I don’t think I’ve ever seen the reaction to an Internet security problem like the reaction I’m seeing with the Heartbleed bug. I expected to get email messages from security experts, but not the volume that has been coming in. Then I logged on to Facebook, and my feed was in pandemonium. People are totally freaked out by the news of this vulnerability, but I’m not sure which concerns them more: That their personal information may be compromised or that they are going to have to change a lot of passwords.
Let’s take a deep breath and get some points straight. I reached out to a number of experts to get their insights into this issue.
First, we should all take this very seriously. For those who may not understand what the Heartbleed bug is, the Heartbleed bug website explains it clearly:
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
Amit Sethi, technical manager for Cigital, told me in an email that Heartbleed is one of the worst vulnerabilities in the history of the Web, adding:
It has been present in OpenSSL for over two years, during which time it has made it into a lot of software. Unlike many other vulnerabilities in SSL implementations that we have heard about in recent years, this one does not require the attacker to be positioned between your computer and the server. The attacker can go directly to the server and get any information that you recently exchanged with it over a secure channel. On the positive side, high-profile websites have been addressing the issue very quickly either by fixing it or by taking down their applications while they create a mitigation plan. On the negative side, we may never know the full extent of the information that might have been stolen. We will likely see various attacks that use the stolen information in the days and weeks to come.
Wait a second. This has been present for two years? Then why are we in a panic about it now?
Because, according to Richard Westmoreland, level III security analyst at SilverSky, it hasn’t been actually active for two years. Just as with many exploits, they exist for long periods of time before they’re discovered. It was not discovered and reported to the public until three days ago.
Westmoreland also added that the reason for the panicked reaction is due to the exposure:
Vulnerable versions of OpenSSL account for half a million SSL certificates, of which many are assigned to some of the most popular sites such as Yahoo, Google, Dropbox, Pinterest, Github, Twitter, Intuit, and GoDaddy. Due to the way the exploit works, there is almost no sign of its attempts or successes in Web server logs so it is hard to gauge its use prior to the disclosure.
What about your company? Have you been affected by Heartbleed? Dodi Glenn, senior director of security intelligence and research labs for ThreatTrack Security, advised that businesses need to make sure that if they are using OpenSSL on the network, they aren't using one of the vulnerable versions (and that includes if you use Linux), adding:
If a server administrator is running 1.0.1 or 1.0.2-beta of OpenSSL, they should upgrade as soon as possible. The vulnerability has been fixed in OpenSSL 1.0.1g, however, if they cannot upgrade to the patched version, they can disable Heartbeat support, which is where the vulnerability exists. If a company has been running with one of the vulnerable versions of OpenSSL for a decent amount of time, they should assume that their certificates and keys have been compromised.
Glenn also provided a list of tools available to scan for vulnerable versions of SSL:
A couple of websites have cropped up that allow users to check whether or not a site is vulnerable to Heartbleed (CVE-2014-0160).
I’m sure more news about this bug will be coming soon. Stay tuned, and don’t change your passwords until you’ve verified that the SSL on the site has been fixed.