Heartbleed Overview
In the last few days, news of the OpenSSL Vulnerability known as Heartbleed has been picked up by the mainstream media which is prompting a lot of questions. Here’s a brief explanation of the issue, its context, and some suggestions on how to mitigate your risks.
What is Heartbleed?
This is the name given to a recently publicized vulnerability in OpenSSL that is tracked as CVE-2014-0160 in the National Vulnerability Database. OpenSSL is an open source cryptographic library that is used by the majority of web servers to secure web traffic. Each time you go to a site that starts with https, your web browser is establishing an encrypted connection with the remote web server. The purpose of this encrypted connection is to ensure that the contents of the session can’t be intercepted or manipulated by anyone who has access to the data in transit (or a stored copy of it).
OpenSSL contains a heartbeat mechanism, a process by which each side of the connection determines that the other side is still present. The name Heartbleed was chosen because a vulnerability in this mechanism allows an attacker to gain access to and remotely read a portion of the server’s memory, thus bleeding out potentially sensitive information.
What type of information is at risk?
The vulnerability allows an unauthenticated remote attacker to gain access to a random 64K block of the server’s memory without leaving an indicator of compromise. This means that anyone with an internet connection can attack any vulnerable server without leaving a record of the attack. Repeated attacks on the same web server are likely to return different 64K chunks of memory, so if you keep reading from a web server’s memory, you’re likely to find a great deal of information that will undermine the security of that server and its connections. The information that we’re the most concerned about is the private encryption keys that are used to establish “supposedly” secure communication channels, and passwords, both of which are held in RAM on all web servers. We care about the private encryption keys because, as the name suggests, they must be kept private for this type of cryptography to work. We care about passwords because 1) they could be system passwords and enable an attacker to gain further access to the server, or 2) they could be user / customer account passwords that could be used to gain access to information not contained in memory on the web server.
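As an added illustration (not code from the original post or from OpenSSL), the toy model below follows the heartbeat record layout from RFC 6520 (a one-byte type, a two-byte payload length, the payload, and at least 16 bytes of padding) and uses a constructed bytearray to stand in for the server process’s memory. The vulnerable handler trusts the length field in the request, which is exactly what let a single malformed heartbeat return neighbouring memory; the two-byte length field is why one response is capped at 64K. The fixed handler mirrors the bounds check added in OpenSSL 1.0.1g and discards any request whose claimed length does not fit inside the record actually received. All function names, the sample payload and the “secret” bytes are inventions of this example.

```python
import struct

# Heartbeat message types and minimum padding, as laid out in RFC 6520.
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16
HEADER_LEN = 3  # 1-byte type + 2-byte payload length


def make_record(payload, claimed_len=None):
    """Build a heartbeat request record; a well-formed request has claimed_len == len(payload)."""
    if claimed_len is None:
        claimed_len = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING


def build_memory(record, neighbour):
    """Constructed process memory: the received record, followed by whatever sat next to it."""
    return bytearray(record + neighbour), len(record)


def heartbeat_vulnerable(memory, record_len):
    """Pre-1.0.1g behaviour: copy as many bytes as the request *claims* it sent."""
    hb_type, claimed_len = struct.unpack_from("!BH", memory, 0)
    if hb_type != HEARTBEAT_REQUEST:
        return None
    # record_len is never consulted. In C this memcpy runs past the record into
    # adjacent heap memory; here the slice simply continues into the toy memory.
    payload = bytes(memory[HEADER_LEN:HEADER_LEN + claimed_len])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed_len) + payload + b"\x00" * MIN_PADDING


def heartbeat_fixed(memory, record_len):
    """1.0.1g-style handling: the claimed length must fit inside the record that arrived."""
    if HEADER_LEN + MIN_PADDING > record_len:
        return None  # too short to hold even a header plus padding: silently discard
    hb_type, claimed_len = struct.unpack_from("!BH", memory, 0)
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + claimed_len + MIN_PADDING > record_len:
        return None  # claimed payload does not fit in the record: silently discard
    payload = bytes(memory[HEADER_LEN:HEADER_LEN + claimed_len])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed_len) + payload + b"\x00" * MIN_PADDING


def response_payload(response):
    """Return the payload bytes carried by a heartbeat response."""
    _, length = struct.unpack_from("!BH", response, 0)
    return bytes(response[HEADER_LEN:HEADER_LEN + length])


if __name__ == "__main__":
    secret = b"[constructed] PRIVATE-KEY-BYTES"  # stands in for key material held in RAM
    oversized = make_record(b"ping", claimed_len=len(b"ping") + MIN_PADDING + len(secret))
    memory, record_len = build_memory(oversized, secret)
    print("vulnerable handler returned:", response_payload(heartbeat_vulnerable(memory, record_len)))
    print("fixed handler returned:", heartbeat_fixed(memory, record_len))
```

The fixed handler answers a well-formed request normally and returns nothing at all for a malformed one, which is also why the attack left no indicator on unpatched servers: the vulnerable code path never treated the request as an error.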
What should you do now?
For the User – If you are primarily a consumer of technology and not responsible for maintaining any IT infrastructure, we suggest you take a few minutes to make sure you’re following good password policies as that is the best countermeasure you have to minimize the risk of this security issue. This of course is in addition to the already standard practices of running a reputable (and up to date) anti-virus program, following vendor patch recommendations, and maintaining reliable backups of your data. (you do all of those things already… right?)
There is a list of popular websites that were found to be vulnerable, but the list only reflects the results obtained at the time of testing. The point here is that the vulnerability has existed for approximately 2 years and it is impossible to know when it was actually first discovered and to what extent it has been used. Our recommendation is that you change your passwords in the near term on any web property that holds information you consider sensitive and that you follow these good password policies.
Good password policies involve selecting passwords that are:
Unique – don’t use the same password for multiple sites and systems. This reduces the risk that one online vendor being compromised will leave your account with another vendor exposed. Also, don’t use the same password for web sites and for your computer. The Heartbleed vulnerability wouldn’t give an attacker access to your computer in itself, but the data obtained could be useful in gaining access to other systems if the account information is the same.
Changed Regularly – We all hate changing our passwords, but it provides an important layer of protection against this type of attack. Some online services are requiring users to reset their passwords as a result of this vulnerability, but don’t assume that you should only change a password if you have to. It’s probably a good idea to reset your Online Banking passwords in the near term. Since there is some uncertainty about whether this vulnerability can be used in reverse (a malicious server bleeds information from the browsing computer), it is wise to change your passwords regularly.
Sufficiently Complex – This particular vulnerability does not rely on attacks against weak passwords, but many others do. Passwords that are easily guessed (P@ssword1, 1234, abc123) or based on dictionary words are easily exploited by automated password cracking tools. This could easily lead to your accounts being compromised.
For Businesses and IT Organizations
If you’re responsible for an IT or business organization, you need to make sure that you have assessed and mitigated the risks associated with this vulnerability immediately. If you’re not qualified to do this yourself, hire someone who is. At a minimum, you need to determine if any of your publicly facing servers are using a vulnerable implementation of OpenSSL and then work with the vendor or the responsible system administrator to determine how and when it can be patched.
There are a variety of tools that can be used to determine if a server is vulnerable. The tools located at filippo.io, pentest-tools.com, and www.ssllabs.com are good places to start.
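A first triage step on a host you administer, added here as an example and not code from the original post or from the tools it lists: classify the banner printed by `openssl version -a`. Upstream releases 1.0.1 through 1.0.1f (and the 1.0.2-beta1 prerelease) carry the bug, and 1.0.1g, released 7 April 2014, fixes it. The caveat a practitioner needs is that many distributions backport the fix without changing the version letter, so a 1.0.1e banner built after the fix date is only “possibly backported” and must be confirmed against the vendor’s advisory or with one of the live test tools mentioned above. The function names and the sample banners (including their build dates) are constructed for this example.

```python
import re
import subprocess
from datetime import date

# Upstream OpenSSL releases that shipped the unchecked heartbeat handler are
# 1.0.1 through 1.0.1f (plus the 1.0.2-beta1 prerelease). 1.0.1g, released on
# 7 April 2014, added the bounds check; 1.0.0 and 0.9.8 never had the heartbeat
# extension. Distributions often backport the fix while keeping the old version
# letter, so the version string alone cannot prove a host is safe.
FIX_RELEASED = date(2014, 4, 7)
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]?)(-beta\d+)?")
_MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
# Matches the 'built on: Wed Jan 8 20:57:48 UTC 2014' line that `openssl version -a` prints.
_BUILT_RE = re.compile(
    r"built on:.*?\b(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+(\d{1,2})\b.*?\b(\d{4})\b")


def parse_build_date(banner):
    """Pull the build date out of the 'built on:' line, or None if it is absent or unparseable."""
    m = _BUILT_RE.search(banner)
    if not m:
        return None
    return date(int(m.group(3)), _MONTHS[m.group(1)], int(m.group(2)))


def classify(banner):
    """Return a triage verdict for an `openssl version -a` banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        return "unknown"              # not OpenSSL, or an unrecognised banner
    base, letter, beta = m.groups()
    if base == "1.0.2" and beta == "-beta1":
        return "vulnerable_unless_backported"
    if base != "1.0.1":
        return "not_affected"         # heartbeat extension absent, or a post-fix branch
    if letter >= "g":
        return "fixed_upstream"
    built = parse_build_date(banner)
    if built is not None and built >= FIX_RELEASED:
        return "possibly_backported"  # vulnerable letter, but built after the fix existed
    return "vulnerable_unless_backported"


def classify_local():
    """Run `openssl version -a` on this host and classify it ('unknown' if openssl is missing)."""
    try:
        out = subprocess.run(["openssl", "version", "-a"],
                             capture_output=True, text=True, check=False).stdout
    except OSError:
        return "unknown"
    return classify(out)


# Constructed banners in the shape `openssl version -a` prints; the build dates are made up.
SAMPLE_BANNERS = {
    "stock 1.0.1e": "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Wed Jan 8 20:57:48 UTC 2014",
    "1.0.1e rebuilt after the fix": "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Tue Apr 8 12:00:00 UTC 2014",
    "upstream fix": "OpenSSL 1.0.1g 7 Apr 2014\nbuilt on: Mon Apr 7 22:35:08 UTC 2014",
    "older branch": "OpenSSL 1.0.0l 6 Jan 2014",
}

if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        print(f"{label:30} -> {classify(banner)}")
    print(f"{'this host':30} -> {classify_local()}")
```

Treat every verdict other than `not_affected` and `fixed_upstream` as “assume vulnerable until the vendor says otherwise”; the banner check narrows the list of hosts to look at, it does not replace a live test or the distribution’s advisory.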
If you determine that you have a vulnerable system, then you need to consider the possible and likely data that has been held in RAM on those systems so you can determine the appropriate course of action. At a minimum, we would suggest re-keying your SSL Certificates and changing the passwords for your privileged accounts. Forcing users to reset their passwords may also be appropriate, but that will depend on the nature of the business and the results of your risk assessment.
An important component of this type of incident response is how you communicate about the issue to your internal and external customers. Take the time to contact them to let them know that you are taking the issue seriously, and let them know what you have done and are doing to protect them.
In addition, this type of high impact vulnerability underscores the need to be prepared to react quickly to security threats. A well thought out vulnerability management process and incident response plan should allow you to respond effectively and quickly in this type of scenario. If you have deferred working on those plans, now is a good time to remind senior management of the importance of Information Security and improve your security posture.
For more information about this or other IT Security related topics, please contact ContinuityFocus at (800) 399-6085.
References:
http://heartbleed.com/
https://www.schneier.com/blog/archives/2014/04/heartbleed.html
http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
http://www.theregister.co.uk/2014/04/10/many_clientside_vulns_in_heartbleed_says_sans/