'Heartbleed Bug' Exposure: International Change Your Password Day?

By Peter Bernstein April 09, 2014

Here is a number that is sure to live in infamy: CVE-2014-0160.

It is the official reference number for what has not so affectionately been named the “Heartbleed Bug,” a flaw in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520). This is the technology behind what we all commonly see as https, which is supposed to be an indication that we are on a secure Web site.
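As an added illustration that is not part of the original article and not OpenSSL's own code, the following C sketch of an RFC6520 heartbeat handler shows the record-length check whose absence in OpenSSL's heartbeat processing is what Heartbleed came down to; the function names and the test records are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 6520 HeartbeatMessage: uint8 type (1=request, 2=response),
 * uint16 payload_length (big-endian), payload[payload_length], padding[>=16]. */
#define HB_HEADER_LEN 3
#define HB_MIN_PADDING 16
#define HB_REQUEST 1
#define HB_RESPONSE 2

/* Validate one received heartbeat record of rec_len bytes and return its
 * declared payload_length, or -1 if the message must be silently discarded.
 * The bounds check is the one whose absence caused Heartbleed: a peer could
 * declare up to 65535 payload bytes while sending only a few, and the
 * responder would echo back that many bytes from memory past the record. */
int hb_validate(const uint8_t *rec, size_t rec_len)
{
    if (rec == NULL || rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return -1;
    size_t payload_length = ((size_t)rec[1] << 8) | rec[2];
    /* Declared payload plus header and minimum padding must fit in the record. */
    if (HB_HEADER_LEN + payload_length + HB_MIN_PADDING > rec_len)
        return -1;
    return (int)payload_length;
}

/* Build the HeartbeatResponse for a validated request into resp (capacity
 * resp_cap). Returns bytes written, or -1 if the request is invalid or the
 * response does not fit. Only the validated payload is echoed and the padding
 * is freshly zeroed, so nothing outside the request bytes is ever copied. */
int hb_respond(const uint8_t *req, size_t req_len, uint8_t *resp, size_t resp_cap)
{
    int payload_length = hb_validate(req, req_len);
    if (payload_length < 0 || req[0] != HB_REQUEST)
        return -1;
    size_t need = HB_HEADER_LEN + (size_t)payload_length + HB_MIN_PADDING;
    if (resp == NULL || need > resp_cap)
        return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(payload_length >> 8);
    resp[2] = (uint8_t)(payload_length & 0xff);
    memcpy(resp + HB_HEADER_LEN, req + HB_HEADER_LEN, (size_t)payload_length);
    memset(resp + HB_HEADER_LEN + payload_length, 0, HB_MIN_PADDING);
    return (int)need;
}
```

A request that declares more payload than the record carries is dropped before any copy happens, which is exactly the behaviour RFC6520 requires for an over-long payload_length.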

If you have been on the Internet scanning the news, you can’t avoid all of the stories saying that yesterday the Finnish security firm Codenomicon discovered that OpenSSL, used by many servers worldwide to encrypt sensitive personal information (usernames, passwords, credit card numbers, security challenges, medical records, etc.), has been open for bad-guy business for quite some time.

What we do know at the moment is that an estimated 500,000 servers are subject to being compromised. What we do not know is whether any of them have been. What we also know is that once those with malicious intent have, quite literally, the keys to the vault, we all could have been exposed.

Aside from the Target data breach, this could turn into one of the biggest security exploits in years. As a result of this revelation, security professionals from around the world have all said that given the potential for havoc, changing the passwords on any of the services or sites we all use needs to be done. They emphasize that this needs to be done sooner rather than later. In fact, they are recommending today. In short, as the headline says, today probably should be called, “International Change Your Password Day.” In a word, YIKES!

Image courtesy heartbleed.com

This is really nasty stuff. As Codenomicon says, “We have tested some of our own services from an attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business-critical documents and communication.”

It gets even more concerning. Not only can our personal information be swiped, but hackers can obtain copies of the encryption keys and use them to impersonate legitimate servers or to decrypt data in transit.

How bad is Heartbleed?

So how bad is Heartbleed? Here is what a few security pros have to say.

Password/privileged identity management expert Philip Lieberman, president of Lieberman Software stated, “This is very bad, and the consequences are very scary now that it has been disclosed. The fact that this code is on home and commercial Internet connected devices on a global scale means that the Internet is a different place today.”

Unstructured data governance expert Jonathan Sander, strategy and research officer, STEALTHbits Technologies commented that: “Heartbleed is like finding a faulty car part used in nearly every make and model, but you can’t recall the Internet and all the data you put out on it. Having common technology is typically viewed as a good thing. But it can also lead to assumptions. People assume the parts they use are safe if everyone uses them. If deep testing isn’t being done by the good guys to make sure those parts stay safe over time, then you can be sure the bad guys will find the faults first.”

Encryption and tokenization expert Mark Bower, VP of product management and solution architecture, Voltage Security noted, “While ‘Heartbleed’ presents clear and present risk of exploit and active attack to systems to steal data, the big danger is to systems that have been relying on secure communications for things like key and credential exchange since the first affected version of OpenSSL was deployed. So affected entities need, in particular, to consider the external use of affected versions of OpenSSL in use, and establish what might have been transported and been potentially at risk in past SSL sessions with client systems or other servers. That itself might be very difficult, and requires consideration for changing transported credentials, certificates or monitoring other sensitive data which if exposed could lead to secondary compromises, theft, or further malware infestation.

Security vulnerabilities will always exist, and provide the ideal beachhead for attackers to establish the data-stealing malware infantry front line. In this case, Heartbleed’s significant data theft risk also emphasizes the need to take a different approach to data protection above and beyond SSL – for example, encrypting the data well before it enters and exits the SSL tunnel so that even if the transport is compromised, the data itself has no value to an attacker. This ‘data-centric’ or end-to-end protection model can reduce the need for SSL in the first place in some cases, and also protect data well beyond where SSL starts and stops. And for cases where SSL plays a critical and essential role, use transport mechanisms that are unaffected or patched against this particular risk as soon as possible.”

Read all about it

Codenomicon created a web site (http://heartbleed.com) to provide the latest information on the bug and to provide security professionals details on what to think about and do. In addition, the popular web site Lifehacker has provided information for us mere mortal users about Heartbleed, but be forewarned, what they are saying is, “Unfortunately, there's not much you can do about this. The only way to fix this problem is for the vulnerable sites to update OpenSSL and reissue their security certificates.”

While some pros are saying that changing passwords might not be the best thing to do given what we do not know, and with the Lifehacker advice not providing much solace since it appears we need for those controlling the exposed servers to act, I have already spent several waking hours taking care of my online banking and other sensitive sites I visit including Facebook, Twitter, Google, and a few others. It is something you might wish to consider. I, for one, do not want to fit the description that there is no fool like an April fool.

Edited by Rory J. Thompson