'Heartbleed Bug' Exposure: International Change Your Password Day?

Here is a number that is sure to live in infamy: CVE-2014-0160.

It is the official reference number for what has been not so affectionately named the “Heartbleed Bug,” a flaw in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520). This is the technology behind what we all commonly see as https, which is supposed to be an indication that we are on a secure Web site.
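Added here as an illustration, and not code from the article or from OpenSSL: a small parser for the RFC 6520 HeartbeatMessage that applies the length check the RFC requires (a message whose claimed payload_length does not fit the received record must be silently discarded), which is the check OpenSSL's implementation lacked. The sample messages are constructed; one is well-formed and one claims far more payload than it carries.

```python
import struct
from typing import Optional, Tuple

# RFC 6520 HeartbeatMessage layout (carried in a TLS record of content type 24):
#   type (1 byte: 1 = heartbeat_request, 2 = heartbeat_response)
#   payload_length (uint16, network byte order)
#   payload (payload_length bytes)
#   padding (at least 16 bytes, ignored by the receiver)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16
HEADER_LEN = 3


def parse_heartbeat(record: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (type, payload), or None when RFC 6520 says to discard the message."""
    if len(record) < HEADER_LEN:
        return None
    msg_type, payload_length = struct.unpack("!BH", record[:HEADER_LEN])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    # The bounds check: the claimed payload (plus minimum padding) must fit inside
    # the bytes actually received. Without it, a responder that echoes
    # payload_length bytes copies whatever memory follows the short payload.
    if HEADER_LEN + payload_length + MIN_PADDING > len(record):
        return None
    return msg_type, record[HEADER_LEN:HEADER_LEN + payload_length]


def build_response(request: bytes) -> Optional[bytes]:
    """Echo a valid request's payload as a heartbeat_response; refuse anything else."""
    parsed = parse_heartbeat(request)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    payload = parsed[1]
    # Padding is random in a real implementation; zero bytes keep the sample deterministic.
    return struct.pack("!BH", HEARTBEAT_RESPONSE, len(payload)) + payload + bytes(MIN_PADDING)


# Constructed sample messages (not captured traffic).
GOOD_REQUEST = struct.pack("!BH", HEARTBEAT_REQUEST, 5) + b"hello" + bytes(MIN_PADDING)
# Claims 65535 payload bytes but carries only 5: must be discarded, not echoed.
LYING_REQUEST = struct.pack("!BH", HEARTBEAT_REQUEST, 65535) + b"hello" + bytes(MIN_PADDING)
```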

If you have been on the Internet scanning the news, you can’t avoid all of the stories saying that yesterday the Finnish security firm Codenomicon discovered that OpenSSL, used by many servers worldwide to encrypt sensitive personal information (usernames, passwords, credit card numbers, security challenges, medical records, etc.), has been open for bad-guy business for quite some time.

What we do know at the moment is that an estimated 500,000 servers are subject to being compromised. What we do not know is whether any of them have been. What we also know is that once those with malicious intent have, quite literally, the keys to the vault, we all could have been exposed.

Aside from the Target data breach, this could turn into one of the biggest security exploits in years. As a result of this revelation, security professionals from around the world have all said that given the potential for havoc, changing the passwords on any of the services or sites we all use needs to be done. They emphasize that this needs to be done sooner rather than later. In fact, they are recommending today. In short, as the headline says, today probably should be called, “International Change Your Password Day.” In a word, YIKES!

Image courtesy heartbleed.com

This is really nasty stuff. As Codenomicon says, “We have tested some of our own services from an attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business-critical documents and communication.”

It gets even more concerning. Not only can our personal information be swiped, but attackers can obtain copies of the servers' private encryption keys and use them to impersonate legitimate servers or to decrypt data in transit.

How bad is Heartbleed?

So how bad is Heartbleed? Here is what a few security pros have to say.

Password/privileged identity management expert Philip Lieberman, president of Lieberman Software stated, “This is very bad, and the consequences are very scary now that it has been disclosed. The fact that this code is on home and commercial Internet connected devices on a global scale means that the Internet is a different place today.”

Unstructured data governance expert Jonathan Sander, strategy and research officer, STEALTHbits Technologies commented that: “Heartbleed is like finding a faulty car part used in nearly every make and model, but you can’t recall the Internet and all the data you put out on it. Having common technology is typically viewed as a good thing. But it can also lead to assumptions. People assume the parts they use are safe if everyone uses them. If deep testing isn’t being done by the good guys to make sure those parts stay safe over time, then you can be sure the bad guys will find the faults first.”

Encryption and tokenization expert Mark Bower, VP of product management and solution architecture, Voltage Security noted, “While ‘Heartbleed’ presents clear and present risk of exploit and active attack to systems to steal data, the big danger is to systems that have been relying on secure communications for things like key and credential exchange since the first affected version of OpenSSL was deployed. So affected entities need, in particular, to consider the external use of affected versions of OpenSSL in use, and establish what might have been transported and been potentially at risk in past SSL sessions with client systems or other servers. That itself might be very difficult, and requires consideration for changing transported credentials, certificates or monitoring other sensitive data which if exposed could lead to secondary compromises, theft, or further malware infestation.

Security vulnerabilities will always exist, and provide the ideal beachhead for attackers to establish the data-stealing malware infantry front line. In this case, Heartbleed’s significant data theft risk also emphasizes the need to take a different approach to data protection above and beyond SSL – for example, encrypting the data well before it enters and exits the SSL tunnel so that even if the transport is compromised, the data itself has no value to an attacker. This ‘data-centric’ or end-to-end protection model can reduce the need for SSL in the first place in some cases, and also protect data well beyond where SSL starts and stops. And for cases where SSL plays a critical and essential role, use transport mechanisms that are unaffected or patched against this particular risk as soon as possible.”

Read all about it

Codenomicon created a web site (http://heartbleed.com) to provide the latest information on the bug and to give security professionals details on what to think about and do. In addition, the popular web site Lifehacker has provided information for us mere mortal users about Heartbleed, but be forewarned, what they are saying is, “Unfortunately, there's not much you can do about this. The only way to fix this problem is for the vulnerable sites to update OpenSSL and reissue their security certificates.”

While some pros are saying that changing passwords might not be the best thing to do given what we do not know, and with the Lifehacker advice not providing much solace since it appears we need those controlling the exposed servers to act, I have already spent several waking hours taking care of my online banking and other sensitive sites I visit including Facebook, Twitter, Google, and a few others. It is something you might wish to consider. I, for one, do not want to fit the description that there is no fool like an April fool.


Edited by Rory J. Thompson