Thursday, 10 April 2014

Heartbleed made Simple

HeartBleed has suddenly become a very well known security vulnerability, because this simple vulnerability in OpenSSL has turned out to be one of the most critical and potentially devastating of all time, with over half million trusted websites said to be vulnerable. Over the last couple of days various security advocates and vendors have been lined up by the media, with ominous warnings of grave danger online due to Heartbleed.

However I have generally found main stream media have focused far too much on trying to sensationalise instead of explaining the vulnerability properly, and not explaining how organisations should resolve the problem, and how users can protect themselves. It is fair to say the media coverage has led to much confusion on Heartbleed, with both organisations and users alike, which I’ll attempt to dispel.

Heartbleed made Simple

Heartbleed, also known as CVE-2014-0160 in techie land, is a Critical Security Vulnerability identified within OpenSSL, a set piece of software which implements SSL/TLS encryption. This encryption software is used on many 'secure' websites (https), VPNs, Email Servers and Mobile Phone Apps. The vulnerability allows an attacker to change a memory instruction within a TLS Heartbeat request. This Heartbeat request is like a regular 'ping' between a server and client, and is used to maintain a secure network connection. An attacker can modify the heartbeat request to return the contents of a target servers memory heap, which can hold private encryption keys, user credentials and confidential information. It is as simple as that, although it typically takes thousands of heartbeat requests by an attacker before an attack successfully returns the information desired.

The Register has posted one of the best detailed technical descriptions on how attackers exploit the Heartbleed vulnerability, so there is no need for me to drill into further technical detail here to explain it - 

There is also a nice video explanation of Heartbleed by Elastica Inc

Now the Heartbleed vulnerability has become so widely known, thanks to mass media, and given the ease that anyone can exploit it, immediate action by organisations and individuals is required.

Business & Organisations that Operate Secure Websites, Apps, VPNs, etc

1. Immediately identify all usage of OpenSSL Version 1.0.1 to 1.0.1f  in your organisation, and patch it - download here

2. Where OpenSSL version 1.0.1 to 1.0.1f was found and patching has been confirmed:

  • Enforce user account password changes. The assumption to take is that user account names & passwords have been compromised. It is possible for an attacker to be completely undetectable while performing the Heartbleed exploit, therefore there is no way of assuring whether account credentials have been compromised or not.
  • Invalidate all web session keys and cookies (hopefully done as part of the update)
  • Issue new encryption key pairs; assume all private keys are compromised
  • Review the content which may have been leaked due to vulnerability in OpenSSL, then action mitigation where required.
Everyone (Users)
If requested to change your password by an organisation, website, application etc, like a Nike 80s commercial, Just do it!

The media is full of advice for users, particularly advocating users should change all their website passwords. However this is a pointless exercise if the service you are using has not been patched to protect against Heartbleed, or perhaps the service has not even been effected by the vulnerability, as not all encryption makes use of OpenSSL, so check first.
Finally ensure to adhere to good practise password management. Considering using a password management vault system like LastPass, and ensure unique and strong passwords are used with all your website accounts. Particularly with any banking and email accounts, so should one of your weaker website accounts be compromised due to Heartbleed, the attackers don't have access to your more important accounts, which is a common issue when the people use the same password on multiple websites, the attackers understand some users do this and so check for it. 
See my other posts for further advice on password management:

No comments: