Heartbleed Vulnerability: What it Means for your Company and for You

It’s been a few days since the Heartbleed OpenSSL vulnerability was announced and I’m sure you’ve read some media coverage. Let’s cut to the chase on what you should do:

For your Company

  1. Patch any systems using OpenSSL 1.0.1 with version 1.0.1g
  2. Revoke certificates on impacted systems
  3. Issue new certificates for newly created keys
  4. Install new certificates on systems
  5. Change passwords for accounts on such systems
  6. Check with vendors to see if their software is vulnerable
  7. Follow vendor recommendations to update the software
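Added example for step 1, written for this page rather than taken from the post or from OpenSSL's own tooling: a small C triage helper that reads the banner printed by `openssl version` for each host in an inventory and flags the versions inside the Heartbleed window (1.0.1 through 1.0.1f and 1.0.2-beta1) as needing the 1.0.1g update. The host names and banner strings below are constructed sample data.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum hb_status { HB_UNKNOWN = -1, HB_NOT_AFFECTED = 0, HB_VULNERABLE = 1, HB_FIXED = 2 };

/* Classify an `openssl version` banner. Vulnerable: 1.0.1 (no letter) through
 * 1.0.1f, plus 1.0.2-beta1. Fixed: 1.0.1g and later, 1.0.2-beta2 and later.
 * The 0.9.8 and 1.0.0 branches never contained the heartbeat bug. */
static enum hb_status classify_openssl_version(const char *banner)
{
    int major, minor, fix, consumed = 0;
    if (sscanf(banner, "OpenSSL %d.%d.%d%n", &major, &minor, &fix, &consumed) != 3)
        return HB_UNKNOWN;                  /* LibreSSL, an empty line, garbage */
    const char *suffix = banner + consumed; /* "", "e 11 Feb 2013", "-beta1 ..." */
    if (major != 1 || minor != 0) return HB_NOT_AFFECTED;
    if (fix == 1) {
        /* Plain "1.0.1" shipped without a patch letter and was vulnerable too. */
        char letter = isalpha((unsigned char)suffix[0])
                    ? (char)tolower((unsigned char)suffix[0]) : 0;
        return (letter != 0 && letter >= 'g') ? HB_FIXED : HB_VULNERABLE;
    }
    if (fix == 2)
        return strncmp(suffix, "-beta1", 6) == 0 ? HB_VULNERABLE : HB_FIXED;
    return HB_NOT_AFFECTED;                 /* 1.0.0x */
}

/* Constructed inventory lines: "<host> <banner>". */
static const char *const sample_inventory[] = {
    "web01  OpenSSL 1.0.1e 11 Feb 2013",
    "web02  OpenSSL 1.0.1g 7 Apr 2014",
    "vpn01  OpenSSL 1.0.0l 6 Jan 2014",
    "lb01   OpenSSL 1.0.2-beta1 24 Feb 2014",
    "legacy OpenSSL 0.9.8y 5 Feb 2013",
    "bsd01  LibreSSL 2.0.0",
};
#define SAMPLE_COUNT (sizeof sample_inventory / sizeof sample_inventory[0])

/* Skip the host name: the banner starts at "OpenSSL" if it is present at all. */
static const char *banner_of(const char *line)
{
    const char *p = strstr(line, "OpenSSL");
    return p ? p : line;
}

/* Number of inventory lines whose banner falls inside the vulnerable window. */
static int count_needing_patch(const char *const *lines, size_t n)
{
    int count = 0;
    for (size_t i = 0; i < n; i++)
        if (classify_openssl_version(banner_of(lines[i])) == HB_VULNERABLE) count++;
    return count;
}

static int sample_count(void)
{
    return count_needing_patch(sample_inventory, SAMPLE_COUNT);
}

int main(void)
{
    static const char *const label[] = { "not affected", "VULNERABLE", "fixed" };
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        enum hb_status s = classify_openssl_version(banner_of(sample_inventory[i]));
        printf("%-40s %s\n", sample_inventory[i], s == HB_UNKNOWN ? "unknown" : label[s]);
    }
    return 0;
}
```

A banner check is only a first pass: several Linux distributions shipped the fix as a backport while keeping the upstream version string (a host reporting 1.0.1e can already be patched), so a VULNERABLE hit here is a lead to confirm against the vendor advisory or package changelog, which is what step 6 is for.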

For You Personally

  1. Check websites to see if they were affected by this vulnerability; most organizations are posting some reference to this. You can also check this list provided by Mashable.
  2. Change your password on those vulnerable websites once they have fixed the flaw. Note that it is key this is done after the flaw has been fixed.

If you want some additional context on why Heartbleed is different…

I’ve been in information security going back to the 90s and there are a few landmark security events I will never forget. Massive exploits like Melissa, Code Red, and Nimda are seared in my memory after cleaning up, responding to, or analyzing affected systems. Then in the late 00s, the world shifted to the targeted attack, where exploits weren’t as widespread or well known, but were more damaging: Aurora, Stuxnet, APT1. Ignorance is bliss, until the damage is done.

The OpenSSL Heartbleed vulnerability is a game changer and a landmark moment in computer security because it is the first time the world is rushing to address a vulnerability (not a virus) en masse.

What steps are you taking?

Heartbleed is a vulnerability (weakness in OpenSSL), not a virus, and yet there is as much buzz from tech and mainstream media as any mega viruses of the past. This is because websites and software using OpenSSL could be exploited and you wouldn’t even know!

In simple terms, one could send a web server running OpenSSL a message and get back data from memory on that web server. What information might be in that memory?

  • Encryption keys
  • Passwords
  • Account names

Oh, and did I mention that you can’t detect if you were exploited?
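To make the "send a message, get back memory" description concrete, here is an added example in C, written for this page as a simplified model rather than copied from OpenSSL's source. A TLS heartbeat record is a type byte, a two-byte payload length, the payload, and at least 16 bytes of padding (RFC 6520). The vulnerable responder below trusts the length field in the message; the patched one applies the bounds check that 1.0.1g introduced, refusing any claimed length that does not fit inside the bytes actually received. The "process memory" buffer and the session marker in it are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16

/* Shared response builder: echo payload_len bytes from payload, then padding.
 * out_cap is this model's own output bookkeeping (the real code allocated a
 * buffer sized from payload_len); it is not the Heartbleed fix. */
static long build_response(const uint8_t *payload, size_t payload_len,
                           uint8_t *out, size_t out_cap)
{
    size_t need = 1 + 2 + payload_len + HB_PADDING;
    if (need > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, payload, payload_len);        /* runs past the record if unchecked */
    memset(out + 3 + payload_len, 0, HB_PADDING); /* real code used random padding */
    return (long)need;
}

/* Vulnerable responder: believes the peer's length field; rec_len is ignored. */
static long heartbeat_unchecked(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap)
{
    (void)rec_len;                                /* never consulted: that is the bug */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    return build_response(rec + 3, payload_len, out, out_cap);
}

/* Patched responder: the record must hold a header plus padding, and the
 * claimed payload must fit inside the bytes that actually arrived. */
static long heartbeat_checked(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload_len + HB_PADDING > rec_len) return -1;   /* the fix */
    return build_response(rec + 3, payload_len, out, out_cap);
}

/* Build a request claiming claimed_len bytes but carrying actual_len.
 * Returns the number of record bytes actually written. */
static size_t make_request(uint8_t *buf, size_t claimed_len,
                           const uint8_t *payload, size_t actual_len)
{
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + 3, payload, actual_len);
    memset(buf + 3 + actual_len, 0, HB_PADDING);
    return 3 + actual_len + HB_PADDING;
}

static int contains(const uint8_t *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Constructed scenario: a 4-byte heartbeat that claims 64 bytes, stored in a
 * buffer that also holds a marker standing in for a session cookie.
 * Returns 1 if the unchecked responder echoed the marker, 0 if not, -1 on error. */
static int unchecked_leaks_neighbouring_memory(void)
{
    uint8_t mem[128] = {0}, out[128];
    const uint8_t ping[4] = { 'p', 'i', 'n', 'g' };
    const char *marker = "SESSION=constructed-secret";
    size_t rec_len = make_request(mem, 64, ping, sizeof ping);
    memcpy(mem + rec_len, marker, strlen(marker));  /* "memory next to the record" */
    long n = heartbeat_unchecked(mem, rec_len, out, sizeof out);
    return n < 0 ? -1 : contains(out, (size_t)n, marker);
}

/* The same malformed request against the patched responder: -1 means rejected. */
static long checked_rejects_oversized_claim(void)
{
    uint8_t mem[128] = {0}, out[128];
    const uint8_t ping[4] = { 'p', 'i', 'n', 'g' };
    size_t rec_len = make_request(mem, 64, ping, sizeof ping);
    return heartbeat_checked(mem, rec_len, out, sizeof out);
}

/* An honest request (claimed length equals actual) still gets a normal echo. */
static long checked_answers_honest_request(void)
{
    uint8_t mem[128] = {0}, out[128];
    const uint8_t ping[4] = { 'p', 'i', 'n', 'g' };
    size_t rec_len = make_request(mem, sizeof ping, ping, sizeof ping);
    return heartbeat_checked(mem, rec_len, out, sizeof out);  /* 3 + 4 + 16 = 23 */
}
```

The one-line comparison in heartbeat_checked is the whole difference between the two responders, which is also why the exposure is so hard to see after the fact: a malformed request is a valid-looking heartbeat, and nothing in the unchecked path fails, logs, or crashes.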

So, what web sites, products and technologies use OpenSSL?

  • Major websites such as Facebook, Google, and Yahoo
  • Email services, including Gmail and Yahoo Mail
  • File share services, such as Dropbox and Box
  • Countless variants of enterprise software
  • Older versions of Android
  • Routers and other embedded systems

Bottom line: OpenSSL is used all over the place and affects lots of different systems.

Mitigation

Let’s go deeper on the mitigation and why patching alone is not enough. Here is where it gets really ugly. There are multiple steps to ensure full protection.

  1. Patch vulnerable systems: Anything running OpenSSL should be patched. This includes websites, 3rd party software, cloud systems, and even Android devices. Patching closes the weakness and prevents information from being stolen from systems running the vulnerable version, but unlike most vulnerabilities, patching alone does not undo what may already have been exposed, so you may still be at risk after patching.
  2. Revoke, issue, and install new certificates: Yes, this is a painful step, but if an attacker was able to extract the encryption keys through the vulnerable OpenSSL, your sessions could be decrypted.
  3. Change passwords for accounts on compromised systems: Again, this may feel extreme, but account passwords could have been discovered through exploitation of the vulnerability.

Reality Check

So, how bad is this really? On one hand, the prevalence of OpenSSL in software and websites means there are a lot of ways to compromise systems, sessions, and accounts. This is really bad when you consider that exploitation is difficult to detect.

That said, the likelihood of your account and password being discovered is low. Take one of the big websites like Yahoo that has millions of accounts. It’s possible your information was not in the random memory that was returned when OpenSSL was exploited. Websites are probably not going to force you to change your password because of the overload on authentication systems and the fear that might induce. Nevertheless, everyone should use this as a reason to change the passwords you haven’t changed (let’s be honest, this is all of them).

Some are recommending changing account names too, as those could have been exposed. This is a painful step and probably reserved for the most security paranoid.

So what should you definitely do vs consider doing?

  • Patch vulnerable software: definitely
  • Update certificates on affected systems: definitely
  • Check vendors and websites to see if they are vulnerable and fixed: definitely
  • Change passwords for affected websites and systems: yes, it hurts, but do it
  • Change your account names: good idea, but probably not practical
  • Bonus: Turn on two-factor authentication on your web services if they offer it

Resources

There are loads of websites with recommendations and information. I have seen conflicting information, so check with the website or vendor for the most authoritative response. Here are some of the better ones:

Small Businesses Need to Watch their Security Too

There’s an old story about two friends hiking in the woods who happen upon a hungry mountain lion. The friends turn to run with the mountain lion hot on their heels. One friend turns to the other and states the obvious fact that there is no way they are going to outrun a mountain lion. The other friend smiles and says, “I don’t have to outrun the mountain lion, I just have to outrun you”.

Everyone knows that cyber crime is a growing problem among American businesses. However, there’s a misconception that bigger businesses are a juicier target and have more risk of being attacked. This couldn’t be more wrong.

Most small businesses are less sophisticated in their security defenses. They opt for free AV software and generally don’t employ security policies that seem restrictive. This is natural, since most small businesses are more focused on surviving and executing the business than on investing in security. The problem is that to a predator looking for a meal, small businesses are easy prey.

Since most small businesses are more focused on surviving, they become easy prey for hackers and cyber thieves.

A recent article in the Wall Street Journal points out the fallacies of depending solely on a traditional definition-based approach to protecting endpoints and your business from attack. In the article, a specific small company thought they weren’t a target because they only had 100 employees and didn’t make enough money to draw the attention of cyber-thieves. Unfortunately, this company was taken for $1.2 million by an enterprising hacker with a new, zero-day vulnerability to exploit. His new vulnerability wasn’t detected by the anti-virus software the company was running. These zero-day threats are going to become more of the norm.

If you’re a small business, it’s time to start running faster and to look like a less juicy target. Look for ways to augment your anti-virus client with things such as application whitelisting and other simple, proactive controls to combat zero-day threats and deal with today’s changing cybercrime landscape.

Doing small security things like that could save your business.