The potential danger of the heartbleed bug

warningThe recently announced SSL heartbleed bug has the potential for being one of the most significant security threats that the Internet has faced in the last decade. This bug affects about 60% of the servers on the Internet and, although unlikely, could have resulted in the loss of every password and private key used on these systems!

What is known Today

  1. A hacker exploiting this bug can potentially obtain the user name and password of anyone who has logged on to a vulnerable server. They can also obtain the private keys used to verify the authenticity of the system itself.
  2. Knowledge of this exploit was not widely known until this week but there is evidence that it was known and exploited by some in the hacker community before the announcement was made. How wide the compromise has been is currently unknown. Complicating matters is the fact that this exploit leaves no evidence of intrusion in any logs making it unlikely that the extent of past compromises will ever be known.
  3. Patches have been released by many vendors (and many major sites have already been patched but there are many products for which confirmation of the vulnerability is not yet known.
  4. While a few major sites have already installed patches, the majority of affected systems remain vulnerable at this time.
  5. Any account that has been used on an unpatched and vulnerable system during the last two years has been potentially compromised.

 

What should users of affected systems do?

 

  1. DO NOT LOG IN TO VULNERABLE SITES UNTIL THEY HAVE BEEN PATCHED!
  2. DO NOT CHANGE PASSWORDS UNTIL YOU CAN VERIFY THAT THE SITE HAS ALREADY BEEN PATCHED FOR THIS BUG!
    1. This bug is now widely publicized and widely known in the hacker community. Exploits of this bug will escalate exponentially until systems are patched and any new login or password changes carry a far greater risk of compromise!
  3. When a vulnerable system has been patched, change your password. If you have used the same password on any other sites (even if the other site was not vulnerable) change those passwords too.

What should be done by those in IT who manage vulnerable systems?

  1. Identify all vulnerable systems.
    1. Any system that uses an unpatched openSSL libraries (version 1.01) are vulnerable. This includes webservers, VPN servers, TLS/SMTP encryption, management interfaces on appliances, servers, etc…
  2. Immediately patch any vulnerable system (beginning those that are exposed to the Internet).
  3. Remember cloud based applications used by your users are also potentially vulnerable and any IP stored on these systems is also vulnerable.
  4. After patches have been applied, expire ALL passwords on affected systems.
  5. Audit all accounts on affected systems; verifying that no new accounts have been created.
  6. WARNING: The longer a system remains unpatched, the more potential there will be for a compromise. Once a system has been compromised a hacker can add backdoor accounts, root kits, etc… that will help them maintain access after patches have been installed!

For more information on the details of this bug

The Advisory

List of affected vendor products

Detailed description of the vulnerability

Heartbleed test website

Note: The tests for the Heartbleed vulnerability can only tell if a server is currently vulnerable. If you logged into a machine before it was patched you should still change your password. Additionally, when pools of servers are providing services, it is important to wait until all of the servers have been patched before attempting a login or password change.

 

 

 

 

 

 

“Like” Harvesting: What is it? Why does it matter?

facebook LikeWe have all seen facebook posts similar to the one with a cute little girl holding a sign that reads “My dad said that if I get a million ‘likes’ he will buy me a puppy.” While these posts appear innocent, they rarely are. Most of these posts are intended to gain enough “likes” to raise Facebook’s score for the page associated with the post. The higher score these pages have gained allows these pages to have much broader distribution when they post the subsequent advertising; sometimes these pages are offered for sale to other advertisers looking for the broad distribution of their adds (even though this is prohibited by facebook’s policies). Realize that most of the time you are not helping a little girl get a puppy,¬† encouraging a child with cancer that people care for him, or encouraging a handicap person to run a marathon; you are allowing yourself to be targeted with advertising you almost certainly did not want. While participation in a “like” harvesting scheme will result in nothing more than receiving annoying (and possibly offensive) ads, other internet SCAMS can have much more severe consequences.¬†Always realize that there just may be malicious motives behind the seemingly innocent requests you receive. In the anonymous world of the Internet, it is always best to approach requests from those you do not personally know with a great deal of suspicion.