idea of the severity of the issue.

With the Heartbleed bug, evildoers can send a maliciously crafted ‘heartbeat’ message that is only 1 byte in size to a secure server, but fool the server into thinking that it is any other (larger) size. When the server responds, it fills in the gap with additional data from memory, causing the leak.
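The mechanism described above, shown in working code as an added example (this is not code from the original post, from 55 Minutes, or from OpenSSL itself). It uses the simplified heartbeat layout from RFC 6520 (type byte, two-byte big-endian payload length, payload, at least 16 bytes of padding), a constructed 64-byte "arena" that stands in for process memory, and a `heartbeat_response` function whose `enforce_bounds` flag switches between trusting the peer's length field and applying a check of the same form as the one added in OpenSSL 1.0.1g; all names and the sample "SECRET" bytes are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified TLS heartbeat message layout (RFC 6520):
 *   byte 0     : type (1 = request, 2 = response)
 *   bytes 1-2  : payload_length, big-endian
 *   bytes 3... : payload, followed by at least 16 bytes of padding
 */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HEADER    3
#define HB_PADDING   16

/*
 * Build the heartbeat response for a received request.
 *   rec/rec_len    : the bytes the record layer actually delivered
 *   enforce_bounds : 1 = apply the length check of the kind added in
 *                        OpenSSL 1.0.1g, 0 = trust the peer's length field
 *                        (the pre-fix behaviour)
 * Returns the response length written to out, or -1 if the request is rejected.
 */
int heartbeat_response(const uint8_t *rec, size_t rec_len, int enforce_bounds,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER || rec[0] != HB_REQUEST)
        return -1;

    /* Length the peer *claims* its payload has; nothing stops it from lying. */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    size_t resp_len = HB_HEADER + payload_len + HB_PADDING;

    /* The Heartbleed fix: claimed payload, header and padding must all fit
     * inside the record that was actually received. */
    if (enforce_bounds && resp_len > rec_len)
        return -1;

    if (resp_len > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    /* Without the check above this copies payload_len bytes starting at the
     * payload, regardless of how many bytes the record really contained. */
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    return (int)resp_len;
}

/* Byte-string search; memmem() is not portable. */
static int contains(const uint8_t *hay, size_t hay_len,
                    const char *needle, size_t needle_len)
{
    for (size_t i = 0; i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0)
            return 1;
    return 0;
}

/*
 * Constructed demonstration. A 64-byte arena stands in for the process heap:
 * the first 20 bytes are a heartbeat request carrying a 1-byte payload, and
 * the bytes after it are unrelated data that must never leave the server.
 * The request's length field claims 40 bytes. Returns 1 if the unrelated
 * data shows up in the response, 0 otherwise.
 */
int secret_leaked(int enforce_bounds)
{
    uint8_t arena[64] = {0};
    const size_t record_len = HB_HEADER + 1 + HB_PADDING;  /* 20 bytes really sent */

    arena[0] = HB_REQUEST;
    arena[1] = 0x00;
    arena[2] = 0x28;              /* claims 40 bytes of payload ... */
    arena[3] = 'A';               /* ... but only this one byte is present */
    /* arena[4..19] is the padding; arena[20..] is "other memory" */
    memcpy(arena + record_len, "SECRET", 6);   /* constructed sensitive data */

    uint8_t out[128];
    int n = heartbeat_response(arena, record_len, enforce_bounds, out, sizeof out);
    if (n < 0)
        return 0;                 /* request rejected, nothing copied */
    return contains(out, (size_t)n, "SECRET", 6);
}

/* A well-formed 1-byte request is still answered once the check is in place. */
int honest_request_response_len(void)
{
    uint8_t rec[HB_HEADER + 1 + HB_PADDING] = {0};
    uint8_t out[64];
    rec[0] = HB_REQUEST;
    rec[2] = 0x01;                /* payload_length = 1, matching reality */
    rec[3] = 'A';
    return heartbeat_response(rec, sizeof rec, 1, out, sizeof out);
}

int main(void)
{
    printf("pre-fix server leaks memory:    %d\n", secret_leaked(0));
    printf("patched server leaks memory:    %d\n", secret_leaked(1));
    printf("patched server, honest request: %d bytes\n", honest_request_response_len());
    return 0;
}
```

The point of the example is the single comparison in `heartbeat_response`: the server must size its reply by what it actually received, not by what the peer claims, and a request whose claimed length does not fit is dropped rather than answered. The arena is only a stand-in; in a real process the bytes past the record would be whatever happened to sit next to the request buffer, which is why the post above says it is impossible to know what, if anything, was taken.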

Our amazing team of developers at 55 Minutes became aware of the issue as soon as it was made public, and we patched our servers and re-keyed our SSL certificates within a matter of hours. We are now safe and secure from this bug, and we’re happy to report that we score an A+ in our SSL implementation, according to Qualys SSL Labs.

Because exploiting the bug doesn’t involve a brute-force attack on, or a break-in to, vulnerable servers, it is virtually impossible to determine whether data may have been compromised. We’ll continue to monitor the Heartbleed Bug and any other security-related announcements, and stay on top of any changes required to maintain the utmost security possible in our environment. Monkey Box was previously using a potentially vulnerable version of OpenSSL, and like most providers who quickly remediated the issue, we’ve asked all our users to change their Monkey Box login passwords as soon as possible.

For a fairly simple write-up of the Heartbleed bug, see this explanation. Also, here is a link to CNET, who are keeping track of major websites and their progress in getting things patched. Troy Hunt provides a fairly detailed technical explanation here.

We welcome you to contact us if you have any questions about our security efforts, implementation, or how you may be affected by the bug.
