Heartbleed – One Week In

By Mark Nunnikhoven

Heartbleed just got real.

The bug has been dominating headlines for the past week – and rightfully so. The scale of the impact of this issue is major. OpenSSL has been integrated into a significant number of development projects. It’s probably the most commonly used security library out there.

Late Friday night (the 11th of April 2014), the CloudFlare challenge was successfully beaten by both Fedor Indutny and Ilkka Mattila.

The challenge was simple. CloudFlare stood up a server that was vulnerable to Heartbleed. They then asked the community to retrieve the private key for the SSL certificate for the site by exploiting the bug.

Within the day, not one, but two people had successfully accomplished the task.

Megan Guess has more information over at Ars Technica, but you need to know that this provides hard evidence that Heartbleed poses a real, substantial risk. Up to this point, we – the information security community – knew that it was possible to retrieve the key from memory, but it was difficult to convince others without evidence. Now we have it.

What should I do?

We’ve pulled together this quick (4m 30s) screencast explaining heartbleed and what steps you should take to protect yourself and your users.

I’m a user; what can I do?

As a user, you need to ask yourself one simple question when visiting a web site or accessing an online application, “Is this site still vulnerable to heartbleed?”

If the answer is no, change your password immediately. Remember to use a unique password for each account you have. If you have a large number of online accounts, you might want to look into a password manager. That will make it much easier to have unique passwords for every service you use.

If the site hasn’t fixed heartbleed yet or hasn’t said anything about the bug, don’t change your password just yet. If you change your password while the site is still vulnerable to a heartbleed attack, your new password could be exposed.

Wait until the site fixes the issue before changing your password.

I run a web site; what’s my next move?

If you run a web site, you want to start talking to your users right away. Let them know you’re aware of heartbleed and are looking into the issue as quickly as possible.

Next, check to see if your site is using an affected version of OpenSSL (version 1.0.1 through 1.0.1f). If it is, take the following steps to fix the issue:

  • Apply any heartbleed rules (CVE-2014-0160) to your intrusion prevention system
  • Update your OpenSSL library to version 1.0.1g or higher
  • Revoke your current SSL certificate
  • Issue a new certificate using a new private key

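The first step above is deciding whether the OpenSSL build on a host falls in the affected range. The following shell script is an added example, not part of the original post, that parses the output of `openssl version` (strings like "OpenSSL 1.0.1e 11 Feb 2013" are constructed samples) and reports whether the version is 1.0.1 through 1.0.1f; the function names `heartbleed_affected` and `check_installed` are my own.

```shell
#!/bin/sh
# Added example (not from the original post): classify an OpenSSL version
# string against the Heartbleed-affected range 1.0.1 through 1.0.1f.

# heartbleed_affected "<openssl version output or bare version>"
# Returns 0 (true) when the version is in the affected range, 1 otherwise.
heartbleed_affected() {
    # Pull the version token: field 2 of "OpenSSL 1.0.1e 11 Feb 2013",
    # or field 1 when a bare version such as "1.0.1g" is passed.
    ver=$(printf '%s\n' "$1" | awk '{ print ($1 == "OpenSSL") ? $2 : $1 }')
    case "$ver" in
        # 1.0.1 with no letter, or letter suffix a..f, optionally followed
        # by a vendor tag such as "-fips": in the affected range.
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;
        # 1.0.1g and later, the 1.0.0 and 0.9.8 branches, and 1.0.2+
        # never carried the bug.
        *) return 1 ;;
    esac
}

# Report on the OpenSSL binary found on this host, if any.
check_installed() {
    if command -v openssl >/dev/null 2>&1; then
        out=$(openssl version)
        if heartbleed_affected "$out"; then
            echo "AFFECTED (CVE-2014-0160): $out - update OpenSSL, then revoke and reissue certificates"
        else
            echo "not in the affected range: $out"
        fi
    else
        echo "openssl binary not found on PATH"
    fi
}

check_installed
```

The check only reads the version string; it does not send anything to a server. Note that some distributions ship a patched 1.0.1e without changing the reported version, so on such systems confirm the fix through the package changelog rather than relying on this string alone.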
If your site isn’t affected by heartbleed, make sure to tell your users. This issue is everywhere, and most people have heard of it. Letting your users know that your site was unaffected and their data is safe is a good step and reassures them.

Mark Nunnikhoven is the Vice President of Cloud and Emerging Technologies for Trend Micro where he meets regularly with clients (and prospective clients) to understand their security challenges and to share the research and vision for cloud and data center security. He speaks regularly on cloud computing, usable security systems, and modernizing security practices at conferences and events.