Heartbleed is Much Worse Than We Thought

April 17, 2014 // Security

Every so often in information security a vulnerability is publicly disclosed that scares even the most seasoned security professionals; Heartbleed is one of those vulnerabilities. The Heartbleed bug is an implementation flaw in OpenSSL's Heartbeat function. In short, Heartbleed takes advantage of a missing bounds check when a system builds its heartbeat reply. The net effect is that an attacker can send a heartbeat request and get back more data than was sent. That additional data comes straight from the target's memory and could include usernames, passwords, private keys, session IDs, credit card data; the list goes on and on.
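To make the missing check concrete, here is an added C model of the heartbeat reply logic the paragraph describes; it is not code from the original post or from OpenSSL. The record layout (type byte, two-byte payload_length, payload, 16 bytes of padding), the function names and the "neighbouring heap" secret are constructed for this illustration, and the whole thing runs in one local array so nothing outside it is ever read.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of the TLS heartbeat record OpenSSL processes: byte 0 type
 * (1 = request), bytes 1-2 the payload_length the SENDER claims, then payload
 * and 16 bytes of padding. Bytes after the record stand in for nearby heap. */
#define PADDING 16
#define HDR 3                              /* type + 2-byte payload_length */

/* Vulnerable shape: echoes payload_length bytes without comparing that
 * claim to rec_len, the number of bytes actually received. */
static size_t reply_unchecked(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap) {
    (void)rec_len;                         /* the check that was missing */
    size_t n = ((size_t)rec[1] << 8) | rec[2];
    if (HDR + n + PADDING > out_cap) return 0;
    out[0] = 2; out[1] = rec[1]; out[2] = rec[2];   /* heartbeat_response */
    memcpy(out + HDR, rec + HDR, n);       /* runs past the real payload */
    memset(out + HDR + n, 0, PADDING);
    return HDR + n + PADDING;
}

/* Fixed shape, modelled on the 1.0.1g bounds check: a record whose claimed
 * payload does not fit inside what was received is silently discarded. */
static size_t reply_checked(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap) {
    if (rec_len < HDR + PADDING) return 0;
    size_t n = ((size_t)rec[1] << 8) | rec[2];
    if (HDR + n + PADDING > rec_len) return 0;      /* claim exceeds data */
    if (HDR + n + PADDING > out_cap) return 0;
    out[0] = 2; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HDR, rec + HDR, n);
    memset(out + HDR + n, 0, PADDING);
    return HDR + n + PADDING;
}

typedef size_t (*reply_fn)(const uint8_t *, size_t, uint8_t *, size_t);
/* Constructed memory: a 4-byte "ping" request whose payload_length is set to
 * `claim`, with a constructed secret stored right behind it. Returns 0 if fn
 * drops the record, 2 if its reply carries the secret, otherwise 1. */
static int simulate(reply_fn fn, uint8_t claim) {
    uint8_t mem[256] = {1, 0, 0, 'p', 'i', 'n', 'g'}, out[256];
    const char *secret = "SESSION=constructed-secret-token";
    size_t rec_len = HDR + 4 + PADDING, sl = strlen(secret);
    mem[2] = claim;                        /* low byte of payload_length */
    memcpy(mem + rec_len, secret, sl);     /* neighbouring "heap" */
    size_t n = fn(mem, rec_len, out, sizeof out);
    if (n == 0) return 0;
    return (n >= rec_len + sl && memcmp(out + rec_len, secret, sl) == 0) ? 2 : 1;
}
```

With an honest claim of 4 both versions answer normally; with a claim of 64 the unchecked version ships the neighbouring secret back to the peer while the checked version drops the record.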

What is particularly troublesome about this vulnerability is the wide array of systems it affects. At first glance it was thought to affect only Linux servers, which run OpenSSL by default. The community quickly realized it spans everything from tablets and routers to applications downloaded from the Android Play Store. The picture has become much clearer in the weeks following the initial release, and security experts are warning that any device connected to a network and running OpenSSL is vulnerable to attack. It's important to understand that this is not just a server vulnerability; clients are just as vulnerable if a server responds to their requests with a malicious heartbeat of its own. Even worse, we are now seeing large farms of systems in China actively scanning the entire internet IP space indiscriminately for vulnerable systems to exploit.

So what can we do to protect ourselves, and how do we even know whether we have a vulnerable device among the Internet of Things devices that reside on our network? Fortunately, security vendors have worked quickly to offer mitigation products to block these attacks; IPS vendors in particular have released signatures for a variety of perimeter protection systems that can detect and block attacks. However, these IPS systems will only go so far, as malware is quickly being written to leverage this attack once it has entered a network through phishing or a drive-by download. The only truly foolproof mitigation is to patch your systems to the latest version of OpenSSL, currently 1.0.1g, or to apply patches from your particular device vendor. Detecting vulnerable devices in your environment can be done with freely available tools posted online, but be careful which tools you use, as it is being reported that only 5% of the tools online accurately detect the flaw. One thing is certain: we are only in the beginning phases of this vulnerability's lifecycle; experts are estimating that it will take years to patch all vulnerable devices and replace any compromised SSL certificates.

SWC is currently performing Heartbleed detection and remediation for customers. If you have questions about Heartbleed or other threats to your security, please contact SWC. We will also be hosting an online conference on Monday, April 21st at 11 AM to discuss Heartbleed and answer any questions you may have.

Additional resources regarding Heartbleed:

http://heartbleed.com/
http://techcrunch.com/2014/04/08/what-is-heartbleed-the-video/
https://filippo.io/Heartbleed/
http://www.theguardian.com/technology/2014/apr/16/heartbleed-bug-detection-tools-flawed
