Heartbleed is a Catastrophic Bug in OpenSSL - Bruce Schneier
However, I have generally found the mainstream media has focused far too much on sensationalising the story instead of explaining the vulnerability properly, how organisations should resolve the problem, and how users can protect themselves. It is fair to say the media coverage has led to much confusion over Heartbleed among organisations and users alike, which I'll attempt to dispel.
Heartbleed made Simple
Heartbleed, also known as CVE-2014-0160 in techie land, is a critical security vulnerability in OpenSSL, an open source software library which implements SSL/TLS encryption. OpenSSL is used by many 'secure' websites (https), VPNs, email servers and mobile phone apps. The bug sits in OpenSSL's handling of the TLS Heartbeat extension. A heartbeat request is like a regular 'ping' between a client and a server, used to keep a secure connection alive: the sender includes a small payload and states how long it is, and the other side is supposed to echo that payload back. OpenSSL versions 1.0.1 to 1.0.1f trust the stated length without checking it against the amount of data that actually arrived, so an attacker can send a few bytes of payload while claiming it is up to 64KB long, and the server replies with that many bytes copied from its memory heap, which can hold private encryption keys, user credentials and confidential information. It is as simple as that. Each request returns a different chunk of whatever happens to be in memory at the time, and the requests themselves are not normally logged, so an attacker typically repeats the request many times before the information they are after turns up.
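The C program below is an added example, not code from the original post or from OpenSSL itself. It models the affected heartbeat handler and the two bounds checks that the fix adds, against a constructed in-memory 'heap' in which a made-up secret string (standing in for keys and credentials) sits right after the received record. The `check_lengths` switch, the `arena` buffer and the `SECRET` string are assumptions of this demo; the real code reads up to 64KB beyond the record, whereas the arena here is kept small so the demo itself stays within defined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16          /* RFC 6520: at least 16 bytes of padding */

/* Constructed stand-in for the server's heap: the received heartbeat record
 * sits at the start of the arena and other (secret) data lies right after it. */
#define ARENA_SIZE 1024
static unsigned char arena[ARENA_SIZE];
static const char SECRET[] = "sessionid=3f9a1c; password=hunter2; -----BEGIN RSA PRIVATE KEY-----";

/* Place a heartbeat request in the arena: type, 16-bit claimed payload length,
 * the real payload, padding, then the adjacent secret. Returns the number of
 * bytes that actually make up the record (what the TLS layer received). */
static size_t build_heartbeat(const char *payload, uint16_t claimed_len)
{
    size_t real_len = strlen(payload);
    unsigned char *p = arena;
    memset(arena, 0, sizeof arena);
    *p++ = HB_REQUEST;
    *p++ = (unsigned char)(claimed_len >> 8);
    *p++ = (unsigned char)(claimed_len & 0xff);
    memcpy(p, payload, real_len);
    p += real_len;
    p += HB_PADDING;                         /* padding, already zeroed */
    memcpy(p, SECRET, sizeof SECRET);        /* heap neighbour, not part of the record */
    return (size_t)(p - arena);
}

/* Modelled on tls1_process_heartbeat(). With check_lengths == 0 it behaves like
 * OpenSSL 1.0.1 to 1.0.1f: the claimed length is trusted and never compared
 * with rec_len. With check_lengths == 1 it applies the two bounds checks that
 * 1.0.1g added. Returns the response length, or -1 when the request is dropped. */
static int process_heartbeat(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap, int check_lengths)
{
    if (check_lengths && (size_t)(1 + 2 + HB_PADDING) > rec_len)
        return -1;                           /* too short to be a valid heartbeat */

    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);   /* n2s(p, payload) */
    const unsigned char *pl = p + 2;

    if (hbtype != HB_REQUEST)
        return -1;
    if (check_lengths && (size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return -1;                           /* the missing check: claimed payload must fit the record */

    size_t resp_len = (size_t)1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)                  /* OpenSSL mallocs exactly this much; we use a fixed buffer */
        return -1;

    unsigned char *bp = out;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);                 /* over-reads past the record when payload > real length */
    bp += payload;
    memset(bp, 0, HB_PADDING);
    return (int)resp_len;
}

/* Byte-string search (memmem is not in standard C). */
static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; m <= n && i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Send a 2-byte payload that claims to be 400 bytes long and report whether
 * the response carries the adjacent secret. */
static int leaks_secret(int check_lengths)
{
    unsigned char out[ARENA_SIZE];
    size_t rec_len = build_heartbeat("hi", 400);
    int n = process_heartbeat(arena, rec_len, out, sizeof out, check_lengths);
    return n > 0 && contains(out, (size_t)n, "password=hunter2");
}

/* A well-formed request (claimed length == real length) must still be answered. */
static int honest_request_answered(int check_lengths)
{
    unsigned char out[ARENA_SIZE];
    size_t rec_len = build_heartbeat("hi", 2);
    int n = process_heartbeat(arena, rec_len, out, sizeof out, check_lengths);
    return n == 1 + 2 + 2 + HB_PADDING && out[0] == HB_RESPONSE && memcmp(out + 3, "hi", 2) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks secret:        %d\n", leaks_secret(0));
    printf("patched handler leaks secret:           %d\n", leaks_secret(1));
    printf("patched handler answers honest request: %d\n", honest_request_answered(1));
    return 0;
}
```

The point to take from the example is that the fix is not in the cryptography at all: the patched handler simply refuses any heartbeat whose claimed payload length exceeds the record that arrived, while still answering honest requests.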
The Register has posted one of the best detailed technical descriptions of how attackers exploit the Heartbleed vulnerability, so there is no need for me to drill into further technical detail here: http://www.theregister.co.uk/2014/04/10/many_clientside_vulns_in_heartbleed_says_sans/
There is also a nice video explanation of Heartbleed by Elastica Inc
Now that the Heartbleed vulnerability has become so widely known, thanks to the mass media, and given how easily anyone can exploit it, immediate action by organisations and individuals is required.
Business & Organisations that Operate Secure Websites, Apps, VPNs, etc
1. Immediately identify all usage of OpenSSL versions 1.0.1 to 1.0.1f in your organisation (the 1.0.2-beta1 release is also affected; versions 0.9.8 and 1.0.0 are not) and patch it, either by upgrading to OpenSSL 1.0.1g from https://www.openssl.org/source/ or by applying your operating system vendor's patched package. Where an upgrade is not immediately possible, OpenSSL can be rebuilt with -DOPENSSL_NO_HEARTBEATS as a stop-gap. Note that many Linux distributions backport the fix without changing the version number, so check the package changelog or the build date shown by 'openssl version -a' rather than the version string alone. Then restart every service that links against OpenSSL (web servers, mail servers, VPN daemons and so on), or reboot, because a running process keeps the old library loaded until it is restarted.
2. Where OpenSSL version 1.0.1 to 1.0.1f was found and patching has been confirmed:
- Enforce user account password changes. The assumption to take is that user account names and passwords have been compromised. An attacker can perform the Heartbleed exploit without leaving any trace, so there is no way of knowing whether account credentials have been compromised or not. Only do this once the patch and the new keys and certificates (below) are in place, otherwise the new passwords are just as exposed as the old ones.
- Invalidate all web session keys and cookies. Patching the library does not do this for you; it has to be done in the application, for example by clearing the session store or rotating the secret used to sign session cookies.
- Issue new encryption key pairs: assume all private keys are compromised, obtain new certificates for the new keys and revoke the old certificates.
- Review what other content may have been leaked through the vulnerable OpenSSL (anything held in the memory of the affected process, such as session data, submitted form contents and any other keys or tokens it handled), and action mitigation where required.
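For the identification step, the following C helper is an added example (not code from the original post or from the OpenSSL project): it classifies the banner printed by `openssl version` against the affected range, and recognises a build made with the advisory's -DOPENSSL_NO_HEARTBEATS stop-gap from the compiler line printed by `openssl version -f`. The sample banners are constructed for illustration. It deliberately returns "investigate" rather than "vulnerable", because distribution packages that backport the fix keep the old version string, so a match here is a reason to check the package changelog or build date, not proof of exposure.

```c
#include <stdio.h>
#include <string.h>

/* Classify the banner printed by `openssl version` (for example
 * "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014").
 * Returns 1 when the upstream version is one the advisory lists as affected
 * (1.0.1 up to and including 1.0.1f, plus 1.0.2-beta1), 0 when it is not
 * (0.9.8 and 1.0.0 never had the heartbeat code; 1.0.1g and later are fixed),
 * and -1 when the banner cannot be parsed. */
static int heartbleed_affected_version(const char *banner)
{
    const char *v = banner;
    int major, minor, fix, consumed = 0;

    if (strncmp(v, "OpenSSL ", 8) == 0)
        v += 8;
    if (sscanf(v, "%d.%d.%d%n", &major, &minor, &fix, &consumed) != 3)
        return -1;
    v += consumed;                 /* now at the patch letter, "-beta1", a space, or the end */

    if (major != 1 || minor != 0)
        return 0;
    if (fix == 1) {
        /* 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g onwards are fixed. */
        char letter = (*v >= 'a' && *v <= 'z') ? *v : 0;
        return letter == 0 || letter <= 'f';
    }
    if (fix == 2)
        return strncmp(v, "-beta1", 6) == 0;   /* only the first 1.0.2 beta shipped the bug */
    return 0;
}

/* The advisory's stop-gap for hosts that cannot upgrade is to rebuild with
 * -DOPENSSL_NO_HEARTBEATS; `openssl version -f` prints the compiler flags,
 * so such a build can be recognised from that line. */
static int built_without_heartbeats(const char *compiler_line)
{
    return strstr(compiler_line, "-DOPENSSL_NO_HEARTBEATS") != NULL;
}

/* 1 = investigate this host (affected upstream version, heartbeats compiled in),
 * 0 = nothing to do, -1 = could not parse the banner. A 1 is not proof of
 * exposure: vendor packages that backport the fix keep the old version string. */
static int needs_investigation(const char *banner, const char *compiler_line)
{
    int affected = heartbleed_affected_version(banner);
    if (affected < 0)
        return -1;
    return affected && !built_without_heartbeats(compiler_line);
}

int main(void)
{
    /* Constructed banners for illustration. */
    const char *samples[] = {
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.0l 6 Jan 2014",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "OpenSSL 0.9.8y 5 Feb 2013",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-34s affected=%d\n", samples[i], heartbleed_affected_version(samples[i]));
    return 0;
}
```

In practice you would feed this the output of `openssl version` and `openssl version -f` gathered from each host, then confirm any hit against the vendor's advisory before deciding it is patched.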
Users of Secure Websites, Apps, VPNs, etc
If requested to change your password by an organisation, website, application etc., then, like a Nike 80s commercial, Just do it!
The media is full of advice for users, particularly advocating that users should change all their website passwords. However, this is a pointless exercise if the service you are using has not yet been patched against Heartbleed (a new password sent to a still-vulnerable server can be stolen just like the old one), and it may be unnecessary if the service was never affected, as not all encryption makes use of OpenSSL, so check first:
- You can check which of the most popular websites/services are, or have been, vulnerable to Heartbleed using http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
- Or you can test a website directly with http://filippo.io/Heartbleed/, although do this at your own risk, as sending the test request to systems you do not own may be illegal in some countries.
Finally, make sure to follow good password management practice. Consider using a password management vault such as LastPass, and use a unique, strong password for every website account, particularly for banking and email. That way, should one of your weaker website accounts be compromised through Heartbleed, the attackers do not get access to your more important accounts. Reusing the same password on multiple websites is a common problem; attackers know that many users do this and will try a stolen password elsewhere.
See my other posts for further advice on password management: