Heartbleed Vulnerability
– Chris Stoneff, Director of Professional Services, Lieberman Software, says:
Just when the general public seemed to take the Internet for granted as a secure means to conduct financial transactions and communicate personal data, along comes the Heartbleed Vulnerability.
This OpenSSL vulnerability, discovered earlier this week, is already being called potentially the mostsignificant breach in Internet security to date. By some estimates, Heartbleed affects two-thirds of all servers on the public Internet.
While a number of affected sites have already been patched against Heartbleed, some security pundits expect the vulnerability to persist for years in networking hardware, home automation systems, and critical industrial-control systems that are outside the public view and rarely updated.
As for the OpenSSL technology that provides encryption for devices that connect to the Internet, the software is developed and maintained entirely by four European programmers. In essence, their software is what secures information in transit to and from most websites. This is how you get the HTTPS protocol on web pages, and that little lock icon to signify that the site is secure. Well, at least that’s what we thought was happening.
A basic explanation of the Heartbleed bug is that servers (typically configured in high availability mode) maintain a heartbeat to let other systems know they are alive and well. The Heartbeat attack essentially gets the server heartbeat mechanism to reply to the heartbeat request with a lot more information than the basic “I am alive” message. This can allow attackers to retrieve sensitive data like passwords, credit card information, social security numbers and really anything else in system memory at the time.
We’ll leave it for others to debate the affect that Heartblead could have on the public’s trust in the Internet as a secure means of communication. Meanwhile, we’ll move on to steps you can take now to protect yourself from the vulnerability.
- Patch, patch, patch. This one is obvious, and fortunately a patch that fixes the Heartbleed vulnerability is already widely available. In fact, pretty much every major Linux distribution has issued a patch. Unfortunately, while the patch itself might be simple to implement, there are potentially more complex issues around the digital certificates that may or may not be involved. But it’s a good idea to patch your systems before changing passwords. Which brings me to…
- Change passwords right now. For internal items and app to app systems, change all passwords immediately (and frequently) so that any compromised logins become useless. In particular, update all account passwords and service account credentials on any system – Linux, UNIX, Solaris, Windows running a third party OpenSSL based application, or network device that has utilized OpenSSL.
- Tell end-users. Suggest that employees at your company change their passwords, just in case.
Also, if you want a handy little tool that lists websites that are open to the Heartbleed vulnerability, have a look at this site from our technology partner Qualys.
And finally, want a silver lining amidst all this doom and gloom? Take this crisis as an opportunity to shore up your password security, so you’ll be far ahead when the next big incident invariably arises. By this I mean deploy complex, unique and frequently changing passwords across all systems on your network. But don’t try to do it yourself. Trust me, you’ll never find them all. Instead, use an enterprise-level privileged identity management solution and let it do the job for you automatically.
