No one knows if the Heartbleed flaw was exploited, but you should make changes to be safe, says Wayne Rash
A lot of leading online services have been working with an unknown vulnrability, dubbed Heartbleed. The open source code that implements the Secure Sockets Layer (SSL) encryption service, in some versions of Linux, is vulnerable to an exploit which could reveal up to 64 kilobytes of memory in the affected server.
The good news is that the OpenSSL Project issued a fix almost immediately, and passed it out as an update to Linux distributors. The bad news is that this vulnerability has been around for two years.
Was Heartbleed ever exploited?
There’s more good news: There’s no evidence that this vulnerability was ever exploited. But there’s more bad news, too: Because of the way this vulnerability works, we might not see evidence even if it had been exploited.
Just how serious is this?
Tatu Ylönen, inventor of SSH encryption and CEO of the SSH Communications Security Corporation, said that the problem is potentially bad. “This is an extremely serious vulnerability in OpenSSL,” Ylönen said in an email from his home in Helsinki, Finland.
“An attacker can use it to obtain the encryption keys used by a web site, allowing an attacker or spy agency to read all communications. It can practically be used to obtain the server private key used for securing the server and communications to it, essentially breaching the certificates used for protecting the web site, which in turn allows decrypting past sessions as well as performing man-in-the-middle attacks (including banking fraud and identity theft) in most cases.”
Ylönen said that about two-thirds of the world’s Websites use the encryption library affected by the vulnerability, which is OpenSSL 1.0.1. Any of those sites could have been compromised. He said that these include major commerce sites, social networking and banking sites.
Look after your keys
Because the encryption keys themselves may have been stolen from compromised Websites, the importance of keeping keys safe is underscored. Unless the keys were kept secure and encrypted, the chance that they could be stolen during a breach is high, according to Richard Mould, vice president of Strategy for Thales e-Security.
“Once again the importance of sound key management has been brought into sharp focus,” Mould told eWEEK. “The Heartbleed bug found in OpenSSL, one of the most common means of encrypting data on the internet, increases the risk that encryption keys can be stolen. An attacker that can access these keys can decrypt any data that has been previously encrypted using those keys and probably any future data until each key is changed. Updating keys is expensive and time consuming and the impact of a loss can be very damaging.”
Ylönen said that once the SSL encryption had been broken, it’s likely that passwords normally protected by SSL had also been compromised.
“THIS PARTICULARLY INCLUDES NATIONAL AND INTERNATIONAL INTELLIGENCE AGENCIES [emphasis his] who routinely record all traffic and can now use or have used the vulnerability to read the private keys needed for decrypting the recorded historic data,” he wrote.
This means that if someone, such as a national spy agency or a cyber-criminal organisation, was trying to read the data from your company as it crossed the public Internet and recorded it, they can go back and decrypt the material they’ve captured.
Users change passwords, admins change certificates
So now what? If the Heartbleed exploit was used against any site with which you connect, it means that at the very least you need to change your security credentials. This includes changing all of those passwords that you never could remember.
If your company is vulnerable, meaning you were running a Linux server or otherwise using OpenSSL, Ylönen has some suggestions:
Companies should “upgrade their OpenSSL library to version 1.0.1g” and “create a new private key, generate a certificate request, and purchase a new certificate from their CA (certificate authority) and install the new key,” Ylönen wrote, noting that “this must be done for each web site supporting SSL/TLS (https: addresses).”
At this point, as I said earlier, there’s no evidence that cyber-criminals have exploited this vulnerability, but you need to be sure. This means that if you’re using a Linux server running Web services from an open source server, you likely are vulnerable. If you connect to such a server using SS:/TLS, your protected data may have been compromised.
However, if the server in question runs Windows Server of some sort, chances are you weren’t compromised as the vulnerability exists only on open source platforms. Ylönen said that a Website has been set up to provide information about this problem. He also noted that the SSH protocol used by system administrators was not affected.
Sadly, this is one of those situations in which a minor change designed to make life easier for users of SSL turned out to be the problem. This particular bug surfaced as part of an effort to provide a steady “heartbeat” from a secure system so that the server on the other end of a connection would realise the connection was alive and wouldn’t need to perform a credentials handshake again.
What’s worse, this is a situation where you could have done everything right, and still have been compromised. Of course, best practices recommend that you encrypt everything before its transmitted anywhere, regardless of whether you’re using SSL. That would have made all the difference in this case.
Are you a security pro? Try our quiz!
Originally published on eWeek.