16 Apr 2014

Heartbleed - Did Google keep it a secret?

The Heartbleed security bug revealed last week has had wide-reaching effects all over the internet – but those who discovered the flaw in the OpenSSL cryptographic library did not rush to inform the public, the government or even OpenSSL. It has been revealed that Google security researcher Neel Mehta discovered the bug on March 21st – if not before – after which Google committed a patch for the flaw that was systematically applied to Google services and servers across the globe. It was not until Tuesday April 1st that Google Security notified OpenSSL about the flaw it had found, which later became known as “Heartbleed”.

Brendan Sasso wrote for the National Journal that “Companies often wait to publicize a security flaw so they can have time to patch their own services. But keeping the bug secret from the US government could have left federal systems vulnerable to hackers.” This is similarly true of governments across the globe – Canadian federal tax agency data has been compromised as a result. While it seems no government data was affected here in Australia, Fairfax is now reporting that financial websites run by GE Money were vulnerable to Heartbleed, including the Myer Visa Card and Myer Card portals, as well as Coles Mastercard.

Knowledge is power – and what you know about, you can protect yourself from. Brennan IT has patched our internal systems in response to the identification of this bug, and as part of standard operations we run regular vulnerability scans.