heartbleed

This week saw the internet, Twitterverse and my inbox explode as the full scale of the Heartbleed flaw come to light.

It was on Tuesday morning when I first became aware of the issue and since then I have heard a mixed bag of thoughts on it, and had the chance to read varying stories that offer a combination of FUD, decent analysis and advice on changing passwords prematurely.

In case you took the week off, managed to avoid all the news and have been completely unaware of the story (it can be done), then Heartbleed, also known as the OpenSSL flaw or to be completely technical, CVE-2014-0160, affects a website’s OpenSSL library and the major threat is that many websites have deployed this in their login process. This means that if the software is vulnerable, so is your login and therefore if an attacker has intercepted the flaw, they will have captured your login details.

According to a blog by Zscaler’s Michael Sutton: “Heartbleed impacts the most common implementation of SSL/TLS (OpenSSL), which is used on the majority of web servers. In fact, according to Netcraft, in April 2014, Apache and nginx, two of the most popular web servers that both include vulnerable Open SSL implementations, account for 66 per cent of active web servers.”

Advice began to flow in, advising users to change their passwords. However the stance we took on IT Security Guru was that this was premature if the flaw exists, as the new password users have securely crafted and remembered could be intercepted too.

As for who is affected, the company names roll off like a who’s who in technology: Cisco, Juniper, BlackBerry, Apple, Google and Facebook. There is a full list at mashable.

Does it seem like a big deal? Depends on who you listen to. Security expert Bruce Schneier called it a “catastrophic bug” and “on the scale of 1 to 10, this is an 11”, TK Keanini, CTO of Lancope, said: “This is one of the most major vulnerabilities to happen this year and it will be with us for quite some time as everyone who is vulnerable will need to remediate”, while Edward Felten, a computer security expert at Princeton University, told the New York Times that “Heartbleed is further evidence that we don’t have our house in order when it comes to Internet security.”

One of the areas that interested me was the impact upon open source software. Philip Lieberman, CEO of Lieberman Software called it “really serious and a big blow to the credibility of open source”, while Mark Brown, director of information security at EY, said: “This vulnerability is a major blow for security on the internet and for open source development.The idea behind open source is that issues like these are resolved by the developer community at an early stage. A bug like this should never have got this far and it fundamentally undermines trust in the system.”

The story has achieved huge amounts of press attention, not just from the technical press, but from the nationals around the world. Perhaps one of the most interesting was in the Sydney Morning Herald, who managed to speak to Robin Seggelmann, who was outed as the man whose coding mistake, left servers vulnerable.

He said the bug was “unfortunately” missed by him and a reviewer when it was introduced into the open source OpenSSL encryption protocol over two years ago, “so the error made its way from the development branch into the released version.”

So we know about how many are impacted, and there are reports that the flaw is being impacted, with national CERTs issuing advice on it, while rumours have also circulated that phishing messages regarding it have also been detected. Not really surprising while legitimate emails appear encouraging users to change their passwords.

Dr. Mike Lloyd, CTO of RedSeal, said that vulnerabilities “are nothing new” and while security teams everywhere are scrambling, “some scrambles are more significant than others”. He said: “All these questions are hard to answer when you’re already in crisis. What you need is automation – not just vulnerability scanning (which can find those unpatched machines), but also a pre-built map, and a way to automate and speed up the query for ‘Where are these machines suffering from Heartbleed, and what are they exposed to?’ Wise organisations plan for this – we know it’s going to happen again.”

Toyin Adelakun from Sestus advises users is to  if possible, not login to any online accounts if you are not sure if the service provider is still vulnerable. It doesn’t help to change passwords either, because if the service provider is still vulnerable, your credentials could still be leaked. (If you feel you have to login before receiving the all-clear, the only logical risk-containment strategy would be to change passwords frequently — perhaps after each use!)   GoDaddy and BitCoin are supposedly still in the process of patching. Facebook, DropBox, Gmail and Yahoo claim to have fixed the vulnerability. Apple, Amazon, Ebay, Hotmail and LinkedIn claim to have not had the vulnerability in the first place.

For the future, a blog by Trustwave said that as this has been present for two years, it’s likely that sophisticated attackers have identified the bug and widely exploited it. “Organisations will be hard pressed, if not unable, to glean whether their SSL certificate is compromised until an attacker is caught performing a man-in-the-middle attack,” said John Miller, security research manager at Trustwave. “Every server that is or was vulnerable to the Heartbleed attack is potentially compromised. As a result, certificate owners must act to protect their users and their reputations.”

So what can you do to protect yourself? I’d suggest looking at the great website built by

Codenomicon who discovered the flaw, reading the excellent analysis by Australian researcher Troy Hunt and changing your password, once you have figured out that the website has been fixed.

If you are managing servers, take the time to apply fixes and get yourself secure again. Of course if you really want to make a difference, why not make a donation to the OpenSSL foundation, and make sure things like this do not get repeated.

 

Dan Raywood is editor of The IT Security Guru

Advertisements