April 11, 2014
There are steps organizations can – and should – take now to minimize the potential damage from the newly discovered Heartbleed bug.
Earlier this week, a severe vulnerability was identified within the popular cryptographic software library OpenSSL. Banks, healthcare organizations, e-commerce sites – any organization conducting online transactions – that use certain versions of OpenSSL now know that their sites might have been severely compromised. It's quite possible that the encryption of data from their users’ devices to their Web servers – a fundamental mechanism that enables companies to conduct secure online transactions – was compromised, giving anonymous attackers access to the data stored in memory on the entities’ Web servers.
The Heartbleed vulnerability can enable attackers to read unauthorized memory content, allowing the attackers to:
- Retrieve confidential data, including user names and passwords, which the attacker can then use on other websites
- Retrieve secret encryption keys and eavesdrop on communications
- Impersonate services and users
The bug, the result of a small coding error,[1] has been present in OpenSSL since December 2011 and has shipped in public releases since March 14, 2012. OpenSSL is the most popular open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. According to Netcraft’s April 2014 Web Server Survey, two of the most notable software packages using OpenSSL constitute two-thirds of the market share of all active sites on the Internet.[2]
The Heartbleed vulnerability has affected major websites such as Amazon, Facebook, Google, and Yahoo; many smaller online businesses have been affected as well. The full impact of the bug may never be fully understood because neither organizations nor individuals can even know if they’ve been compromised. According to the New York Times, “Because the flaw would allow attackers to surreptitiously steal the keys that protect communication, user passwords and anything stored in the memory of a vulnerable web server, it was virtually impossible to assess whether damage had been done.”
The Heartbleed bug lies in a part of the OpenSSL software called the heartbeat extension. To protect their electronic assets and confidential user data, all online organizations should immediately take steps to reduce their exposure to the vulnerability’s potential effects.
An entity should begin by compiling a list of all its Internet-accessible systems and identifying which are vulnerable to the bug. According to a Forrester Research article, “It is important to scan all assets on your network for this vulnerability because it may not be readily apparent exactly which systems, applications, and devices in your environment leverage the OpenSSL cryptographic libraries.”[3] Because only OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected, vulnerable systems should be upgraded to the patched version, OpenSSL 1.0.1g.
If specific systems cannot be upgraded immediately, the entity should recompile OpenSSL without the heartbeat extension, or it should implement temporary iptables (firewall) rules to block heartbeat queries until the upgrade can be applied.
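The inventory-and-classify step described above, as an added example that is not part of the original article: it maps the output of `openssl version` (and optionally the compiler line from `openssl version -f`) to the version ranges the article gives, treating a build recompiled with `-DOPENSSL_NO_HEARTBEATS` as mitigated. Host names and banners in the sample inventory are constructed.

```python
import re

# Version ranges as stated in the article: OpenSSL 1.0.1 through 1.0.1f and
# 1.0.2-beta1 are affected; 1.0.1g is the patched release; the 0.9.8 and
# 1.0.0 branches predate the heartbeat extension and are not affected.
BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")
NO_HEARTBEATS_FLAG = "-DOPENSSL_NO_HEARTBEATS"  # build switch that removes the extension


def classify_openssl(version_banner, compiler_line=""):
    """Map `openssl version` output (plus the optional `openssl version -f`
    compiler line) to: vulnerable | mitigated | patched | not-affected | unknown."""
    m = BANNER_RE.search(version_banner)
    if not m:
        return "unknown"
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, fix) < (1, 0, 1):
        return "not-affected"
    if (major, minor, fix) == (1, 0, 1):
        affected = letter < "g"        # plain 1.0.1 ('' letter) and a-f are affected
    elif (major, minor, fix) == (1, 0, 2):
        affected = beta == "1"         # only 1.0.2-beta1 is in the article's list
    else:
        return "unknown"               # outside the article's list; consult the vendor advisory
    if not affected:
        return "patched"
    # An affected version rebuilt without the heartbeat extension is the
    # article's interim mitigation, not a fix: it still needs the upgrade.
    return "mitigated" if NO_HEARTBEATS_FLAG in compiler_line else "vulnerable"


def triage_inventory(inventory):
    """inventory: {host: (version_banner, compiler_line)} -> sorted hosts that
    still need action (upgrade to 1.0.1g, or rebuild/iptables as a stopgap)."""
    return sorted(host for host, (banner, cflags) in inventory.items()
                  if classify_openssl(banner, cflags) in ("vulnerable", "unknown"))


# Constructed sample inventory (hypothetical hosts); banners follow the real
# `openssl version` / `openssl version -f` output format.
SAMPLE_INVENTORY = {
    "web-01.example.test": ("OpenSSL 1.0.1e 11 Feb 2013", "compiler: gcc -fPIC -DOPENSSL_THREADS"),
    "web-02.example.test": ("OpenSSL 1.0.1g 7 Apr 2014", "compiler: gcc -fPIC -DOPENSSL_THREADS"),
    "api-01.example.test": ("OpenSSL 1.0.1f 6 Jan 2014", "compiler: gcc -DOPENSSL_NO_HEARTBEATS -fPIC"),
    "lb-01.example.test": ("OpenSSL 1.0.2-beta1 24 Feb 2014", ""),
    "legacy-01.example.test": ("OpenSSL 0.9.8y 5 Feb 2013", ""),
}

if __name__ == "__main__":
    for host in sorted(SAMPLE_INVENTORY):
        print(host, classify_openssl(*SAMPLE_INVENTORY[host]))
    print("needs action:", triage_inventory(SAMPLE_INVENTORY))
```

A banner check is only a first pass: vendors that backport the fix keep the old version string, so confirm with the package changelog or an active scan of each asset, as the Forrester article recommends.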
Because the Heartbleed flaw has existed for so long, organizations need to take extra precautions after applying corrective patches. Companies should work with their certificate authority to have their SSL certificates – which certify the companies’ credentials and verify the safety of their sites – revoked and then be issued new certificates. In addition, companies should change all their passwords associated with applications hosted by external servers.[4]
Principal, Risk Consulting Services
[3] John Kindervag, Tyler Shields, Andras Cser, Andrew Rose, Ed Ferrara, Rick Holland with Stephanie Balaouras, Katherine Williamson, “Quick Take: Stem the ‘Heartbleed’: How to Fix a Broken OpenSSL Implementation and What to Do While Everyone Else Fixes Theirs,” Forrester Research, April 11, 2014.
[4] For additional information about the bug, see “The Heartbleed Bug,” http://heartbleed.com/.