FEDweek IT

DHS announced last week that it had enabled its network defenses across the Executive branch to detect attempts to exploit the Heartbleed OpenSSL memory-disclosure bug, and in some cases had configured systems to block those attempts, among other steps.

The bug (CVE-2014-0160) is in OpenSSL's implementation of the TLS heartbeat extension; OpenSSL is a ubiquitous library for secure online communications, and versions 1.0.1 through 1.0.1f are affected. Without a patch, an attacker can send a vulnerable server a heartbeat request whose stated payload length is larger than the data actually sent, and the server answers with up to 64 KB (65,535 bytes) of whatever happens to sit in its memory next to the request, which could include user credentials, credit card numbers and the server's own private key. Nothing about the exchange appears in ordinary application logs, and it can be repeated without limit to build up enough memory to comb through.
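The length confusion behind the bug, as an added example in C that is not code from the article, from DHS or from OpenSSL: a simplified heartbeat handler in its pre-fix form beside the post-fix form, plus the check a network sensor can apply to a request on the wire. The `heap` array, the planted credential string and the function names are constructed for the demo; keeping the received record and the secret in one array means the over-read stays inside a real object, so the demo is defined behaviour while showing the same leak.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat record layout (RFC 6520, carried inside a TLS record):
 *   byte 0     : type, 1 = heartbeat_request, 2 = heartbeat_response
 *   bytes 1..2 : payload_length, big-endian
 *   bytes 3..  : payload_length bytes of payload, then >= 16 bytes padding
 */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HEADER = 3, HB_PADDING = 16 };

/* Largest possible response: header + 65535-byte payload + padding. */
#define HB_MAX_RESPONSE (HB_HEADER + 0xFFFF + HB_PADDING)

/* Constructed stand-in for the server's heap (not real allocator
 * memory): the received record sits at the front, and whatever follows
 * it (here a planted credential) is what an over-read hands back.
 * Claims in this demo stay well below sizeof heap. */
static unsigned char heap[512];

/* Detection rule: a request whose claimed payload does not fit in the
 * bytes actually received. It is the condition the 1.0.1g fix tests,
 * and the one a sensor can evaluate on the wire. */
int hb_is_malformed(const unsigned char *rec, size_t record_len)
{
    if (record_len < HB_HEADER) return 1;
    unsigned int claimed = ((unsigned int)rec[1] << 8) | rec[2];
    return (size_t)HB_HEADER + claimed + HB_PADDING > record_len;
}

/* Shared response builder: echoes 'payload' bytes starting at rec+3.
 * Safe only if the caller has checked 'payload' against what was
 * really received. */
static size_t hb_build_response(const unsigned char *rec, unsigned int payload,
                                unsigned char *resp)
{
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + HB_HEADER, rec + HB_HEADER, payload);
    memset(resp + HB_HEADER + payload, 0, HB_PADDING);
    return HB_HEADER + payload + HB_PADDING;
}

/* Pre-fix behaviour: trusts the length field from the wire and never
 * consults record_len, so the memcpy walks past the request into
 * adjacent memory. */
size_t hb_handle_vulnerable(const unsigned char *rec, size_t record_len,
                            unsigned char *resp)
{
    (void)record_len;
    if (rec[0] != HB_REQUEST) return 0;
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];
    return hb_build_response(rec, payload, resp);
}

/* Post-fix behaviour: silently drop the record if the claim does not fit. */
size_t hb_handle_patched(const unsigned char *rec, size_t record_len,
                         unsigned char *resp)
{
    if (hb_is_malformed(rec, record_len)) return 0;
    if (rec[0] != HB_REQUEST) return 0;
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];
    return hb_build_response(rec, payload, resp);
}

/* Lays out one scenario in the fake heap: a request carrying a single
 * payload byte 'A' but claiming 'claimed' bytes, immediately followed
 * by a planted secret. Returns the record length actually received. */
size_t hb_stage_request(unsigned int claimed)
{
    static const char secret[] = "password=hunter2"; /* constructed */
    memset(heap, 0, sizeof heap);
    heap[0] = HB_REQUEST;
    heap[1] = (unsigned char)(claimed >> 8);
    heap[2] = (unsigned char)(claimed & 0xFF);
    heap[3] = 'A';
    size_t record_len = HB_HEADER + 1 + HB_PADDING;       /* 20 bytes */
    memcpy(heap + record_len, secret, sizeof secret - 1);  /* right after it */
    return record_len;
}

/* 1 if 'needle' occurs anywhere in the first n bytes of resp. */
int hb_response_contains(const unsigned char *resp, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(resp + i, needle, m) == 0) return 1;
    return 0;
}

int main(void)
{
    static unsigned char resp[HB_MAX_RESPONSE];
    size_t len = hb_stage_request(64);            /* claims 64, sends 1 */
    size_t n = hb_handle_vulnerable(heap, len, resp);
    printf("vulnerable: %zu bytes back, secret leaked: %d\n", n,
           hb_response_contains(resp, n, "password=hunter2"));
    n = hb_handle_patched(heap, len, resp);
    printf("patched: %zu bytes back (0 = request dropped)\n", n);
    return 0;
}
```

hb_is_malformed is the wire-level signature: a heartbeat request whose 3 + payload_length + 16 exceeds the length of the TLS record carrying it. That is exactly what the 1.0.1g patch rejects, and it is something a network defense of the kind DHS described can match regardless of whether the server behind it has been patched yet.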

Additional steps taken by DHS include scanning government networks for the vulnerability, issuing technical alerts and mitigation steps, and engaging with industry partners to discuss the threat. (By now affected agencies should at the very least have updated to a fixed version of OpenSSL, 1.0.1g or later or a vendor build with the fix backported, restarted every service that had loaded the old library, generated new private keys and reissued certificates for affected applications. Rotating keys before patching is pointless, since the new key can be read out the same way.)

However, it has been reported that old certificates should be revoked, not just reissued: if the private key was read out of memory, anyone holding it can keep impersonating the server with the old certificate until it expires or is revoked. For now, the Heartbleed bug is a systemic issue that bears ongoing attention, and it of course affects more than just websites: any client or server software that links an affected OpenSSL version is exposed. For example, Dell only recently released a new version of its SonicWALL app used to connect to corporate systems from home.