Net Quake: What to do about Heartbleed?
From Schneier on Security: “Heartbleed is a catastrophic bug in OpenSSL: ‘The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.’
Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory — SSL private keys, user keys, anything — is vulnerable. And you have to assume that it is all compromised. All of it.
‘Catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.”
OpenSSL is a software library reportedly used by 66% of the web sites on the Internet to implement the SSL protocol. SSL is invoked when you surf URLs starting with “HTTPS”. When connecting a user to a web site via an HTTPS URL – almost always used for password login – browsers display a lock icon to indicate the communication is encrypted. But now we know the lock’s been picked – hackers could have broken into the web server on the other end and derived your login data.
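As an added illustration that is not part of this post and not OpenSSL's actual code, the C model below shows the defect class behind Heartbleed: the TLS heartbeat handler trusted the peer-supplied payload length, so a tiny request claiming a large payload was answered with that many bytes copied from memory beyond the record that actually arrived. The arena layout, function names and the "SESSION_SECRET" neighbour are constructed for this example; the fixed handler applies the same check the patch introduced, that header plus claimed payload plus padding must fit inside the received record.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for process memory: a heartbeat record followed by
 * unrelated data that happens to sit next to it. */
#define ARENA_SIZE 64
static unsigned char arena[ARENA_SIZE];
static unsigned char reply[ARENA_SIZE];

/* Heartbeat record layout (RFC 6520): type(1) | payload_length(2) | payload | padding(16).
 * Returns the number of bytes that actually arrived on the wire. */
static size_t build_arena(uint16_t claimed_len, const char *payload) {
    memset(arena, 0, sizeof arena);
    size_t plen = strlen(payload);
    arena[0] = 1;                                   /* heartbeat_request */
    arena[1] = (unsigned char)(claimed_len >> 8);   /* claimed length, big-endian */
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, plen);
    size_t record_len = 1 + 2 + plen + 16;
    /* Neighbouring memory the server never intended to send (constructed). */
    const char *neighbour = "SESSION_SECRET";
    memcpy(arena + record_len, neighbour, strlen(neighbour));
    return record_len;
}

/* Vulnerable pattern: copies the claimed number of bytes without checking
 * them against the length of the record that was actually received. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap) {
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                        /* never consulted: this is the bug */
    if (claimed > out_cap) return -1;     /* only the reply buffer is guarded */
    memcpy(out, rec + 3, claimed);        /* reads past the record when claimed is too big */
    return (int)claimed;
}

/* Fixed pattern: the claimed payload must fit inside the received record,
 * otherwise the request is silently dropped. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + 16) return -1;                 /* too short to be a valid record */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)claimed + 16 > rec_len) return -1; /* over-claim: drop it */
    if (claimed > out_cap) return -1;
    memcpy(out, rec + 3, claimed);
    return (int)claimed;
}
```

With payload "hi" the record is 21 bytes long; a request claiming 40 bytes makes the vulnerable handler echo 40 bytes, including the neighbouring data, while the fixed handler rejects it and still answers an honest 2-byte claim.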
Note: If you’re still mystified by my attempt at a non-technical explanation, try this article from Business Insider, which is even more non-technical. Then still please take a look at my recommendations for people at the end of the post.
I don’t call something a “Net Quake” lightly. Heartbleed is really bad for users, and it’s really bad for organizations running web sites. There’s no quick fix for most. The Internet has just become even more dangerous. Here’s why:
- Almost every hacker in the world now knows about Heartbleed, but many sites are still vulnerable. Actual exploits of the vulnerability may be coming fast and furious in the early days since April 7, 2014.
- A window of vulnerability has opened and many users may inadvertently expose themselves to risk by visiting sites to change their passwords before those sites have been patched. Some of the “change your password” messages from sites may be phishing attacks and users may succumb.
- The vulnerability has probably been exploited by the NSA and other advanced threats over the last two years, to an unknown extent.
- Patching will take a long time. Each site has to go get the patch to OpenSSL and apply it to stop the bleeding. (Here’s CNET’s continually updated site-by-site status report of which large sites are vulnerable.) It’s going to take a while.
- Even after patching, users whose passwords were compromised on the site are still vulnerable.
- People that reuse passwords across multiple sites are now vulnerable on all those sites, even the ones that were never vulnerable to the bug.
- Vulnerable sites have increased risk of break-ins even after applying the patch. Who knows what information hackers may have pulled out of memory while the bug remained active? Private keys, sensitive code, could be anything.
- Organizations face considerable legal or PR liability in how they communicate with users about this issue. I’m guessing there could be problems with telling users they’re safe – even after patching and password changing.
- Organizations face increased supply chain, or partner, risk. Even if an organization’s web sites were never vulnerable, its partners may have been, and those partners may have exposed information about your organization or opened attack vectors to you.
The only good news is that even the hackers in all their numbers across the world with their automated tools don’t have enough time or bandwidth to exploit a fraction of the opportunities Heartbleed has (at least potentially) given them. My own view is: the earth may be quaking, but the sky isn’t falling. The following risk-based recommendations keep this presumptive reality in mind.
Recommendations for Organizations
If you use a version of OpenSSL with the bug, patch immediately and consult your incident response team, PR team and attorneys on outreach to users.
Allocate more resources to user awareness, security monitoring and incident response immediately, even if you weren’t vulnerable. Consider how or if to communicate with users who may have reused passwords from other sites; they need to change them. Also, watch all exposed web servers and all authentication or password change attempts more closely. Re-assess and improve password recovery tools, training and procedures. Beef up help desk support. Dust off incident response procedures, roles, responsibilities and training to improve preparedness.
If your organization is a high risk target (e.g. bank, government, media outlet, hi-tech company, famous brand name company), conduct a Heartbleed risk assessment to answer these questions: What if some skilled hackers got some memory dumps from your web servers and devoted some quality time to figuring out how to use them against you? What are the chances this has been happening over the last two years? What keys, addresses, or other data could they have got? What could they exploit with that data? How do we priority-rank these new potential vulnerabilities and fix them? Do we need to make all the users in our organization change their SSL VPN password and selected web application passwords?
Recommendations for People who use DIFFERENT PASSWORDS across most sites
So you almost never reuse passwords across multiple sites? Great! You’re in pretty good shape. But you should still do some selective mitigation.
1) Protect your primary email account: Check My Heartbleed Resources to see if the service you use for your primary email account has been patched. Once you see that, log in and change your password there. Also, turn on two-factor authentication for this account. That’s recommended anyway (before Heartbleed) because many web sites will send you an email as part of password changes, or account recovery processes. Therefore your primary email account has the keys to the kingdom and you have to specially protect it.
2) Try and remember all the sites you’ve visited in the last week since the vulnerability was disclosed on April 7, 2014 to a much broader audience than a few, secretive groups that may have had it before. In the days and weeks after April 7, the race is on between hackers and patchers. There’s clearly a much greater chance that your password was in memory if you logged in during the temporal window of vulnerability. Consider changing your password on those sites you logged into recently. If you want, you can check My Heartbleed Resources to try and see if the site was vulnerable when you used it.
3) Make a list of which sites are most critical to your financial well-being or reputation. Check My Heartbleed Tools to see if each of those services are vulnerable. If a site is vulnerable, stay away from it if possible (don’t even go there to change your password). Once the site is not vulnerable, consider changing your password there.
4) Make a list of sites that sent you emails telling you to change your password. Follow recommendation (3) for those sites. But navigate to their URLs by hand, DON’T CLICK ON THE LINKS IN THOSE EMAILS (they could be phishing attacks).
Recommendations for People who use the SAME PASSWORD on most sites
Tsk, tsk. If you’ve been busy online during the last few days, it’s possible MANY of your accounts are exposed. If a hacker compromised one of your sites while you were on and your user id and password (or password hash) were in memory, the hacker could try other popular sites to see if he could get into your account. And before you tell me, “No one has time to do all that, why would they bother?” think about this – cybercrime is a collaborative effort. Hackers have their bulletin boards, chat rooms, social networks and automated tools. Your password could be posted somewhere and even now entire botnets could be crunching through lists of passwords, breaking password hashes, and checking accounts all over the world.
If you haven’t been online since April 7, 2014, try to stay offline for a while, or at least don’t log into anything that has your SAME PASSWORD. When you get to the point where you have to log into something, follow the recommendations in (1), (3) and (4) above.
Bottom line
As of April 10, it’s hard to tell how bad this Net Quake is going to get. As I said earlier, the race is on. Maybe it will mostly blow over as the “good guys” deploy their patches, change their keys and beef up other defenses faster than hackers can grab more damaging information on a mass scale.