Servers that have been running affected versions of OpenSSL for the last two years, unless patched right away, may have exposed sensitive data to attackers through a serious Internet vulnerability dubbed “Heartbleed.” The worst thing about this bug, security experts say, is that it is easy to exploit and leaves no trace.
One of the most widely used security technologies is SSL (Secure Sockets Layer), which is behind the “lock” we see in the browser when we type https://domain.xyz (rather than http://). The ramifications are very serious, as OpenSSL may secure e-banking, e-commerce, social media, webmail, email, and so on; practically every aspect of the Internet may rely on OpenSSL at the backend.
The Finnish digital forensics and security company Codenomicon (http://www.codenomicon.com) independently uncovered the “Heartbleed bug” in the popular OpenSSL library found on many web hosts. The bug can leak critical information, such as the secret private keys that protect passwords and our data, to malicious attackers.
The bug was named Heartbleed by Codenomicon because it occurs in OpenSSL’s implementation of the heartbeat extension to the TLS/DTLS (Transport Layer Security) protocols. When it is exploited, memory contents leak from the server to the client and from the client to the server. The same weakness also exists in client-side implementations of OpenSSL.
By exposing the memory contents of a website’s server, the Heartbleed vulnerability potentially allows attackers to steal the most sensitive information, such as private encryption keys, session cookies and passwords.
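To make the heartbeat-extension defect concrete, here is an added example (not code from the article, and not OpenSSL's own implementation) of a heartbeat message parser that validates the sender's declared payload length before echoing the payload. The field layout follows RFC 6520 (one type byte, a two-byte big-endian payload length, the payload, then at least 16 bytes of padding); the message bytes are constructed for illustration.

```python
"""Validating a TLS heartbeat message (RFC 6520) before answering it.

Added example, not code from the article or from OpenSSL. The check that the
declared payload_length fits inside the record actually received is the kind
of bounds check whose absence let a responder copy bytes from beyond the
message, out of whatever else sat in its memory.
"""
import os
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16


def parse_heartbeat(record: bytes) -> tuple[int, bytes]:
    """Return (type, payload), or raise ValueError if the record is malformed."""
    # A record shorter than type + length + minimum padding cannot be valid.
    if len(record) < 1 + 2 + MIN_PADDING:
        raise ValueError("heartbeat record too short")
    hb_type = record[0]
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise ValueError(f"unknown heartbeat type {hb_type}")
    (payload_length,) = struct.unpack("!H", record[1:3])
    # Core check: the peer's claimed length must fit in what was received,
    # leaving room for the 16 bytes of padding. A responder that trusts the
    # claimed length and copies that many bytes would read past the message.
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        raise ValueError(
            f"declared payload length {payload_length} exceeds record size {len(record)}"
        )
    payload = record[3:3 + payload_length]
    return hb_type, payload


def build_heartbeat(hb_type: int, payload: bytes, padding_len: int = MIN_PADDING) -> bytes:
    """Serialise a heartbeat message with random padding."""
    if padding_len < MIN_PADDING:
        raise ValueError("padding must be at least 16 bytes")
    if len(payload) > 0xFFFF:
        raise ValueError("payload too large for a 16-bit length field")
    return bytes([hb_type]) + struct.pack("!H", len(payload)) + payload + os.urandom(padding_len)


def respond(request_record: bytes) -> bytes:
    """Answer a heartbeat request by echoing only the validated payload."""
    hb_type, payload = parse_heartbeat(request_record)
    if hb_type != HEARTBEAT_REQUEST:
        raise ValueError("only requests are answered")
    return build_heartbeat(HEARTBEAT_RESPONSE, payload)


def is_well_formed(record: bytes) -> bool:
    """True if the record passes every check in parse_heartbeat."""
    try:
        parse_heartbeat(record)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = build_heartbeat(HEARTBEAT_REQUEST, b"ping")
    print(parse_heartbeat(respond(good)))
    # Constructed malformed request: claims 65535 payload bytes but carries 4.
    bad = bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 0xFFFF) + b"ping" + bytes(16)
    print(is_well_formed(bad))
```

The responder answers with exactly the bytes that were received, never with the number of bytes the peer asked for; that single comparison is what separates a safe echo from a memory disclosure.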
The encryption bug also affects the equipment that connects the Web. Cisco Systems Inc. and Juniper Networks Inc. have said that some of their products contain the “Heartbleed” bug. Cisco said it would update customers when it has software patches, while Juniper warns that the process of updating its equipment might be lengthy.
Security vendor FireEye encourages organizations to apply the patch as soon as possible. Organizations should identify their own deployment strategy based on their own needs and testing requirements; however, FireEye recommends the following:
- Patch all externally facing servers first, to reduce the potential number of individuals who could connect to a vulnerable system.
- Patch any servers providing authentication, which could leak legitimate credentials to an attacker.
- Then patch any servers that contain sensitive data, including personally identifiable information (PII), customer data, critical intellectual property, or those conducting financial transactions.
- Then pursue a strategy to patch all other internal systems.
- Identify partner organizations’ websites that employees may use, and ensure that these websites have been secured as well.
- Create and install/deploy new certificate(s). Organizations that suspect they have already been attacked should also consider revoking the old key pairs that were just superseded, and invalidating all session keys and cookies.
In addition, organizations should perform network scans as soon as possible to identify whether any other devices may be running OpenSSL as well. This could include appliances, wireless access points, routers, or pretty much anything else that may use SSL. As an example, several types of voice over IP (VoIP) phones used in the corporate environment run SSL. For these other devices, organizations may need to work with their vendors to apply a patch, firmware, or solution to ensure that all equipment.
Finally, organizations will want to ensure that appropriate logging is enabled on their servers, and conduct increased auditing to determine whether any unauthorized users are leveraging compromised credentials that may already have been leaked. As the credentials are legitimate, auditing is one of the best ways to identify anomalous activity. Auditors should be on the lookout for anything outside the norm, including logins from different geographic regions, extreme off-hours activity, increases in outbound bandwidth usage, and other similar activity.
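As an added example of the auditing described above (not the article's or FireEye's own tooling), the script below runs three of the named checks over constructed log lines: a user logging in from two different countries within a short window, logins outside business hours, and an hour of outbound traffic far above a host's baseline. The log format, the business-hours window, the four-hour region window, the 3x bandwidth factor and the baseline figures are all assumptions.

```python
"""Auditing for misuse of credentials that may already have been leaked.

Added example, not the article's or FireEye's tooling. Because leaked
credentials are valid, nothing fails; the signal has to come from behaviour
that is unusual for the account or host. Log lines below are constructed.
"""
import re
from datetime import datetime, timedelta

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>[A-Z]{2}) result=ok$"
)
EGRESS_RE = re.compile(r"^(?P<ts>\S+) egress host=(?P<host>\S+) bytes=(?P<bytes>\d+)$")

BUSINESS_HOURS = range(7, 20)       # 07:00-19:59 UTC counts as normal (assumption)
REGION_WINDOW = timedelta(hours=4)  # two countries inside this window is suspicious
EGRESS_FACTOR = 3.0                 # flag an hour with more than 3x the baseline bytes out

# Constructed sample log lines (not captured from any real system).
SAMPLE_LOG = """\
2014-04-09T09:12:01Z login user=alice src=203.0.113.7 country=US result=ok
2014-04-09T10:40:13Z login user=bob src=198.51.100.23 country=US result=ok
2014-04-09T11:05:44Z login user=alice src=192.0.2.55 country=RO result=ok
2014-04-09T15:22:09Z login user=bob src=198.51.100.23 country=US result=ok
2014-04-10T02:31:50Z login user=carol src=192.0.2.91 country=US result=ok
2014-04-09T09:00:00Z egress host=web1 bytes=410000000
2014-04-09T10:00:00Z egress host=web1 bytes=395000000
2014-04-09T11:00:00Z egress host=web1 bytes=1870000000
"""


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def audit(log_text: str, egress_baseline: dict[str, int]) -> list[str]:
    """Return one finding per suspicious event, in log order."""
    findings = []
    last_login = {}  # user -> (time, country) of that user's previous successful login
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            when, user, country = parse_ts(m["ts"]), m["user"], m["country"]
            # Off-hours check: successful login outside the normal working window.
            if when.hour not in BUSINESS_HOURS:
                findings.append(f"off-hours login: {user} at {m['ts']} from {m['src']}")
            # Region check: same account, different country, within REGION_WINDOW.
            prev = last_login.get(user)
            if prev and prev[1] != country and when - prev[0] <= REGION_WINDOW:
                minutes = int((when - prev[0]).total_seconds()) // 60
                findings.append(f"region change: {user} {prev[1]}->{country} within {minutes} min")
            last_login[user] = (when, country)
            continue
        m = EGRESS_RE.match(line)
        if m:
            # Bandwidth check: hourly bytes out compared with the host's known baseline.
            host, sent = m["host"], int(m["bytes"])
            baseline = egress_baseline.get(host)
            if baseline and sent > EGRESS_FACTOR * baseline:
                findings.append(
                    f"egress spike: {host} sent {sent} bytes at {m['ts']} (baseline {baseline})"
                )
    return findings


if __name__ == "__main__":
    # Assumed per-host baseline of normal hourly outbound bytes.
    for finding in audit(SAMPLE_LOG, {"web1": 400_000_000}):
        print(finding)
```

Each check is deliberately simple and stateless beyond the last login per user, so it can be run over an exported log as a first pass; the thresholds should be tuned to what is normal for the organization, and the same patterns are the ones worth building into whatever SIEM rules are already in place.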