Vulnerabilities / Threats // Advanced Threats
4/10/2014
04:35 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Heartbleed Will Go On Even After The Updates

What's next now that the mindset is 'assume the worst has already occurred?'

The fallout from the Heartbleed bug likely will be felt for a long time, but the immediate and urgent questions top of mind are which sites and products are affected, and which have been fixed. Then what? The scary reality is that even after a site or product is patched and users have changed their passwords, Heartbleed will not be over.

It is impossible to discern whether nation-states or well-funded cyber-criminals had already known and exploited the flaw for the past two years it's been in circulation in OpenSSL. This bug has also a long tail that spreads to internal networks, applications, and some mobile devices. Digital certificates have been exposed, and what was once a reliable and secure connection, SSL, has been compromised.

"OpenSSL is more than websites: it's server communications, products shipped with black boxes... those are going to take a while to update. Heartbleed is going to have a long-term affect and the industry is going to have to work pretty hard to fix it," says Barrett Lyon, founder & CTO of Defense.Net, a DDoS mitigation firm. "People are getting very diligent and updating things very quickly... But there are always going to be stragglers."

Dan Kaminsky, the security expert who discovered and coordinated the patching of the DNS caching flaw in 2008, says the Heartbleed disclosure represents a whole different ballgame. Kaminsky, who is co-founder and chief scientist at White Ops, says it's traditionally been the case where a bug is found, and the message is now go and fix it.

"In the case of Heartbleed, the presumption is that it's already too late, that all information that could be extracted, has been extracted, and that pretty much everyone needs to execute emergency remediation procedures," Kaminsky said today in a blog post. "It's a significant change, to assume the worst has already occurred."

Adam Vincent, CEO of Cyber Squared, says Heartbleed is a "security-changing event" with far-reaching repercussions. First, cyber-espionage actors are able to decrypt any encrypted information siphoned via this flaw. "They can find and retrieve the private key of a server that encrypted the traffic to begin with. If they have one to ten years' worth of traffic and were using that same private key, then they have encrypted content and have the private key to decrypt it," Vincent says.

Sophisticated and well-heeled cyber-criminals could target corporations or government agencies by using Heartbleed to gain a foothold into a vulnerable, internal server, Vincent notes. They can write a program that collects information from that server. Bad actors likely already are at work exploiting this:  "I wouldn't be surprised if some sophisticated organization started pointing a sensor at vulnerable websites while [the site operators] were hustling to get them protected -- capturing as much information as they can on a large scale," he says. "The question is, how long have the bad guys known about [Heartbleed]?"

What to do now
The list of affected sites is a moving target, but several major sites have revealed their statuses. Amazon.com, Twitter.com, HootSuite, and LinkedIn were not affected by the flaw, but Pinterest, Tumblr, and Yahoo are. Mashable has a checklist of the status of major sites here.

Google says it has patched Google Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine prior to the Heartbleed announcement on Monday. Google Chrome and Chrome OS, and the newest Android versions are immune. Android 4.1.1 is affected by the bug, according to Google, and its partners are receiving patch information.

Google Cloud SQL, Compute Engine, and Search Appliance are in the process of getting patched, according to Google. Facebook, meanwhile, patched prior to the Heartbleed disclosure. "We haven't detected any signs of suspicious account activity that would suggest a specific action, but we encourage people to take this opportunity to follow good practices and set up a unique password for your Facebook account that you don’t use on other sites," a Facebook spokesperson said.

Amazon Web Services was affected and has been updated.

Several networking vendors have released updates for products using the doomed OpenSSL version, including Cisco Systems, Juniper Networks, and F5 Networks. Software vendors RedHat, Sophos, and VMware have affected products. A full list and links to vendor updates is available from Carnegie Mellon CERT.

In an analysis of cloud providers susceptible to Heartbleed, Skyhigh found that 368 cloud providers -- including top backup, human resources, security, collaboration, ERM, and storage providers -- had not updated their software 24 hours after the Heartbleed patch was issued.

Meanwhile, experts say, keep calm. Be aware that spammers already are using Heartbleed as a lure for spam and phishing emails about changing passwords, and don't rush to change passwords until the Heartbleed-affected site, service, or vendor, has confirmed that it has patched for the OpenSSL flaw and has a new digital certificate.

