It’s been a few days since the Heartbleed OpenSSL vulnerability was announced and I’m sure you’ve read some media coverage. Let’s cut to the chase on what you should do:
For your Company
- Patch any systems using OpenSSL 1.0.1 with version 1.0.1g
- Revoke certificates on impacted systems
- Issue new certificates for newly created keys
- Install new certificates on systems
- Change passwords for accounts on such systems
- Check with vendors to see if their software is vulnerable
- Follow vendor recommendations to update the software
For you Personally
- Check websites to see if they were vulnerable to this vulnerability — most organizations are posting some reference to this. You can also check this list provided by Mashable.
- Change your password on those vulnerable websites once they have fixed the flaw. Note it’s key this is done after the flaw is removed.
If you want some additional context on why Heartbleed is different…
I’ve been in information security going back to the 90s and there are a few landmark security events I will never forget. Massive exploits like Melissa, Code Red, and Nimda are seared in my memory after cleaning up, responding to, or analyzing affected systems. Then in the later 00s, the world shifted to the targeted attack where exploits weren’t as widespread or well known, but more damaging: Aurora, Stuxnet, APT1. Ignorance is bliss, until the damage is done.
The OpenSSL Heartbleed vulnerability is a game changer and landmark moment in computer security because it is the first time the world is rushing to address a vulnerability (not a virus) en mass.
Heartbleed is a vulnerability (weakness in OpenSSL), not a virus, and yet there is as much buzz from tech and mainstream media as any mega viruses of the past. This is because websites and software using OpenSSL could be exploited and you wouldn’t even know!
In simple terms, one could send a web server running OpenSSL a message and get back data from memory on that web server. What information might be in that memory?
- Encryption keys
- Account names
Oh, and did I mention that you can’t detect if you were exploited?
So, what web sites, products and technologies use OpenSSL?
- Major websites such as Facebook, Google, and Yahoo
- Email services, including Gmail and Yahoo Mail
- File share services, such as Dropbox and Box
- Countless variants of enterprise software
- Older versions of Android
- Routers and other embedded systems
Bottom line: OpenSSL is used all over the place and affects lots of different systems.
Let’s go deeper on the mitigation and why patching alone is not enough. Here is where it gets really ugly. There are multiple steps to ensure full protection.
- Patch vulnerable systems: Anything running OpenSSL should be patched. This includes websites, 3rd party software, cloud systems, and even Android devices. Patching closes the weakness and prevents information from being stolen from systems running the vulnerable version, but unlike other vulnerabilities, you may still be exposed after patching.
- Revoke, issue, and install new certificates: Yes this is a painful step, but if a hacker were able to compromise the encryption keys with the vulnerable OpenSSL, you could be at risk of having sessions being decrypted.
- Change passwords for accounts on compromised systems: Again this may feel extreme, but account passwords could have been discovered with the vulnerability exploit.
So, how bad is this really? On one hand, the prevalence of OpenSSL in software and websites means there are a lot of ways to compromise systems, sessions, and accounts. This is really bad when you consider the exploit is considered difficult to detect.
That said, the likelihood of your account and password being discovered is low. Take one of the big websites like Yahoo that has millions of accounts. It’s possible your information might not have been in the random memory that was returned when OpenSSL was exploited. Websites are probably not going to force you to change your password because of the overload on authentication systems and the potential fear that might induce. Nevertheless, let’s everyone should use this as a reason to change your passwords that you haven’t changed (let’s be honest this is all of them).
Some are recommending changing account names too – as those could have been exposed. This is a painful step and probably reserved for the most security paranoid.
So what should you definitely do vs consider doing?
- Patch vulnerable software: definitely
- Update certificates on affected systems: definitely
- Check vendors and websites to see if they are vulnerable and fixed: definitely
- Change passwords for affected websites and systems: yes, it hurts, but do it
- Change your account names: good idea, but probably not practical
- Bonus: Turn on two-factor authentication on your web services if they offer it
There are loads of websites with recommendations and information. I have seen conflicting information so check with the website vendor for the most authoritative response. Here are some of the better ones: