A serious Internet vulnerability dubbed “Heartbleed” has exposed 66 percent or more of the Internet to attack, according to Finnish digital forensics and security company Codenomicon, which discovered the security hole.
By exposing the memory contents of a Web site’s server, the Heartbleed vulnerability potentially allows attackers to steal the most sensitive information such as private encryption keys, session cookies and passwords.
“Typically, bugs in a single software application or library come and go, and are fixed by new versions,” said Ari Takanen, Codenomicon’s Chief Research Officer. “However due to early release of the Heartbleed bug details, it left large amounts of private keys and sensitive data exposed for quite some time. In addition, there are three aspects that make Heartbleed particularly concerning – the long exposure, ease of exploitation, and the fact that any actual attacks would leave no trace.”
The vulnerability is due to a bug created in 2012 in OpenSSL – a cryptographic library that is used to secure a major percentage of the Internet’s traffic. OpenSSL released an emergency patch for the bug along with a security advisory, and software companies have been moving quickly to implement the patch since it was publicly revealed.
Codenomicon has written and continues to update an in-depth breakdown of Heartbleed, available at www.heartbleed.com.
The patch should quickly mediate the issue and eliminate future risks. However, since an exploitation would leave no trace of anything abnormal, it’s impossible to track any actual attacks. Consumers are advised to follow service provider guidelines, given they have updated their OpenSSL to the new patched version and updated their encryption keys. In some cases, service providers may require you to change your password, particularly for more sensitive log-ins, such as financial institutions and ecommerce sites.
The bug was named Heartbleed by Codenomicon because it occurs in OpenSSL’s implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension. When it is exploited, it leads to the leak of memory contents from the server to the client and from the client to the server. The same weakness also exists in the client-side implementations of OpenSSL.
Another security expert, FireEye, encourages organizations to apply the patch as soon as possible. Organizations should identify their own strategy for deployment based on their own needs and testing requirements, however FireEye recommends the following:
- All externally facing servers be patched first to reduce the potential number individuals who could connect to a vulnerable system.
- Patch any servers providing authentication which could leak legitimate credentials to a hacker.
- Then patch any servers that containing sensitive data including personally identifiable information (PII), customer data, critical intellectual property, or those conducting financial transactions.
- Then pursue a strategy to patch all other internal systems.
- Identify partner organizations websites that employees may use, and ensure that these other websites have been secured as well.
- Create, install / deploy new certificate(s). Organizations who suspect being attacked already, should also consider revocation of the old keypairs that were just superseded, and also invalidating all session keys and cookies.
In addition, organizations should perform network scans as soon as possible. Organizations need to identify if any of other devices may be running OpenSSL as well. This could include appliances, wireless access points, routers, or pretty much anything else that may use SSL. As an example, several different types of voice over IP (VOIP) phones used in the corporate environment run SSL. For these other devices, organizations may need to work with their vendors to apply a patch, firmware, or solution to ensure that all equipment.
Finally, organizations will want to ensure appropriate logging is enabled on their servers, and conduct increased auditing to determine if any unauthorized users are leveraging compromised credentials that may have already been leaked. As the credentials are legitimate, auditing serves as one of the best ways to identify anomalous activity. Auditors should be on the lookout for anything outside of the normal including logins for different geographic regions, extreme off hour activity, increase in outbound bandwidth usage, and other similar activity.
Responding to the security issue, Palo Alto Networks claims that its software is not vulnerable, and customers with a Threat Prevention subscription, and their users, are protected from Heartbleed. “We advise that all Threat Prevention users ensure they are running the latest content version on their device,” said the company.
Meanwhile, IceWarp has issued an update for its messaging server to protect its customers and Internet community from the vulnerability. The patch, created next day after the new vulnerability was identified, will prevent hackers from obtaining private keys, passwords and other credentials that open access to sensitive data.
IceWarp provided a patch version of SSL library for any Windows product to general public.