| Researchers April 9, 2014


April 9, 2014

Heartbleed: A Note from Lookout

By Lookout

Remember that time a vulnerability left two-thirds of the Internet wide open to attack? Yeah, that happened Monday. The issue is called Heartbleed, a critical bug in “OpenSSL” -- software which roughly two thirds of the Internet uses to keep connections secure. Lookout’s main website was not affected by the vulnerability, however, some of Lookout’s other Internet-facing infrastructure was. We took care to protect our users as soon as possible, patching our systems within hours of the bug’s public release. In short, Lookout users do not need to worry about this flaw, as they are already protected.

What is Heartbleed?

Heartbleed is a software flaw in the OpenSSL “Heartbeat” function that helps keep secure connections alive. This function was found to be vulnerable to manipulation in a way that allows an attacker to steal up to 64K of data at a time from the active memory of affected systems. The bug, found by researchers from Codenomicon and Google, and filed with the following reference number - CVE-2014-0160, impacts any infrastructure that includes the affected versions of OpenSSL.

Why is this so bad?

What the researchers found is that when you grab up to 64K of memory from an affected server or client, you are likely to pick up a lot of highly sensitive things. What is most concerning is the fact that the bug often exposed "secret keys" for SSL certificates associated with that affected system. Once those keys are exposed, the certificate is vulnerable to tampering and can no longer be trusted. As a result not only does OpenSSL need to be patched but approximately two thirds of the internet will need to change its SSL certificates as a precautionary measure. Complete technical details of exactly how this bug works can be found in this blog.

What should users do to protect themselves?

As mentioned above you’re completely safe when you visit the Lookout website or use any of our mobile services -- our web infrastructure was not impacted by the flaw, and we have already patched all other vulnerable systems. As a precautionary measure we have also replaced all SSL certificates which may have been exposed by this flaw. Separately, we strongly advise anyone responsible for Internet infrastructure check whether an update has been released for their systems and to update them as quickly as possible.

Author

Lookout

Leave a comment

Submit


79 comments


Amandeep says:

November 16, 2015 at 10:15 am

SSL is bugged. What is meaning. How can upgrade amdroid I ball mobile cobalt 4


Patricia Belyeu says:

January 12, 2015 at 5:37 pm

I have s5,& can't update phone. AT&T is responsible for my updates!


Israel says:

August 15, 2014 at 10:27 pm

What Am I supposed to do after being " UNNPLUGGED" FOR ALMOST 10 YEARS, I NEED HELP AND E VERY ONE WANTS MONEY. .I'm looking for genuine help from the heart cause I can't even pay my rent and this is my life line....


chad says:

July 23, 2014 at 11:36 am

Zte now has a fix on their site go under support then updates


Mikea says:

August 11, 2016 at 11:57 pm

What's up with ZTE is there a way to change SIM cards? Also I have a 4.3 model so that's old model for updating isn't it? Is it alright to install Microsoft App Store and use Microsoft. Apps?


Aiman says:

July 10, 2014 at 6:46 pm

The safety of my smartphone is affected. My apps are very slow, my email don't open and etc.


+ Load more comments