The Internet has been reeling for the past couple of days after a very serious and widespread vulnerability called Heartbleed reared its ugly head. The Heartbleed threat might finally be all over the news tonight, as this security threat bursts out of IT backrooms and becomes public knowledge that could possibly impact millions. But most organizations have been flying under the radar, rather than warning their users to stay clear of their login pages.
TL;DR Skip straight to the bottom to see what you should do to protect yourself. Rule #1, stay logged out of sensitive sites until you see a clear advisory that the site’s been secured.
Heartbleed is a bug in OpenSSL's implementation of the SSL/TLS "heartbeat" extension (CVE-2014-0160) that may already have affected up to two-thirds of web servers (the share running Apache or nginx, which typically link against OpenSSL), plus an undetermined number of mail servers and other services. The result is that financial transactions, medical info, personal data, pictures, passwords, attachments, chats and pretty much everything the world has entrusted to the OpenSSL encryption library (i.e. those https:// URLs) has been exposed for almost two years on many servers.
Unfortunately the standard practices for corporate secrecy and IT security can also undercut consumer awareness and security, since people's first instinct is to log in and reset their passwords, regardless of whether the organization has made a public disclosure and announced that its sites have been properly patched.
The first thing you need to know about Heartbleed is that any server that uses a vulnerable version of OpenSSL (1.0.1 through 1.0.1f) to secure its connections via https:// has been exposed for up to the last two years, since the flawed code shipped in March 2012. Some people are already suspecting that this back door was placed on purpose to enable government agency spying; what is known is that the bug is a missing bounds check in the heartbeat code, the ordinary kind of programming error. We can decide for ourselves whether the theory is plausible based on prior actions.
The second thing to know is that you should NOT reset any passwords on any suspected sites until you can be fully assured that their systems have been properly updated and re-secured. This means that the standard approach to such security issues, where everything is on a need-to-know basis, will need to be broken open to the public so that we can all be assured that our passwords can be safely reset on any site that has been vulnerable.
This kind of open disclosure of potential risk is often very difficult for many types of organizations, and that's the real problem here: the standard operating procedure stands in the way of real damage control, and instead favours a "reputation management" need that can supersede the real security risks to consumers. Many organizations would prefer to respond to issues on a reactive basis rather than throw the floodgates open and admit fallibility.
A Quick Shot of the Gory Details
The bug, known as Heartbleed (CVE-2014-0160), lets an attacker read chunks of a server's memory over the network and pull out whatever happens to be there: login credentials, session cookies, personal data, or even the server's private decryption keys. It affects a component of OpenSSL known as Heartbeat. OpenSSL is one of the most widely used implementations of SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security), and the TLS "heartbeat" extension allows a TLS session to be kept alive even if no real communication has occurred for some time: one side sends a small message containing a payload and a length field, and the other side echoes the payload back to verify that both computers are still connected and available for communication. The flaw is that vulnerable versions of OpenSSL trusted the length field without checking it against the size of the message actually received, so a request that claimed a large payload but sent only a few bytes was answered with up to 64 KB of whatever sat next to it in the server's memory. Repeated a few thousand times, this is the component that has been exploited to sniff out and abuse sensitive data.
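To make the mechanism concrete, here is an added example in C that models the heartbeat handler; it is not code from the original post or from OpenSSL itself. The "process memory" buffer, the request, the fake credential string that sits after the record in memory, and the function names are all constructed for this example. The vulnerable handler trusts the 16-bit length field in the request, which is the mistake in OpenSSL 1.0.1 through 1.0.1f; the fixed handler adds the bounds check that OpenSSL 1.0.1g introduced.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* TLS heartbeat message (RFC 6520): type(1) | payload_length(2, big-endian)
 * | payload | padding (at least 16 bytes). The message arrives inside a
 * TLS record whose real length the receiver knows. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16

/* Constructed stand-in for server memory: the received record sits at the
 * start, and whatever the heap held next to it (here a fake credential
 * string) follows immediately after. Names and data are invented. */
#define MEM_SIZE 256
uint8_t process_memory[MEM_SIZE];
static const char neighbour_data[] = "user=alice&password=hunter2";

/* Place a heartbeat request in process_memory. The header CLAIMS
 * claimed_len payload bytes, but only actual_len payload bytes (plus the
 * padding) are "on the wire". Returns the true record length. */
size_t build_record(uint16_t claimed_len, size_t actual_len) {
    memset(process_memory, 0, sizeof process_memory);
    process_memory[0] = HB_REQUEST;
    process_memory[1] = (uint8_t)(claimed_len >> 8);
    process_memory[2] = (uint8_t)(claimed_len & 0xff);
    memset(process_memory + 3, 'A', actual_len);
    size_t record_len = 3 + actual_len + HB_PADDING;
    memcpy(process_memory + record_len, neighbour_data, sizeof neighbour_data);
    return record_len;
}

/* Vulnerable handler, modelled on OpenSSL before 1.0.1g: it reads the
 * length field and copies that many bytes back, without ever checking it
 * against record_len. Returns the number of response bytes written. */
size_t heartbeat_vulnerable(const uint8_t *record, size_t record_len,
                            uint8_t *out, size_t out_cap) {
    (void)record_len;                       /* never consulted: this is the bug */
    uint16_t payload = (uint16_t)((record[1] << 8) | record[2]);
    /* The real code allocated a response of exactly this size, so the only
     * limit was the 16-bit field: up to 64 KB per request. */
    if ((size_t)3 + payload + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = record[1];
    out[2] = record[2];
    memcpy(out + 3, record + 3, payload);   /* over-read past the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Fixed handler: the declared payload, header and padding must fit inside
 * the record actually received; otherwise the request is silently dropped,
 * as RFC 6520 requires. */
size_t heartbeat_fixed(const uint8_t *record, size_t record_len,
                       uint8_t *out, size_t out_cap) {
    if (record_len < (size_t)1 + 2 + HB_PADDING) return 0;
    uint16_t payload = (uint16_t)((record[1] << 8) | record[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > record_len) return 0;
    if ((size_t)3 + payload + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = record[1];
    out[2] = record[2];
    memcpy(out + 3, record + 3, payload);   /* now provably inside the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Does the byte string needle occur anywhere in hay? (strstr would stop
 * at the first NUL, and the leaked bytes contain NULs.) */
int contains(const uint8_t *hay, size_t hay_len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; n && i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

int main(void) {
    uint8_t response[MEM_SIZE];
    /* The attacker sends 4 payload bytes but claims 64. */
    size_t record_len = build_record(64, 4);

    size_t n = heartbeat_vulnerable(process_memory, record_len,
                                    response, sizeof response);
    printf("vulnerable: %zu-byte response, leaked credential: %s\n",
           n, contains(response, n, "password=hunter2") ? "yes" : "no");

    n = heartbeat_fixed(process_memory, record_len, response, sizeof response);
    printf("fixed: %zu-byte response (0 means the request was dropped)\n", n);
    return 0;
}
```

The example also shows why nothing shows up in logs: from the server's point of view the malformed request is just one more heartbeat, answered and forgotten, and the leaked bytes are whatever the allocator happened to place after the record.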
The trouble is that there's no way to tell whether a vulnerable system has actually been exploited: a heartbeat request is ordinary protocol traffic, it is not written to web-server logs, and the leak leaves no trace on the server. Any system that was exposed has to be treated as if it was compromised.
As is almost always the case, most malicious hackers prefer to fly under the radar for as long as possible rather than make a big splash that alerts the public to exploitation. However, once an exploit breaks into the mainstream awareness, there’s literally no reason to keep a low profile and it becomes open-season on any vulnerable systems. This is why there’s no time for hand-wringing and corporate cowardice about this risk.
All possibly vulnerable systems should be locked down immediately to prevent people from exposing their logins (or underlying data) over this critical period. The last thing people should be doing is logging in to update their passwords until they can be sure that the site's OpenSSL has been patched, new private keys and certificates have been issued, and the old certificates revoked.
Luckily the fix to Heartbleed is relatively straightforward for system administrators. The really tricky part will be handling all the public communications and notifications, which will likely turn this matter into a nightmare of logistical hurdles and legal roadblocks for some organizations, essentially because it forces any vulnerable organization to proactively do one of the things it hates most: admit to the public that there's the possibility of a problem while the discovery process is underway.
Here's a good example where Vimeo is not only being proactive about disclosing the issue and their immediate solution, but also offering a very thorough explanation of SSL and the "Heartbleed" bug, for those of you with a geeky itch to scratch.
Crisis Management: The Good, the Bad and the Ugly
Take PayPal for example. As of 4pm April 9, I’ve seen no sign that they’ve either issued a widespread advisory about fixes being underway, or sent me any emailed statements to assure that our accounts were not vulnerable to begin with. It would appear that it’s simply business as usual for them, which is concerning since, even if they were not vulnerable to Heartbleed, they should have at least provided a clear assurance on their site and login pages.
On the other hand, Canada Revenue Services has shut down all public access to their sites with a clear and proactive advisory of the current situation. This was posted less than 24 hours after the Heartbleed issue was raised on April 8. This effectively stops any further potential abuse dead in its tracks.
Conversely, one large Canadian bank was contacted for info at 3PM on April 9th and yet was unable to provide any advisory whatsoever. Representatives admitted that an internal memo was circulated which advised to simply assure customers that their sites remain fully secured. One representative was told that the situation is still under investigation and that no other customer info was available at the time. Therefore, regardless of the outcomes of security investigations, their customers have been allowed to continue logging in and exposing their credentials to any possible threat. It seems that maintaining a good poker-face and keeping a lid on any possible threat to banking security takes higher precedence than actually assuring public security during this security crisis.
UPDATE: Assurances that the bank's systems have been secured have not been posted as advisories on login pages.
What’s sadly ironic is that this vulnerability is relatively straightforward to fix: list the affected systems, upgrade OpenSSL to a fixed version (1.0.1g, your distribution's patched package, or a build with heartbeats disabled) and restart every service that uses it, then generate new private keys and obtain new SSL certificates to lock the door behind you, revoking the old ones. The largest certificate issuing authorities don’t even charge for a reissued certificate, so other than time and labour there’s literally no cost to this fix.
The last step is important because any breach using the vulnerability leaves no tell-tale signs or indications in the log files, so a private key that was exposed has to be treated as stolen. There’s really only one safe and simple path to resolving this matter. The technical complexity lies in reviewing which systems are vulnerable to Heartbleed (anything linked against OpenSSL 1.0.1 through 1.0.1f, not just web servers). Any IT Dept with proper auditing and management systems in place should be able to
It seems that the real tricky part in all of this is the public communications, which will demonstrate who is swallowing the tough pill in order to be openly proactive about warning customers, and who is hoping that things will just blow over like so many other contained security violations.
Symantec offers this advice to consumers:
- You should be aware that your data could have been seen by a third party if you used a vulnerable service provider
- Monitor any notices from the vendors you use. Once a vulnerable vendor has communicated to customers that they should change their passwords, users should do so
- Avoid potential phishing emails from attackers asking you to update your password – to avoid going to an impersonated website, stick with the official site domain
- Stick to reputable websites and services. They are most likely to have immediately addressed the vulnerability
- Monitor your bank and credit card statements to check for any unusual transactions
Here’s a running list of sites that have responded with updates on their fixes, presumably making it safe to update logins, though Yahoo seems a bit contradictory!