The Heartbleed Bug
The recently publicised OpenSSL vulnerability has sent shock waves around the security community. Servers can’t keep up with user password changes and certificate authorities worldwide have been clogged up with paranoid sysadmins requesting new HTTPS key pairs. Whilst the server-side fix is quick, the end user impact is huge, with many not being tech savvy enough to pick this up in the news (or even care!).
The Heartbleed vulnerability was (and in unpatched systems still is) present in over 500,000 servers that were using HTTPS and the vulnerable version of OpenSSL. The issue meant that anyone on the Internet could read what was in a vulnerable server’s memory related to that HTTPS session – think usernames, passwords, banking details, credit card numbers – everything that was entered into an HTTPS page on a vulnerable server could be read, without anybody knowing about it.
Speculation hints that some government agency planted the bug (but there’s no proof); the general consensus is that it was a genuine bug.
So what next?
Sysadmins must patch OpenSSL and get new private/public key pairs. All well and good, but as OpenSSL is embedded in so many products, they may not even know they’re using it.
Consumers using vulnerable pages will generally have no idea what’s going on, unless site owners take action and reset their passwords with immediate effect. This isn’t happening. Information entered over HTTPS is meant to be secure and the little padlock in one’s browser tells people they’re entering their personal details into a secure environment. Why would anyone question that?
The Heartbleed bug is bad news – we can only learn from this and ensure our own software is thoroughly tested before release and our vulnerability management programmes include third party software libraries and don’t just assume that “open source is secure”.
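The advice above has two practical follow-ups that are easy to get wrong: upgrading the OpenSSL package on disk does nothing for a process that still has the old library mapped until it is restarted, and products that bundle their own statically linked copy of OpenSSL never show up in the package manager at all. The script below is an added example, not code from the original post, that inventories both cases on a Linux host from a defender’s point of view. It assumes a `/proc` filesystem and the `strings(1)` utility from binutils; the library paths in `SAMPLE_MAPS` are constructed sample data, not taken from any real system.

```shell
#!/bin/sh
# Added example (not from the original post): find where OpenSSL is in use on a
# Linux host so that patching and restarting can be tracked. Two checks:
#   1. which running processes have libssl/libcrypto mapped, and whether the
#      mapped file is "(deleted)", i.e. the package was upgraded on disk but the
#      process still runs the old code and needs a restart;
#   2. which executables under a directory embed an "OpenSSL x.y.z" banner,
#      which catches statically linked or vendored copies that never appear in
#      the package manager or in library mappings.
# Assumptions: a /proc filesystem and strings(1) from binutils are available.
# The paths in SAMPLE_MAPS below are constructed sample data.

# find_ssl_mappings: read /proc/PID/maps-style lines on stdin and print each
# unique libssl/libcrypto path once, suffixed with " STALE" when the kernel
# marks the mapping "(deleted)".
find_ssl_mappings() {
  awk '{
    n = split($6, parts, "/"); base = parts[n]
    if (base ~ /^lib(ssl|crypto).*\.so/) {
      line = $6
      if ($7 == "(deleted)") line = line " STALE"
      if (!(line in seen)) { seen[line] = 1; print line }
    }
  }'
}

# scan_running_processes: apply find_ssl_mappings to every process on the host,
# prefixing each line with the PID so stale processes can be restarted.
scan_running_processes() {
  for m in /proc/[0-9]*/maps; do
    pid=${m#/proc/}; pid=${pid%/maps}
    cat "$m" 2>/dev/null | find_ssl_mappings | sed "s|^|pid $pid: |"
  done
  return 0
}

# report_embedded_versions DIR: list executables under DIR that carry an
# OpenSSL version banner, together with the first banner found (the script
# reports whatever version string is embedded; it does not judge it).
report_embedded_versions() {
  find "$1" -type f -perm -u+x 2>/dev/null | while read -r f; do
    v=$(strings -n 8 "$f" 2>/dev/null \
        | grep -oE 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*' | sort -u | head -n 1)
    if [ -n "$v" ]; then printf '%s: %s\n' "$f" "$v"; fi
  done
  return 0
}

# Constructed sample of /proc/PID/maps output: libssl was replaced on disk while
# this process kept running (hence "(deleted)"); libcrypto and libc are current.
SAMPLE_MAPS='7f1a2b000000-7f1a2b1c0000 r-xp 00000000 08:01 131 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1a2b1c0000-7f1a2b200000 r--p 001c0000 08:01 131 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1a2c000000-7f1a2c300000 r-xp 00000000 08:01 140 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f1a2d000000-7f1a2d100000 r-xp 00000000 08:01 99 /usr/lib/x86_64-linux-gnu/libc.so.6'

# Demonstrate on the constructed sample; pass --live to scan the real host.
printf '%s\n' "$SAMPLE_MAPS" | find_ssl_mappings
if [ "${1:-}" = "--live" ]; then
  scan_running_processes
  report_embedded_versions /usr/local
fi
```

On the constructed sample the first check reports `libssl.so.1.0.0 STALE` and `libcrypto.so.1.0.0`, and ignores libc. Run with `--live` as root to cover every process; any `STALE` line means the upgrade is not yet effective for that PID, and any banner reported by the second check is a bundled copy that the distribution’s package update will not have touched.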
UPDATE 14 April 2014
Popular parenting website Mumsnet announces credentials may have been stolen by attackers using the Heartbleed exploit. With over 10 million visits per month, the information hackers may have gathered WILL be used for password reuse attacks, so if a user’s account name and password on Mumsnet are the same as those on another popular site, then hackers WILL be using automated methods to see if those credentials work elsewhere. Businesses are NOT coming forward and alerting their users as to whether or not they have been affected – this is getting more serious than previously thought.
UPDATE 15 April 2014
The Heartbleed vulnerability has sent shockwaves around the IT community and is the most significant security vulnerability to affect businesses globally, ever.
The UK government do not seem to be taking the issue seriously and fail to grasp its significance.
It’s not even on the front page of CERT-UK’s website (www.cert.gov.uk), and CERT-UK are playing catch-up, simply repeating advice they’ve obtained from elsewhere in technical jargon that small businesses don’t understand.
Quite rightly they point out that most major sites have now been patched and updated, but this was because Google and Codenomicon disclosed the vulnerability to sites such as Facebook well in advance of public disclosure, ensuring they’d patched it before it was released to the community.
Small businesses don’t stand a chance. Most don’t even know they’re running OpenSSL, considering it’s bundled into so many applications that go by other names.
There’s a long, hard path to go down before this issue is finally put to bed – thousands more websites will be breached and data stolen, as they’re simply not patching fast enough or aren’t aware of the problem.