There's now a free third-party Google Chrome browser extension available called Chromebleed that screens websites for vulnerability to Heartbleed vulnerability.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
stephenq42
50%
50%
stephenq42,
User Rank: Apprentice
4/17/2014 | 10:09:14 PM
We must assume the worst
This flaw has been in circulation for years (plural).  It could have been exploited by anyone during that time.

It is unbelievable that nobody discovered this flaw until last week, especially since the source code is freely available.  There are many smart bad guys out there.

Everyone who is known to be affected must assume that all encrypted communication using keys stored or accessed via OpenSSL are compromised.

I agree that the repercussions will be felt for years.  
AKessler
100%
0%
AKessler,
User Rank: Strategist
4/14/2014 | 2:06:15 PM
Protect Against Zero-day vulnerabilities
This may seem alarming to some but intelligence agencies are in the business of discovering, purchasing, and otherwise exploiting vulnerabilities. There are countless individuals and organizations that discover and sell zero-day vulnerabilities. Responsible disclosure practices are what allow customers to protect themselves against zero-day vulnerabilities. Many organizations who purchase zero-day vulnerabilities on the open market vet those from whom they purchase zero-day vulnerabilities and require that the researcher who finds the zero-day lives by responsible disclosure rules.
uribe100
50%
50%
uribe100,
User Rank: Apprentice
4/14/2014 | 10:35:20 AM
100%
It is 100% sure that Malsubjects will continue to use the Heartbleed Bug as one of the many tools in their toolbox to continue stealing information from out-of-date systems!
Tim Silverline
50%
50%
Tim Silverline,
User Rank: Apprentice
4/12/2014 | 12:06:17 PM
Re: We need proof
CloudFlare has now admitted that two hackers have accomplished the feat:

 

http://www.theverge.com/us-world/2014/4/11/5606524/hacker-successfully-uses-heartbleed-to-retrieve-private-security-keys

 

https://www.cloudflarechallenge.com/heartbleed
SgS125
50%
50%
SgS125,
User Rank: Strategist
4/11/2014 | 3:56:00 PM
Re: We need proof
And they say they have put up a site for others to try and crack, so far no one has found any keys.  I can't seem to find anyone that can show a proof of concept where they have gotten the private keys yet.

Plenty of other data can be grabbed, but without the key to decrrypt it what do you get?

 
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
4/11/2014 | 3:43:51 PM
Re: We need proof
CloudFlare just put up an interesting post looking at this very topic...how it's doable to grab the private key, but not easy. Basically, what Rob Graham of Errata Security said. http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed
SgS125
50%
50%
SgS125,
User Rank: Strategist
4/11/2014 | 2:32:17 PM
We need proof
Has anyone anywhere been able to show that the private keys can actually be obtained?

Even the proof of concept excercises have not shown that any private keys can be obtained.

Please provide some providence for the claim that private keys have been compromised or even can be obtained.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0972
Published: 2014-08-01
The kgsl graphics driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not properly prevent write access to IOMMU context registers, which allows local users to select a custom page table, and consequently write ...

CVE-2014-2627
Published: 2014-08-01
Unspecified vulnerability in HP NonStop NetBatch G06.14 through G06.32.01, H06 through H06.28, and J06 through J06.17.01 allows remote authenticated users to gain privileges for NetBatch job execution via unknown vectors.

CVE-2014-3009
Published: 2014-08-01
The GDS component in IBM InfoSphere Master Data Management - Collaborative Edition 10.0 through 11.0 and InfoSphere Master Data Management Server for Product Information Management 9.0 and 9.1 does not properly handle FRAME elements, which makes it easier for remote authenticated users to conduct ph...

CVE-2014-3302
Published: 2014-08-01
user.php in Cisco WebEx Meetings Server 1.5(.1.131) and earlier does not properly implement the token timer for authenticated encryption, which allows remote attackers to obtain sensitive information via a crafted URL, aka Bug ID CSCuj81708.

CVE-2014-3534
Published: 2014-08-01
arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s390 platform does not properly restrict address-space control operations in PTRACE_POKEUSR_AREA requests, which allows local users to obtain read and write access to kernel memory locations, and consequently gain privileges, via a c...

Best of the Web
Dark Reading Radio