The recently announced OpenSSL Heartbleed bug has the potential to be one of the most significant security threats the Internet has faced in the last decade. This bug affects about 60% of the servers on the Internet and, although unlikely, could have resulted in the loss of every password and private key used on those systems!
What is known today
- A hacker exploiting this bug can potentially obtain the user name and password of anyone who has logged on to a vulnerable server. They can also obtain the private keys used to verify the authenticity of the server itself.
- Knowledge of this bug was not widespread until this week, but there is evidence that it was known and exploited by some in the hacker community before the announcement was made. How widespread the compromise has been is currently unknown. Complicating matters is the fact that this exploit leaves no evidence of intrusion in any logs, making it unlikely that the extent of past compromises will ever be known.
- Patches have been released by many vendors, and many major sites have already been patched, but there are many products for which it is not yet confirmed whether they are vulnerable.
- While a few major sites have already installed patches, the majority of affected systems remain vulnerable at this time.
- Any account that has been used on an unpatched and vulnerable system during the last two years has been potentially compromised.
What should users of affected systems do?
- DO NOT LOG IN TO VULNERABLE SITES UNTIL THEY HAVE BEEN PATCHED!
- DO NOT CHANGE PASSWORDS UNTIL YOU CAN VERIFY THAT THE SITE HAS ALREADY BEEN PATCHED FOR THIS BUG!
- This bug is now widely publicized and widely known in the hacker community. Exploitation of this bug will escalate exponentially until systems are patched, and any new login or password change on an unpatched system carries a far greater risk of compromise!
- Once a vulnerable system has been patched, change your password. If you have used the same password on any other sites (even if the other site was not vulnerable), change those passwords too.
What should be done by those in IT who manage vulnerable systems?
- Identify all vulnerable systems.
- Any system that uses an unpatched OpenSSL 1.0.1 library is vulnerable. This includes web servers, VPN servers, TLS-encrypted SMTP, management interfaces on appliances, servers, etc.
- Immediately patch any vulnerable system, beginning with those that are exposed to the Internet.
- Remember that cloud-based applications used by your users are also potentially vulnerable, and any intellectual property stored on those systems is also at risk.
- After patches have been applied, expire ALL passwords on affected systems.
- Audit all accounts on affected systems, verifying that no new accounts have been created.
- WARNING: The longer a system remains unpatched, the greater the potential for a compromise. Once a system has been compromised, an attacker can add backdoor accounts, rootkits, etc. that help them maintain access even after patches have been installed!
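The account audit step above is easiest to do against a baseline captured before the incident. The following Python is an added example (not part of the original advisory) that diffs two snapshots in /etc/passwd format and flags the things an auditor would want to see first: accounts that did not exist before, accounts that have been removed, new UID 0 (root-equivalent) accounts, and existing accounts whose login shell was switched from a non-login shell to an interactive one. Both snapshots are constructed sample data, not from any real host.

```python
# Constructed sample snapshots in /etc/passwd format (not taken from a real host).
# BASELINE is the pre-incident copy (e.g. from backups or configuration management);
# CURRENT is what the host reports now.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysadm:x:0:0:maint:/var/tmp/.x:/bin/bash
"""

# Shells that do not permit an interactive login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Return {username: (uid, gid, home, shell)} from passwd-format text.
    Malformed lines are skipped rather than guessed at."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        accounts[name] = (int(uid), int(gid), home, shell)
    return accounts


def audit_accounts(baseline_text, current_text):
    """Compare a pre-incident baseline with the current account list.

    Returns a dict with sorted lists:
      new           - accounts present now but not in the baseline
      removed       - accounts in the baseline that are gone
      new_root      - new accounts with UID 0 (root-equivalent backdoor candidates)
      shell_changed - existing accounts whose shell changed to an interactive one
    """
    base = parse_passwd(baseline_text)
    cur = parse_passwd(current_text)
    new = sorted(set(cur) - set(base))
    removed = sorted(set(base) - set(cur))
    new_root = sorted(name for name in new if cur[name][0] == 0)
    shell_changed = sorted(
        name
        for name in set(base) & set(cur)
        if base[name][3] != cur[name][3] and cur[name][3] not in NOLOGIN_SHELLS
    )
    return {
        "new": new,
        "removed": removed,
        "new_root": new_root,
        "shell_changed": shell_changed,
    }


if __name__ == "__main__":
    for key, value in audit_accounts(BASELINE_PASSWD, CURRENT_PASSWD).items():
        print(f"{key:14s} {value}")
```

On the sample data the audit reports one new account that is also UID 0, and one service account (daemon) whose shell was changed to an interactive one; both would need to be explained or removed before the system is considered clean. Where no pre-incident baseline exists, the nearest substitute is a package manifest or the last known-good backup.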
For more information on the details of this bug
Note: The tests for the Heartbleed vulnerability can only tell you whether a server is currently vulnerable. If you logged in to a machine before it was patched, you should still change your password. Additionally, when a pool of servers provides a service, it is important to wait until all of the servers in the pool have been patched before attempting a login or password change.
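The "identify all vulnerable systems" step and the note about server pools above can both be supported from the inventory side, without touching the TLS service at all. The following Python is an added example (not part of the original advisory) that classifies hosts from the output of `openssl version` and `openssl version -b`. It encodes the upstream range that shipped with the bug (1.0.1 through 1.0.1f, plus 1.0.2-beta1; 1.0.1g of 7 April 2014 carries the fix), which is more specific than the "1.0.1" the advisory gives and comes from the OpenSSL project's own advisory. It also handles the caveat that matters most in practice: distributions backported the fix without changing the version string, so a 1.0.1e built on or after the fix date is reported as "possibly-patched" and must be confirmed against the vendor's package changelog, never assumed fixed. The host names and version lines in SAMPLE_POOL are constructed.

```python
import re
from datetime import date

# Date of the upstream fix (OpenSSL 1.0.1g). A build of an affected version string
# dated on or after this day may carry a distribution backport of the fix.
FIX_DATE = date(2014, 4, 7)

# First line of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013",
# "OpenSSL 1.0.1e-fips 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-([A-Za-z0-9]+))?")

# `openssl version -b` output, e.g. "built on: Mon Apr  7 15:05:47 UTC 2014".
_BUILT_ON_RE = re.compile(
    r"([A-Z][a-z]{2})\s+(\d{1,2})\s+\d\d:\d\d:\d\d(?:\s+\S+)?\s+(\d{4})"
)
_MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def parse_openssl_version(version_line):
    """Return (major, minor, patch, letter, suffix) or None if unrecognised."""
    m = _VERSION_RE.search(version_line)
    if not m:
        return None
    major, minor, patch, letter, suffix = m.groups()
    return int(major), int(minor), int(patch), letter, (suffix or "")


def parse_built_on(built_on_line):
    """Return the build date from `openssl version -b` output, or None."""
    m = _BUILT_ON_RE.search(built_on_line)
    if not m:
        return None
    month, day, year = m.groups()
    return date(int(year), _MONTHS[month], int(day))


def in_affected_range(version_line):
    """True if the reported upstream version is one that shipped with the bug."""
    parsed = parse_openssl_version(version_line)
    if parsed is None:
        return False
    major, minor, patch, letter, suffix = parsed
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"          # 1.0.1 and 1.0.1a..f affected; 1.0.1g+ fixed
    if (major, minor, patch) == (1, 0, 2):
        return suffix == "beta1"      # the 1.0.2 beta that was affected
    return False                      # 0.9.8 and 1.0.0 branches never had the code


def classify(version_line, built_on=None):
    """Classify one host: 'unknown', 'not-affected', 'vulnerable' or 'possibly-patched'.

    'possibly-patched' means the version string is in the affected range but the
    binary was built on or after FIX_DATE, which is consistent with a vendor
    backport. Treat it as unconfirmed until the package changelog says otherwise.
    """
    if parse_openssl_version(version_line) is None:
        return "unknown"
    if not in_affected_range(version_line):
        return "not-affected"
    if built_on is not None and built_on >= FIX_DATE:
        return "possibly-patched"
    return "vulnerable"


def pool_is_safe(node_reports):
    """node_reports: {hostname: (version_line, build_date_or_None)}.

    A load-balanced pool is safe for logins and password changes only when every
    node is out of the affected set; a single vulnerable backend is enough to
    expose a freshly chosen password. Returns (safe, {hostname: status}).
    """
    results = {host: classify(v, b) for host, (v, b) in node_reports.items()}
    return all(status == "not-affected" for status in results.values()), results


# Constructed sample pool: one upstream-fixed node, one vendor backport, one
# unpatched node and one node on the unaffected 1.0.0 branch.
SAMPLE_POOL = {
    "web1": ("OpenSSL 1.0.1g 7 Apr 2014", date(2014, 4, 7)),
    "web2": ("OpenSSL 1.0.1e 11 Feb 2013", date(2014, 4, 8)),
    "web3": ("OpenSSL 1.0.1e 11 Feb 2013", date(2013, 9, 3)),
    "web4": ("OpenSSL 1.0.0l 6 Jan 2014", None),
}

if __name__ == "__main__":
    safe, per_node = pool_is_safe(SAMPLE_POOL)
    for host, status in sorted(per_node.items()):
        print(f"{host}: {status}")
    print("pool safe for logins:", safe)
```

Feed each node's `openssl version` and `openssl version -b` output into `classify` (via `parse_built_on` for the second line) and only clear the pool for logins when `pool_is_safe` returns True. Note that this checks the library a host reports, not the library a long-running process actually has mapped: a daemon started before the package upgrade still runs the old code until it is restarted, so a restart (or reboot) belongs in the patch procedure.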