- Security TWENTY
- Women in Security
When a cybersecurity industry report was published about a vulnerability known as “Heartbleed” – affecting websites, email, and instant messaging – that can potentially impact internet logins and personal information online by undermining the encryption process, the Department of Homeland Security’s US-Computer Emergency Readiness Team (US-CERT) issued an alert.
Ross Brewer, vice president and managing director for international markets at LogRhythm, commented: “I’m sure many of us were anticipating that this would happen at some point, and if the Heartbleed bug is being exploited in the US, it won’t be long before reports of a similar nature are made in the UK. The vulnerability is technically referred to as a “Buffer Over Read” in that once the exploit is successful, 64k of the server’s memory ‘leaks’ and can then be viewed by an unauthorised party.
“This is clearly a huge concern as sensitive data within a server’s memory could include anything from usernames and passwords to account numbers and private keys. If this information gets into the wrong hands, a lot of people could be affected. If that wasn’t bad enough, exploiting this vulnerability is incredibly easy and we aren’t just looking at the ‘big boy’ hackers, but many unskilled upstarts will also be trying their luck.
“Now that we are entering the exploitation scenario, every single businesses needs to ensure that they are monitoring every single piece of activity that takes place on their networks continuously and in real-time. If secret keys are stolen, for example, an attacker could piggy-back any traffic destined for the application and snoop on private and sensitive application interactions – such as financial transactions. The only way to remediate this is by having the ability to identity abnormal behavior on the network through monitoring. We could be about to witness data breaches on a massive scale and organisations must be vigilant – both to protect themselves and their customers.”
The DHS in the US advises:
Many commonly used websites are taking steps to ensure they are not affected by this vulnerability and letting the public know. Once you know the website is secure, change your passwords.
Closely monitor your email accounts, bank accounts, social media accounts, and other online assets for irregular or suspicious activity, such as abnormal purchases or messages
After a website you are visiting has addressed the vulnerability, ensure that if it requires personal information such as login credentials or credit card information, it is secure with the HTTPS identifier in the address bar. Look out for the “s”, as it means secure.
And Chris Brenton, Director of Security at Dyn, writes about the Heartbleed security bug.
Last Monday, a new vulnerability in OpenSSL version 1.0.1 called “Heartbleed” was announced. This vulnerability is of particular concern as it could permit a remote attacker to extract up to 64 KB of information from any remote server running OpenSSL software. Unfortunately, this data leakage could include login credentials, private keys and other sensitive information.
Based on the software’s release history, this vulnerability has existed for approximately two years. Further, the attack leaves behind no tell tale log signatures to identify that an attack has taken place or what sensitive information may have been leaked. In many ways, this vulnerability represents the perfect storm in Internet security, as OpenSSL is considered the most popular way to secure web browser sessions.
The best way to protect yourself is to reset the passwords on all of your Internet-based accounts that are accessed via a web browser. First, however, the company managing the server needs to take steps to correct the issue. If they have not yet properly corrected the problem on their end, logging into your account could actually put you at additional risk, as tools to exploit this flaw are now freely available.
Here’s how to check to see if it is safe to reset your password:
Check to see if the company has posted any information regarding their response to “Heartbleed” or “CVE-2014-0160”. This could be via a blog entry, news feed, or email distribution, varying depending on the organization. What you want to see is that either they were never vulnerable because they don’t use OpenSSL, or that they have both patched their server and cycled the private key used for SSL/TLS communications.
If the vendor was never vulnerable, there is no need to take additional steps. If the vendor has patched and cycled their private keys, you should immediately change your password. If the vendor has not publicly disclosed their response, you’ll need to do a bit of research.
Does The Site Run OpenSSL?
Most non-Windows systems run OpenSSL to secure web server traffic. So if you can identify the operating system used by the web server, you can get a pretty accurate read on whether the site had to deal with this vulnerability. Netcraft’s Site Report is a great tool for identifying the technology behind a given Web server. Again, if it’s a Windows based server, then you should be safe. If it’s a Linux or BSD based system, you should do additional testing.
Is The Site Patched?
It can be difficult to identify what version of OpenSSL is running on a remote system. Luckily, there are public websites that can quickly identify if a specific web server is vulnerable to Heartbleed. You can leverage one of these tools to test your remote vendor, but just ensure that you point it at the server you use to login to the service. This may not necessarily be the company’s main website.
Has The Site Deployed a New Private Key?
Because Heartbleed has been in the wild for so long, it’s impossible to tell what information nefarious actors have been able to retrieve. If they have been able to grab a copy of the server’s private key, they will be able to decrypt all traffic going to and from that server even after patches are applied. A complete fix requires the company managing the site to regenerate the server’s digital certificate.
This is where things get a bit complex as it’s possible to update a private key without creating a new digital certificate. So you can’t just look at the digital certificate and see if it has been issued since April 7th.
So your only option is to trust the vendor when they identify whether or not they have issued new private keys. Typically, if they have taken this additional security precaution, they are going to convey this to their customers. If they don’t mention it, chances are they did not take this additional step.
So what are the risks if the vendor has not cycled their private key? It can be argued that they are pretty minimal. Someone would have had to have attacked the server prior to the patch being installed, and included in the random information extracted from the server would need to be a copy of the private key. So from a risk perspective, this could be considered possible, but not likely. At Dyn, we decided to err on the side of caution by cycling our private keys. This way, there is no question that we are safe moving forward.
If your vendor passes all of the above checks, you can now safely login to the system and change your password. This should secure your account from this point forward.