'Heartbleed Bug' Exposure: International Change Your Password Day?

By Peter Bernstein April 09, 2014

Here is a number that is sure to live in infamy, CVE-2014-0160.

It is the official reference number for what has not so affectionately been named the “Heartbleed Bug,” a flaw in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520). This is the software behind what we commonly see as https, which is supposed to be an indication that we are on a secure Web site.

If you have been on the Internet scanning the news, you can’t avoid all of the stories saying that yesterday the Finnish security firm Codenomicon discovered that OpenSSL, used by many servers worldwide to encrypt sensitive personal information (usernames, passwords, credit card numbers, security challenges, medical records, etc.), has been open for bad-guy business for quite some time.

What we do know at the moment is an estimated 500,000 servers are subject to being compromised. What we do not know is whether any of them have been. What we also know is that once those with malicious intent have literally the keys to the vault, we all could have been exposed.

Aside from the Target data breach, this could turn into one of the biggest security exploits in years. As a result of this revelation, security professionals from around the world have all said that given the potential for havoc, changing the passwords on any of the services or sites we all use needs to be done. They emphasize that this needs to be done sooner rather than later. In fact, they are recommending today. In short, as the headline says, today probably should be called, “International Change Your Password Day.” In a word, YIKES!

Image courtesy heartbleed.com

This is really nasty stuff. As Codenomicon says, “We have tested some of our own services from an attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business-critical documents and communication.”

It gets even more concerning. Not only can our personal information be swiped, but hackers can obtain copies of the encryption keys and use them to impersonate legitimate servers or to decrypt data on the move.
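To make the two paragraphs above concrete, here is an added example (not OpenSSL's code and not from the article or Codenomicon): a toy C model of an RFC 6520 heartbeat request handler. A heartbeat request carries a type byte, a two-byte payload length chosen by the peer, the payload, and at least 16 bytes of padding. The "vulnerable" handler trusts the peer's length field, so a short request claiming a long payload makes it echo back whatever sits in memory after the record. The "fixed" handler adds the check that the peer's claimed length must fit inside the bytes actually received. The process memory, the request and the "secret" that sits next to it are all constructed buffers so the program runs offline without touching anything outside its own array.

```c
/* Added example, not OpenSSL's code: a toy RFC 6520 heartbeat handler with and
 * without the length check whose absence was CVE-2014-0160. All memory here is
 * a constructed array, so the "over-read" stays inside the simulation. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_PADDING  16   /* RFC 6520: a heartbeat message carries at least 16 padding bytes */

/* Simulated process memory: one received record followed by unrelated data. */
typedef struct {
    uint8_t data[256];
    size_t  record_len;  /* number of bytes actually received for this record */
} sim_memory;

/* Lay out: type(1) | payload_length(2, big-endian) | payload | padding, then place
 * an unrelated "secret" right after the record, as neighbouring heap data would sit. */
static sim_memory build_record(const char *payload, uint16_t claimed_len, const char *adjacent_secret)
{
    sim_memory m;
    memset(m.data, 0, sizeof m.data);
    size_t plen = strlen(payload);
    m.data[0] = HB_REQUEST;
    m.data[1] = (uint8_t)(claimed_len >> 8);
    m.data[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(&m.data[3], payload, plen);
    m.record_len = 3 + plen + HB_PADDING;   /* padding bytes stay zero */
    memcpy(&m.data[m.record_len], adjacent_secret, strlen(adjacent_secret));
    return m;
}

/* Defective handler: copies as many bytes as the peer claims, never comparing
 * the claim with record_len. Returns bytes echoed, or -1 if rejected. */
static int heartbeat_vulnerable(const sim_memory *m, uint8_t *out, size_t out_cap)
{
    const uint8_t *p = m->data;
    if (p[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    if (payload_len > out_cap) return -1;   /* only protects the toy's output buffer */
    memcpy(out, &p[3], payload_len);        /* may run past the end of the record */
    return (int)payload_len;
}

/* Hardened handler: the claimed payload plus header and minimum padding must
 * fit inside the bytes that were actually received. */
static int heartbeat_fixed(const sim_memory *m, uint8_t *out, size_t out_cap)
{
    const uint8_t *p = m->data;
    if (m->record_len < 1 + 2 + HB_PADDING) return -1;   /* too short to be a valid heartbeat */
    if (p[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    if ((size_t)1 + 2 + payload_len + HB_PADDING > m->record_len) return -1;  /* the missing check */
    if (payload_len > out_cap) return -1;
    memcpy(out, &p[3], payload_len);
    return (int)payload_len;
}

/* Byte-string search; returns 1 if needle occurs in hay. */
static int contains(const uint8_t *hay, size_t hlen, const uint8_t *needle, size_t nlen)
{
    if (nlen == 0 || hlen < nlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Send one request with payload "hi" and the given claimed length through a handler.
 * Returns 1 if the reply contains the adjacent secret, 0 if not, -1 if rejected. */
static int run_request(int use_fix, uint16_t claimed_len)
{
    static const char secret[] = "CONSTRUCTED-SECRET-KEY";   /* constructed sample, not real key material */
    sim_memory m = build_record("hi", claimed_len, secret);
    uint8_t out[200];
    int n = use_fix ? heartbeat_fixed(&m, out, sizeof out)
                    : heartbeat_vulnerable(&m, out, sizeof out);
    if (n < 0) return -1;
    return contains(out, (size_t)n, (const uint8_t *)secret, sizeof secret - 1);
}

int main(void)
{
    printf("honest length, vulnerable handler: leak=%d\n", run_request(0, 2));
    printf("honest length, fixed handler:      leak=%d\n", run_request(1, 2));
    printf("claimed 64 bytes, vulnerable:      leak=%d\n", run_request(0, 64));
    printf("claimed 64 bytes, fixed:           result=%d (rejected)\n", run_request(1, 64));
    return 0;
}
```

The point for reviewers of any length-prefixed protocol parser is the single comparison in `heartbeat_fixed`: a length supplied by the peer is untrusted input and must be checked against the number of bytes actually received before it is used to index or copy memory. Everything else in the toy exists only to show what the absence of that comparison hands back to the requester.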

How bad is Heartbleed?

So how bad is Heartbleed? Here is what a few security pros have to say.

Password/privileged identity management expert Philip Lieberman, president of Lieberman Software stated, “This is very bad, and the consequences are very scary now that it has been disclosed. The fact that this code is on home and commercial Internet connected devices on a global scale means that the Internet is a different place today.”

Unstructured data governance expert Jonathan Sander, strategy and research officer, STEALTHbits Technologies commented that: "Heartbleed is like finding a faulty car part used in nearly every make and model, but you can’t recall the Internet and all the data you put out on it. Having common technology is typically viewed as a good thing. But it can also lead to assumptions. People assume the parts they use are safe if everyone uses them. If deep testing isn’t being done by the good guys to make sure those parts stay safe over time, then you can be sure the bad guys will find the faults first.”

Encryption and tokenization expert Mark Bower, VP of product management and solution architecture, Voltage Security noted, “While ‘Heartbleed’ presents clear and present risk of exploit and active attack to systems to steal data, the big danger is to systems that have been relying on secure communications for things like key and credential exchange since the first affected version of OpenSSL was deployed. So affected entities need, in particular, to consider the external use of affected versions of OpenSSL in use, and establish what might have been transported and been potentially at risk in past SSL sessions with client systems or other servers. That itself might be very difficult, and requires consideration for changing transported credentials, certificates or monitoring other sensitive data which if exposed could lead to secondary compromises, theft, or further malware infestation.

Security vulnerabilities will always exist, and provide the ideal beachhead for attackers to establish the data-stealing malware infantry front line. In this case, Heartbleed’s significant data theft risk also emphasizes the need to take a different approach to data protection above and beyond SSL – for example, encrypting the data well before it enters and exits the SSL tunnel so that even if the transport is compromised, the data itself has no value to an attacker. This ‘data-centric’ or end-to-end protection model can reduce the need for SSL in the first place in some cases, and also protect data well beyond where SSL starts and stops. And for cases where SSL plays a critical and essential role, use transport mechanisms that are unaffected or patched against this particular risk as soon as possible.”

Read all about it

Codenomicon created a web site (http://heartbleed.com) to provide the latest information on the bug and to give security professionals details on what to think about and do. In addition, the popular web site Lifehacker has provided information for us mere mortal users about Heartbleed, but be forewarned, what they are saying is, “Unfortunately, there's not much you can do about this. The only way to fix this problem is for the vulnerable sites to update OpenSSL and reissue their security certificates.”

While some pros are saying that changing passwords might not be the best thing to do given what we do not know, and with the Lifehacker advice not providing much solace since it appears we need for those controlling the exposed servers to act, I have already spent several waking hours taking care of my online banking and other sensitive sites I visit including Facebook, Twitter, Google, and a few others. It is something you might wish to consider. I, for one, do not want to fit the description that there is no fool like an April fool.

Edited by Rory J. Thompson