Open Heartbleed Surgery

By

As you can probably imagine, being someone who is attempting to keep an eye and ear on the continuing Heartbleed bug (aka CVE-2014-0160), bug phenomena has become almost a full-time occupation. Let’s just say that my inbox is inundated almost hourly, and I feel an obligation to read each one. By the way, I can assure all of you who are sending me stuff I do read everything you send.

The good news is that remediation of almost all of the potentially exposed servers on public websites using the vulnerable OpenSSL for encryption has been implemented. Plus, there are lots of tools out there to help even the average user be more careful.  This means, it is safe to surf and safe to change your passwords on all those public places you go.

That said, it should be noted that public sites are not the only vulnerable ones. As the Dmitri Alperovitch, Co-Founder & CTO of security company CrowdStrike wrote in an insightful blog, announcing the availability of the free to everyone CrowdStrike Heartbleed Scanner, there is a lot more that needs to be considered. This is especially true if you are an IT security professional.


Source: CrowdStrike

Alperovitch explains, “We realized that there was a largely unmet demand for an easy to use UI tool capable of also scanning the internal networks and non-HTTPS services for this vulnerability since this problem is so much bigger than just external websites.” CrowdStrike’s Heartbleed Scanner addresses this important gap. Plus, the scanner outputs the contents of the 64kb of memory that a vulnerable server returns back to the heartbeat SSL request. This means you can see the extent of the impact of this vulnerability on your devices and services.

The new free tool enables scanning of Intranet SSL websites. It also allows for scanning of a host of other things including OpenSSL VPNs, Secure FTP servers, Databases, Secure SMTP/POP/IMAP email servers, routers, printers, phones, and anything else that may have been compiled with OpenSSL 1.0.1-1.0.1f.

As the company says, “Long story short, the Heartbleed vulnerability allows people to request chunks of memory from target servers.  This memory often contains keys, passwords or other juicy bits of information that would otherwise be inaccessible.  This affects certain versions of OpenSSL that allow anyone to specify how much information they want from the server – i.e. untrusted input in a leaky “heartbeat” function – thus the name.  Note that there’s also a client component that may also need to be addressed.”

The reason I plucked this item out of my overflowing inbox should be apparent. It reminds of one of my favorite hit songs by the Eagles, “Heartache Tonight,” which if you don’t have time to listen here is the first stanza and the refrain:

Somebody's gonna hurt someone
before the night is through
Somebody's gonna come undone.
There's nothin' we can do.
Everybody wants to touch somebody
if it takes all night.
Everybody wants to take a little chance,
Make it come out right.

There's gonna be a heartache tonight,
a heartache tonight, I know.
There's gonna be a heartache tonight, I know.
Lord, I know.  

Heartbleed, like so many of the malware that is out and about, can have greater impact than what was exposed in the first instance. What CrowdStrike rightfully is pointing out is don’t rest on your laurels and make sure everything that needs to be protected really cannot be compromised. The scanner is the right hammer for hitting all of the nails that need to be pounded to secure your enterprise. After all, even just one loose floor board can sink a ship if not properly secured. There does not have to be heartache tonight.




Edited by Alisen Downey
Get stories like this delivered straight to your inbox. [Free eNews Subscription]
SHARE THIS ARTICLE
Related Articles

How to Protect Your Website From LDAP Injection Attacks

By: Contributing Writer    3/12/2024

Prevent LDAP injection attacks with regular testing, limiting access privileges, sanitizing user input, and applying the proper encoding functions.

Read More

Azure Cost Optimization: 5 Things You Can Do to Save on Azure

By: Contributing Writer    3/7/2024

Azure cost optimization is the process of managing and reducing the overall cost of using Azure. It involves understanding the resources you're using,…

Read More

Massive Meta Apps and Services Outage Impacts Users Worldwide

By: Alex Passett    3/5/2024

Meta's suite of apps and services are experiencing major global outages on Super Tuesday 2024.

Read More

The Role of Technology in Shaping the Future of Affiliate Marketing

By: Contributing Writer    3/5/2024

In the current rapidly growing digital world, affiliate marketing is still one of the most effective ways for businesses to increase their visibility …

Read More

The Steps You Can Take To Improve Customer Service For Your Business

By: Contributing Writer    3/5/2024

When you're in a competitive market, providing exceptional customer service is crucial for the success and growth of your business. Good customer serv…

Read More