On April 7, 2014, a new security vulnerability affecting the entire Internet was publicly announced under the name “Heartbleed bug”. Security analysts from around the world have described the Heartbleed bug as the most serious Internet security vulnerability to date. According to security analysts, Heartbleed is a flaw in the code of the OpenSSL cryptographic library that went unnoticed for approximately the last two years. In short, this vulnerability affects the security of the common SSL and TLS encryption methods that are used for secure Internet communications. Website authentication, email and instant messaging, and Virtual Private Networks (VPNs) are a few of the common examples. Mac/iOS and Android mobile devices have also proven to be highly vulnerable to Heartbleed. In fact, all hardware devices, software, and web applications protected by OpenSSL are considered vulnerable.
The Heartbleed bug allows anyone on the Internet to read the memory of systems protected by the vulnerable OpenSSL software. In plain terms, this bug allows malicious users to exploit vulnerable systems and gather secret information from Internet users and Internet service providers. This secret information includes, but is not limited to, secure session keys and usernames and passwords for VPNs and secure website logins. The Heartbleed bug also allows malicious users to gather the actual content transferred during the communication between the service provider and the Internet user without being detected. The crux of the problem is that everyone who uses the Internet should be assumed to be affected by this bug, either directly or indirectly.
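The memory read described above comes down to a single missing bounds check in OpenSSL's TLS heartbeat handling: the server copied back as many bytes as the request claimed to contain, not as many as it had actually received. The following C sketch, added here as an illustration and not code from the original article or from OpenSSL, places the vulnerable shape beside the fixed shape and runs both against a constructed memory image. The function names, the 64-byte `memory` array and the fake "SECRET-SESSION-KEY" token are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <string.h>
#define HB_PADDING 16  /* RFC 6520: a heartbeat carries at least 16 bytes of padding */

/* Constructed stand-in for process memory: a 7-byte heartbeat request whose header claims
 * a 48-byte payload, then a fake token (not a real key) that must never leave the host. */
static uint8_t memory[64] = {
    0x01,        /* heartbeat_request */
    0x00, 0x30,  /* declared payload_length = 48, though only 4 payload bytes follow */
    'p', 'i', 'n', 'g',
    'S','E','C','R','E','T','-','S','E','S','S','I','O','N','-','K','E','Y'
};
static const size_t request_len = 7;  /* bytes actually received on the wire */
static uint8_t out[256];              /* reply buffer shared by the drivers below */

/* Vulnerable shape: echo as many bytes as the peer's big-endian length field
 * declared, never comparing that against how many bytes actually arrived. */
size_t heartbeat_reply_vulnerable(const uint8_t *req, size_t req_len, uint8_t *reply) {
    (void)req_len;                                /* unused: this omission is the bug */
    uint16_t payload = (uint16_t)((req[1] << 8) | req[2]);
    memcpy(reply, req + 3, payload);              /* reads past the request */
    return payload;
}

/* Hardened shape: drop any message whose header, declared payload and padding do
 * not fit inside the bytes received (the bounds check the fix introduced). */
size_t heartbeat_reply_fixed(const uint8_t *req, size_t req_len, uint8_t *reply) {
    if (req_len < 1 + 2 + HB_PADDING) return 0;
    uint16_t payload = (uint16_t)((req[1] << 8) | req[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > req_len) return 0;
    memcpy(reply, req + 3, payload);
    return payload;
}
/* 1 if a reply contains the token that sat beyond the received request. */
int reply_leaks_secret(const uint8_t *reply, size_t n) {
    for (size_t i = 0; i + 6 <= n; i++)
        if (memcmp(reply + i, "SECRET", 6) == 0) return 1;
    return 0;
}

/* Drivers: run both versions against the constructed memory image. */
int vulnerable_leaks(void) {
    size_t n = heartbeat_reply_vulnerable(memory, request_len, out);
    return n == 48 && reply_leaks_secret(out, n);
}
int fixed_drops_malformed(void) { return heartbeat_reply_fixed(memory, request_len, out) == 0; }
size_t fixed_accepts_wellformed(void) {  /* 4-byte payload + 16 padding: returns 4 */
    uint8_t req[1 + 2 + 4 + HB_PADDING] = {0x01, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    return heartbeat_reply_fixed(req, sizeof req, out);
}
```

The vulnerable reply carries the token that sat next to the request in memory, while the fixed version silently discards the malformed message and still answers a well-formed one.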
The biggest question is “How do we stop the leak and protect ourselves?” Truth is, as long as the vulnerable version of OpenSSL is in use… it can be abused. Operating system, hardware, and independent software vendors have to adopt a fix and notify their users. Service providers and users have to install the fix as soon as it becomes available for the operating systems, hardware devices and software that they use. Now that the bug has gone public, users should assume that any vulnerable website is under active attack. In addition, if you have logged in since the bug was exposed, it is best to assume that your password and other data may be exposed.
You may have noticed difficulty accessing a web page or logging into a particular site over the last couple of weeks. You may also have been asked to verify your login or change your password at various sites such as Google, Yahoo, Amazon, Facebook, and many others. This is a discreet sign that these vendors have begun patching their systems and are doing their best to protect their users. Many people are scrambling to change their passwords at various sites throughout the Internet, thinking that simply changing the password is enough. Heartbleed is a live exploit, which means that changing your password on an unpatched site would do much more harm than good. Security professionals have advised that Internet users should change their password ONLY if both of the following are true:
- You know that the site was at some point vulnerable
- You know for certain or have been notified that the site is now patched
Responsible websites will notify their users and make sure all of their users change their passwords, much like Google, Yahoo, Amazon, Facebook, and others have done over the last few weeks.
Mashable.com has been maintaining a list of vulnerable websites and whether or not they have been patched. You can access that list here: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/ to check the status of the various sites you may have accounts with. Please keep in mind that this is not an “all inclusive” list.
If you have questions or concerns about the devices and software applications in use on your network, please give us a call. We can help you assess your direct vulnerability regarding your network devices, applications, and remote access.
by Michael Arnold, Senior Engineer