Monday night marked the disclosure of the biggest software vulnerability so far this year, known as the “Heartbleed” bug, which affects the OpenSSL cryptographic software library. Unfortunately for businesses and end users, OpenSSL is used practically universally across the Internet as a standard security technology for establishing an encrypted link between a web server and a browser.
Ironically, the purpose of the technology is to ensure that all data passed between the web server and browser remains private. Heartbleed compromises this functionality, enabling malicious attackers to access a plethora of personal information from usernames and passwords to credit card numbers.
So who should be concerned about this vulnerability?
In short, everyone. With so many web sites using OpenSSL, there are very few businesses or individuals on the Internet that would not be impacted. What’s more, the same technology is built into other devices such as printers, wireless access points, routers and switches, since all of these devices (and many others) offer a way to administer the device through a browser interface.
From the standpoint of the attacker, this vulnerability is a veritable treasure trove for evil-doing, a Holy Grail if you will. There is code out there for exploiting this vulnerability, and there are hundreds of thousands of devices on the open Internet waiting to give up secret information to anyone willing to run that exploit code.
The good news is that this vulnerability has been disclosed, and therefore most major web sites are aware of it and have already fixed the problem – but that is not the major concern. The major concern is everyone else who is affected by this bug and may not even know they are at risk. This includes both smaller businesses and individual end users, because people may not know which software versions they are running or whether OpenSSL is built into any other devices they are using. To complicate matters, an attacker exploiting this vulnerability leaves no record of his/her presence, because the bug sits in a part of the code where no logging takes place.
So what can we do to protect ourselves and our customers?
For businesses, the first thing you need to do is try to detect this vulnerability within your environment, and if detected, quickly upgrade to the patched version of OpenSSL, which is now available. I’m not just talking about public-facing systems, although that is a good place to start. Businesses should also check internal systems for this vulnerability, as attackers are sure to try to exploit it to harvest employee access credentials. Here are a few tools that have been set up online to assist with these efforts:
Server administrators may also need to consider generating new SSL certificates. For technical reasons, it is unlikely that the private key material associated with SSL certificates is being leaked in this attack, but it can happen if an attack is launched right after a web server is restarted. The safe thing to do may be to generate new keys.
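The key-rotation step above, as an added shell example that is not from the original article: it generates a replacement RSA key and certificate signing request with the OpenSSL command-line tool, then confirms that the new key really differs from the old one, since reissuing a certificate over the same key would leave a possibly leaked key in service. The file paths and certificate subject are placeholders, and an `openssl` binary is assumed to be installed.

```shell
#!/bin/sh
# Added example: rotate a TLS private key after patching and verify the rotation.
# Assumes the openssl command-line tool is available; paths/subject are placeholders.
set -eu

# SHA-256 fingerprint of the public half of a private key. Two key files hold
# the same key exactly when these fingerprints match, which is the check that a
# "new" key is not simply the old key wrapped in a freshly issued certificate.
pubkey_fingerprint() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256 | awk '{print $NF}'
}

# Generate a fresh 2048-bit RSA key and a CSR for the CA to sign.
# The umask keeps the key file from ever being readable by other users.
make_new_key_and_csr() {
    key="$1"; csr="$2"; subject="$3"
    (umask 077 && openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$key" 2>/dev/null)
    openssl req -new -key "$key" -out "$csr" -subj "$subject" 2>/dev/null
    # Sanity check: the CSR must carry a valid self-signature from the new key.
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1
}

# Succeeds (exit 0) when the two key files hold different keys, fails when the
# "rotation" produced the same key again.
key_was_rotated() {
    [ "$(pubkey_fingerprint "$1")" != "$(pubkey_fingerprint "$2")" ]
}

# Demonstration in a temporary directory; the "old" key is a constructed stand-in
# for the key that was in use while the server was vulnerable.
demo() {
    dir=$(mktemp -d)
    make_new_key_and_csr "$dir/old.key" "$dir/old.csr" "/CN=www.example.com"
    make_new_key_and_csr "$dir/new.key" "$dir/new.csr" "/CN=www.example.com"
    if key_was_rotated "$dir/old.key" "$dir/new.key"; then
        echo "new key confirmed: submit $dir/new.csr to the CA, install the new certificate, then revoke the old one"
    else
        echo "rotation failed: the new key is identical to the old key" >&2
        return 1
    fi
    rm -rf "$dir"
}
```

Run `demo` to see the flow end to end; in production, point `make_new_key_and_csr` at the server's key directory and keep the old key only until the replacement certificate is installed and the old one revoked.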
Businesses also need to inform their customers about the bug and provide instructions for how they can protect themselves from it. This is particularly important if those customers need to change their passwords because that business was running a vulnerable server that has subsequently been patched.
Unfortunately, many businesses are quietly patching their servers without informing customers that their passwords may have been exposed, or that the servers have been updated and passwords can now be safely changed. Even if your business’s web site was never vulnerable, it may be helpful to issue a customer communication saying so, so customers know that they don’t need to update their passwords.
Additionally, consumers need to take their own proactive measures to protect themselves from this vulnerability, especially with Microsoft having just suspended automatic security updates for Windows XP on Tuesday. (Auspicious timing for the attackers, by the way.)
While it is a painstaking process, consumers may need to change the passwords they use on web sites that were vulnerable to this attack and have subsequently been patched. This is particularly important if you logged into those web sites in the period between the public disclosure of the vulnerability and the update of the web site’s servers.
There is also some concern that there may be people out there who knew about this vulnerability and exploited it before it was publicly disclosed, so there may be a risk to your password even if you haven’t logged in during the past few days. However, there is no sense updating your password if the web site hasn’t updated its software yet. Your new password would still be exposed. For this reason, it’s really important for web site operators to communicate with customers when their servers have been updated.