Heartbleed made Simple
Heartbleed, also known as CVE-2014-0160 in techie land, is a Critical Security Vulnerability identified within OpenSSL, a widely used piece of software which implements SSL/TLS encryption. This encryption software is used on many 'secure' websites (https), VPNs, email servers and mobile phone apps. The vulnerability allows an attacker to tamper with the length field of a TLS Heartbeat request, so that the server copies more memory than the request actually contains. This Heartbeat request is like a regular 'ping' between a server and client, and is used to maintain a secure network connection. An attacker can modify the heartbeat request to return the contents of a target server's memory heap, which can hold private encryption keys, user credentials and confidential information. It is as simple as that, although it typically takes thousands of heartbeat requests by an attacker before an attack successfully returns the information desired.
The Register has posted one of the best detailed technical descriptions on how attackers exploit the Heartbleed vulnerability, so there is no need for me to drill into further technical detail here to explain it - http://www.theregister.co.uk/2014/04/10/many_clientside_vulns_in_heartbleed_says_sans/
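To make the mechanism concrete, here is an added simulation (not code from this post or from OpenSSL) of the bounds check that was missing. It models a heartbeat message per RFC 6520 (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) and places a constructed stand-in for neighbouring heap data immediately after the record. The "vulnerable" handler trusts the length field in the message; the "fixed" handler applies the check that patched OpenSSL (1.0.1g) performs, discarding any record whose declared payload does not fit inside the bytes actually received. All buffers here are in-memory byte strings I constructed; nothing talks to a network.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3      # 1-byte type + 2-byte payload_length (RFC 6520)
MIN_PADDING = 16    # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a HeartbeatRequest record. An honest sender declares the real
    payload length; a malformed one declares more than it actually sends."""
    if claimed_length is None:
        claimed_length = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + b"\x00" * MIN_PADDING


def handle_vulnerable(buffer: bytes, record_len: int) -> bytes:
    """Models the unpatched logic: the declared payload_length is trusted and
    that many bytes are copied from where the record sits in memory. record_len
    (the number of bytes actually received) is never consulted."""
    _hb_type, payload_len = struct.unpack("!BH", buffer[:HEADER_LEN])
    payload = buffer[HEADER_LEN:HEADER_LEN + payload_len]   # may run past the record
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * MIN_PADDING


def handle_fixed(buffer: bytes, record_len: int) -> Optional[bytes]:
    """The check added by the fix: header + declared payload + minimum padding
    must fit inside the received record, otherwise the record is silently dropped."""
    if record_len < HEADER_LEN + MIN_PADDING:
        return None                                   # too short to even hold a header
    _hb_type, payload_len = struct.unpack("!BH", buffer[:HEADER_LEN])
    if HEADER_LEN + payload_len + MIN_PADDING > record_len:
        return None                                   # declared length exceeds what arrived
    payload = buffer[HEADER_LEN:HEADER_LEN + payload_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * MIN_PADDING


def demo():
    """Run both handlers over the same constructed memory layout and return
    (response from the vulnerable handler, response from the fixed handler)."""
    # Constructed stand-in for whatever happened to live next to the record on the heap
    neighbouring_heap = b"session=deadbeef; password=hunter2"
    honest_payload = b"ping"
    # Header declares payload + padding + everything after the record
    over_declared = len(honest_payload) + MIN_PADDING + len(neighbouring_heap)
    record = build_heartbeat(honest_payload, claimed_length=over_declared)
    heap = record + neighbouring_heap                 # constructed memory image
    return handle_vulnerable(heap, len(record)), handle_fixed(heap, len(record))


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable handler echoed:", leaked[HEADER_LEN:])
    print("fixed handler response:", safe)
```

Running it shows the unpatched handler echoing the constructed "session" and "password" bytes that were never part of the request, while the fixed handler returns `None` for the same input and still answers a well-formed heartbeat normally. That single length comparison is the whole patch; everything in the checklist below follows from the fact that nothing logged on the server distinguishes the two cases before the fix is applied.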
There is also a nice video explanation of Heartbleed by Elastica Inc.
Now that the Heartbleed vulnerability has become so widely known, thanks to mass media, and given the ease with which anyone can exploit it, immediate action by organisations and individuals is required.
Businesses & Organisations that Operate Secure Websites, Apps, VPNs, etc.
2. Where OpenSSL version 1.0.1 to 1.0.1f was found and patching has been confirmed:
- Enforce user account password changes. Assume that user account names and passwords have been compromised: an attacker can perform the Heartbleed exploit without leaving any detectable trace, so there is no way of knowing whether account credentials were taken or not.
- Invalidate all web session keys and cookies (hopefully done as part of the update)
- Issue new encryption key pairs; assume all private keys are compromised
- Review the content which may have been leaked through the OpenSSL vulnerability, and apply mitigation where required.
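The first thing the checklist hinges on is knowing which hosts were running one of the affected versions. As an added helper (my own code, not part of this post), the function below parses the output of `openssl version` and reports whether the build falls in the 1.0.1 to 1.0.1f range named above; `local_openssl_version` simply shells out to the `openssl` binary on the current machine. The sample version strings in the test are constructed.

```python
import re
import subprocess

# "OpenSSL 1.0.1e 11 Feb 2013" -> major, minor, fix, and the optional patch letter
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def affected_by_heartbleed(version_string: str) -> bool:
    """True when the version string names OpenSSL 1.0.1 through 1.0.1f,
    the range given in the checklist above. 1.0.1g and later are fixed;
    the 0.9.8 and 1.0.0 branches never had the heartbeat code."""
    match = _VERSION_RE.search(version_string)
    if not match:
        raise ValueError("not an OpenSSL version string: %r" % version_string)
    major, minor, fix = (int(match.group(i)) for i in (1, 2, 3))
    letter = match.group(4)             # "" for plain 1.0.1, "a".."f" for the point releases
    if (major, minor, fix) != (1, 0, 1):
        return False
    return letter <= "f"


def local_openssl_version() -> str:
    """Return the version line of the openssl binary on PATH."""
    return subprocess.run(["openssl", "version"], capture_output=True,
                          text=True, check=True).stdout.strip()


def audit_inventory(inventory: dict) -> list:
    """Given {hostname: version string}, return the hosts that need the
    post-patch actions above (password resets, new keys, session invalidation)."""
    return sorted(host for host, ver in inventory.items() if affected_by_heartbleed(ver))


if __name__ == "__main__":
    version = local_openssl_version()
    print(version, "->", "AFFECTED" if affected_by_heartbleed(version) else "not in affected range")
```

One caveat when reading the result: distributions that backport security fixes keep the upstream version string (a patched Debian or Ubuntu package can still report 1.0.1e), so a hit from this check tells you to look further at the package changelog or a direct heartbeat test, not that the host is definitely still vulnerable.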
The media is full of advice for users, particularly advocating that users should change all their website passwords. However, this is a pointless exercise if the service you are using has not been patched against Heartbleed, or if the service was never affected by the vulnerability in the first place, as not all encryption makes use of OpenSSL, so check first.
- You can check which of the most popular websites/services are or have been vulnerable to Heartbleed using http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/#:eyJzIjoidCIsImkiOiJfaDJ3emhmb2czdzhyaGJ2diJ9
- Or, at your own risk, as it may be illegal in some countries to perform this check, you can directly check websites with http://filippo.io/Heartbleed/