Australian Pharmacist, June 2014. ©Pharmaceutical Society of Australia Ltd.
The Heartbleed incident recently received much media coverage. What does it all mean, and should we actually have listened to those U2 lyrics back in 2000?
A bleeding bug
Heartbleed is the name given to a bug in a particular piece of security software code that is used extensively across the internet. The software is open source and sits in the layer of software that secures messages while they are in transit across the internet. The specific section of the software that had the bug dealt with keeping a secure connection open and alive without having to reconnect each time, and this was done with a heartbeat. An issue with the heartbeat was somehow subsequently termed a Heartbleed.
The bleeding source
Open source software is computer software freely available for use by anyone, and it includes the actual source code that was created by the developers. It has obvious cost savings, but it also means that potentially useful pieces of software code can be used by numerous people to do similar tasks. High-profile examples of open source code are the Linux operating system, the Mozilla Firefox internet browser, and more recently the software involved in the Heartbleed issue.
The bleeding details
The open source software involved in the Heartbleed issue is OpenSSL. Dropping into the technical details, this software is one way to implement secure communications such as SSL (Secure Sockets Layer) and TLS (Transport Layer Security), often used in secure web servers. OpenSSL is also used widely in email and web transactions. The vulnerability essentially allowed anyone to read the contents of memory of affected computers, which would often contain the information needed to unlock communications to and from that computer (both previous and future). Unfortunately this access could be gained without anyone knowing and without leaving any trace that security had been compromised.
The best description of the bug was in a four-section comic (put ‘Heartbleed comic’ into your favourite search engine), but essentially it goes like this: the user says to the server ‘Are you still there? If so, reply with “potato” with 6 letters’. The server would respond with the word ‘potato’. The bug meant that the user could also ask ‘Are you still there? If so, reply with “hat” with 500 letters’, and the server would respond with “hat” plus 497 extra characters from its memory. These extra characters would potentially contain the keys or even passwords used in secure communication.
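The exchange above, modelled as an added Python example (not code from the article or from OpenSSL): a buggy handler that trusts the length declared in the request, beside the corrected handler that drops any request whose declared length exceeds the bytes that actually arrived. The memory layout, the leftover secrets and all names are constructed for illustration.

```python
# Toy model of the heartbeat bug described in the article. Nothing here is
# OpenSSL code; buffer contents and "secrets" are constructed for the demo.

MEMORY_SIZE = 4096

# Data that an earlier connection left behind in the same buffer (constructed).
LEFTOVER = b"|session_key=CONSTRUCTED-KEY-0001|user=alice pass=hunter2|"


def load_request(payload: bytes) -> bytearray:
    """Place a heartbeat payload at the front of a buffer that still holds
    leftover data from earlier use, the way a reused heap buffer would."""
    memory = bytearray(MEMORY_SIZE)
    memory[:len(payload)] = payload
    memory[len(payload):len(payload) + len(LEFTOVER)] = LEFTOVER
    return memory


def heartbeat_vulnerable(memory: bytearray, payload: bytes, declared_len: int) -> bytes:
    """Buggy handler: echoes declared_len bytes from where the payload sits,
    trusting the length field in the request rather than the bytes received."""
    return bytes(memory[:declared_len])


def heartbeat_fixed(memory: bytearray, payload: bytes, declared_len: int):
    """Corrected handler: the declared length may not exceed the payload that
    actually arrived; a mismatched request is discarded without a reply."""
    if declared_len > len(payload):
        return None
    return bytes(memory[:declared_len])


def leaked_bytes(reply: bytes, payload: bytes) -> bytes:
    """Everything in a reply beyond the echoed payload is leaked memory."""
    return reply[len(payload):]


def run(handler, payload: bytes, declared_len: int):
    """Load one request into fresh memory and hand it to the given handler."""
    return handler(load_request(payload), payload, declared_len)


if __name__ == "__main__":
    # Honest request: "reply with 'potato' with 6 letters"
    print(run(heartbeat_vulnerable, b"potato", 6))
    # Malformed request: "reply with 'hat' with 500 letters"
    reply = run(heartbeat_vulnerable, b"hat", 500)
    print(len(reply), leaked_bytes(reply, b"hat")[:40])
    # The fixed handler refuses the same request
    print(run(heartbeat_fixed, b"hat", 500))
```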
A bleeding long time
The version of OpenSSL with the vulnerability was released in 2012, and the particular feature containing the bug was turned on by default. The vulnerability was discovered concurrently by someone at Google Security and also by a team at Codenomicon that christened the bug with its name, set up a Heartbleed website and designed the bug’s logo (yes, really!). Only computers using OpenSSL were affected by Heartbleed, and even then only those using the default heartbeat settings were affected.
settings were affected. Whilst the
Slow down my bleeding
BY JASON BRATUSKINS, MPS
Jason Bratuskins is a practising community pharmacy
proprietor with an enthusiastic interest in the
application of IT to day-to-day pharmacy. He also
works in the pharmacy IT industry on a number of
cutting-edge eHealth projects for Fred IT Group.
He can be contacted via email at: cyberpharm@
issue had widespread coverage across
the internet world, a large number of
computers were not affected due to
either having tight security protocols or
using other implementations of this part
of internet security (such as those on
Microsoft platforms). The vulnerability
affected some high profile sites such as
Instagram, Pinterest, Yahoo, LastPass,
Minecraft and sections of Google
The internet world moved quickly once Heartbleed became public. A new version of OpenSSL was released that fixed this bug, and many companies either implemented the fix if they used OpenSSL, or reassured customers that they had not been affected. The speed at which the fix was applied meant that any major security breaches had potentially been averted, although the full extent of any breaches will never really be known.
The bleeding lessons
If nothing else, Heartbleed has heightened awareness of the role of open source software in security, and has forced internet software developers to look again at their code to see if they can tighten security. The consistent advice throughout the entire event is for users to change the passwords they use over the internet, and to use strong passwords. It reinforces the need to use a password manager, particularly one that allows you to generate strong passwords and (for practicality’s sake) allows access to the password store over the internet and from mobile devices. I have previously written about Roboform and still use this as my primary password manager, and I also use LastPass; both have impressive features and are very easy to use. Now, back to that U2 song...