4/10/2014
04:35 PM

Heartbleed Will Go On Even After The Updates

What's next now that the mindset is 'assume the worst has already occurred?'

The fallout from the Heartbleed bug likely will be felt for a long time, but the immediate and urgent questions top of mind are which sites and products are affected, and which have been fixed. Then what? The scary reality is that even after a site or product is patched and users have changed their passwords, Heartbleed will not be over.

It is impossible to discern whether nation-states or well-funded cyber-criminals already knew about and exploited the flaw during the two years it has been in circulation in OpenSSL. The bug also has a long tail that reaches into internal networks, applications, and some mobile devices. Digital certificates have been exposed, and what was once a reliable and secure connection, SSL, has been compromised.

"OpenSSL is more than websites: it's server communications, products shipped with black boxes... those are going to take a while to update. Heartbleed is going to have a long-term effect and the industry is going to have to work pretty hard to fix it," says Barrett Lyon, founder & CTO of Defense.Net, a DDoS mitigation firm. "People are getting very diligent and updating things very quickly... But there are always going to be stragglers."

Dan Kaminsky, the security expert who discovered and coordinated the patching of the DNS caching flaw in 2008, says the Heartbleed disclosure represents a whole different ballgame. Kaminsky, who is co-founder and chief scientist at White Ops, says the traditional pattern has been that a bug is found and the message is: now go and fix it.

"In the case of Heartbleed, the presumption is that it's already too late, that all information that could be extracted, has been extracted, and that pretty much everyone needs to execute emergency remediation procedures," Kaminsky said today in a blog post. "It's a significant change, to assume the worst has already occurred."

Adam Vincent, CEO of Cyber Squared, says Heartbleed is a "security-changing event" with far-reaching repercussions. First, cyber-espionage actors are able to decrypt any encrypted information siphoned via this flaw. "They can find and retrieve the private key of a server that encrypted the traffic to begin with. If they have one to ten years' worth of traffic and were using that same private key, then they have encrypted content and have the private key to decrypt it," Vincent says.
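Vincent's point rests on how the session key was agreed: with RSA key transport, the client encrypts the session key under the server's long-term public key, so whoever later obtains the private key can decrypt every recorded session; with an ephemeral (EC)DH exchange the long-term key only signs the handshake and recorded traffic stays opaque. The following Python is an added example, not code from the article or from any of the people quoted. It classifies cipher suites by whether a leaked private key exposes recorded sessions, and builds a server-side `ssl.SSLContext` that refuses static RSA key exchange. The function names and the `SAMPLE_NEGOTIATED` list are constructed for this illustration; the suite names themselves are real OpenSSL names.

```python
import ssl

# Constructed sample of (cipher, protocol) pairs as ssl.SSLSocket.cipher()
# reports them for recorded sessions; the selection is ours.
SAMPLE_NEGOTIATED = [
    ("AES128-GCM-SHA256", "TLSv1.2"),            # RSA key transport
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2"),  # ephemeral ECDH, RSA only signs
    ("DHE-RSA-AES256-SHA", "TLSv1.2"),           # ephemeral finite-field DH
    ("TLS_AES_256_GCM_SHA384", "TLSv1.3"),       # TLS 1.3: always ephemeral
]


def forward_secret(cipher_name: str, protocol: str) -> bool:
    """True when the session key comes from an ephemeral (EC)DH exchange, so a
    later leak of the server's long-term private key does not decrypt recorded
    traffic. TLS 1.3 removed RSA key transport entirely; for TLS 1.2 and
    earlier the OpenSSL suite name starts with ECDHE- or DHE- when the
    exchange is ephemeral."""
    if protocol == "TLSv1.3":
        return True
    return cipher_name.startswith(("ECDHE-", "DHE-"))


def sessions_exposed_by_key_leak(negotiated):
    """Return the suites from recorded sessions whose traffic an attacker
    holding the server's private key could decrypt after the fact."""
    return [name for name, proto in negotiated if not forward_secret(name, proto)]


def forward_secrecy_context() -> ssl.SSLContext:
    """Server-side context that only offers ephemeral key exchange.
    OpenSSL cipher-string keywords: ECDHE/DHE select ephemeral suites,
    !kRSA removes RSA key transport, !aNULL/!eNULL drop unauthenticated and
    unencrypted suites. TLS 1.3 suites are not governed by set_ciphers and are
    forward secret anyway."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.set_ciphers("ECDHE:DHE:!kRSA:!aNULL:!eNULL")
    return ctx


def context_offers_only_forward_secret(ctx: ssl.SSLContext) -> bool:
    """Check the configured context against the classifier above."""
    return all(forward_secret(c["name"], c["protocol"]) for c in ctx.get_ciphers())


if __name__ == "__main__":
    print("recorded sessions exposed by a key leak:",
          sessions_exposed_by_key_leak(SAMPLE_NEGOTIATED))
    print("hardened context offers only forward-secret suites:",
          context_offers_only_forward_secret(forward_secrecy_context()))
```

The classifier is deliberately name-based so it can be run over historical connection logs that recorded only the negotiated suite. Note that enabling forward secrecy now protects future sessions only; anything captured while a static-RSA suite was in use remains decryptable once the key is known, which is why reissuing the certificate with a fresh key pair is still required.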

Sophisticated and well-heeled cyber-criminals could target corporations or government agencies by using Heartbleed to gain a foothold into a vulnerable, internal server, Vincent notes. They can write a program that collects information from that server. Bad actors likely are already at work exploiting this: "I wouldn't be surprised if some sophisticated organization started pointing a sensor at vulnerable websites while [the site operators] were hustling to get them protected -- capturing as much information as they can on a large scale," he says. "The question is, how long have the bad guys known about [Heartbleed]?"

What to do now
The list of affected sites is a moving target, but several major sites have revealed their statuses. Amazon.com, Twitter.com, HootSuite, and LinkedIn were not affected by the flaw, but Pinterest, Tumblr, and Yahoo are. Mashable has a checklist of the status of major sites here.

Google says it patched Google Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine prior to the Heartbleed announcement on Monday. Google Chrome and Chrome OS, and the newest Android versions, are immune. Android 4.1.1 is affected by the bug, according to Google, and its partners are receiving patch information.

Google Cloud SQL, Compute Engine, and Search Appliance are in the process of getting patched, according to Google. Facebook, meanwhile, patched prior to the Heartbleed disclosure. "We haven't detected any signs of suspicious account activity that would suggest a specific action, but we encourage people to take this opportunity to follow good practices and set up a unique password for your Facebook account that you don’t use on other sites," a Facebook spokesperson said.

Amazon Web Services was affected and has been updated.

Several networking vendors have released updates for products using the doomed OpenSSL version, including Cisco Systems, Juniper Networks, and F5 Networks. Software vendors Red Hat, Sophos, and VMware have affected products. A full list and links to vendor updates are available from Carnegie Mellon CERT.

In an analysis of cloud providers susceptible to Heartbleed, Skyhigh found that 368 cloud providers -- including top backup, human resources, security, collaboration, ERM, and storage providers -- had not updated their software 24 hours after the Heartbleed patch was issued.

Meanwhile, experts say, keep calm. Be aware that spammers are already using Heartbleed as a lure for spam and phishing emails about changing passwords, and don't rush to change passwords until the Heartbleed-affected site, service, or vendor has confirmed that it has patched the OpenSSL flaw and has a new digital certificate.
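The two facts the advice above asks you to confirm, that the service runs a fixed OpenSSL build and that its certificate was reissued after the disclosure, can be checked mechanically. The Python below is an added example, not code from the article or any vendor. It parses an OpenSSL version banner against the affected range (1.0.1 through 1.0.1f and 1.0.2-beta1; fixed in 1.0.1g and 1.0.2-beta2, while the 1.0.0 and 0.9.8 branches never contained the heartbeat code) and compares the certificate's `notBefore` field, in the format `ssl.SSLSocket.getpeercert()` returns, with the disclosure date of April 7, 2014. The function names and the sample banners and dates in the usage block are constructed for the illustration.

```python
import re
import ssl

# Disclosure date of the bug (April 7, 2014), expressed through the same
# parser that handles getpeercert()['notBefore'] strings.
HEARTBLEED_DISCLOSED = ssl.cert_time_to_seconds("Apr  7 00:00:00 2014 GMT")

# Matches banners such as "OpenSSL 1.0.1e-fips 11 Feb 2013" or
# "OpenSSL 1.0.2-beta1"; group 4 is the patch letter, group 5 the beta number.
_VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def openssl_vulnerable(banner: str) -> bool:
    """True when the version string names a build whose stock source carries
    the bug. Caveat: distributions that backported the fix keep the old
    version string (the package changelog is authoritative there), so a
    'vulnerable' answer from the banner alone is a prompt to look closer,
    not a final verdict."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version string: {banner!r}")
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, fix) == (1, 0, 1):
        return letter <= "f"  # '' (plain 1.0.1) sorts before 'a'; 'g' is fixed
    if (major, minor, fix) == (1, 0, 2):
        return beta is not None and int(beta) < 2  # only beta1 shipped the bug
    return False


def remediation_status(banner: str, cert_not_before: str) -> str:
    """Combine library version and certificate issue date into the decision
    the article describes: wait, or change the password now."""
    if openssl_vulnerable(banner):
        return "vulnerable: service still exposed, do not change the password yet"
    if ssl.cert_time_to_seconds(cert_not_before) < HEARTBLEED_DISCLOSED:
        return ("patched, certificate predates disclosure: treat the key as "
                "leaked until the certificate is reissued and the old one revoked")
    return "patched and reissued: change the password now"


if __name__ == "__main__":
    # Constructed sample inputs for the illustration.
    for banner, not_before in [
        ("OpenSSL 1.0.1e-fips 11 Feb 2013", "Mar 12 00:00:00 2014 GMT"),
        ("OpenSSL 1.0.1g 7 Apr 2014", "Mar 12 00:00:00 2014 GMT"),
        ("OpenSSL 1.0.1g 7 Apr 2014", "Apr 10 00:00:00 2014 GMT"),
    ]:
        print(f"{banner:35} cert from {not_before}: {remediation_status(banner, not_before)}")
```

One caveat the date check cannot catch: a certificate reissued after the disclosure but generated from the same key pair leaves the exposure unchanged. Compare the public key (for instance a hash of the SubjectPublicKeyInfo) of the old and new certificates, not just their dates, before treating a service as remediated.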

There's now a free third-party Google Chrome browser extension called Chromebleed that checks whether the websites you visit are vulnerable to Heartbleed.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
stephenq42, User Rank: Apprentice, 4/17/2014 | 10:09:14 PM
We must assume the worst
This flaw has been in circulation for years (plural).  It could have been exploited by anyone during that time.

It is unbelievable that nobody discovered this flaw until last week, especially since the source code is freely available.  There are many smart bad guys out there.

Everyone who is known to be affected must assume that all encrypted communication using keys stored or accessed via OpenSSL is compromised.

I agree that the repercussions will be felt for years.
AKessler, User Rank: Strategist, 4/14/2014 | 2:06:15 PM
Protect Against Zero-day vulnerabilities
This may seem alarming to some but intelligence agencies are in the business of discovering, purchasing, and otherwise exploiting vulnerabilities. There are countless individuals and organizations that discover and sell zero-day vulnerabilities. Responsible disclosure practices are what allow customers to protect themselves against zero-day vulnerabilities. Many organizations who purchase zero-day vulnerabilities on the open market vet those from whom they purchase zero-day vulnerabilities and require that the researcher who finds the zero-day lives by responsible disclosure rules.
uribe100, User Rank: Apprentice, 4/14/2014 | 10:35:20 AM
100%
It is 100% sure that Malsubjects will continue to use the Heartbleed Bug as one of the many tools in their toolbox to continue stealing information from out-of-date systems!
Tim Silverline, User Rank: Apprentice, 4/12/2014 | 12:06:17 PM
Re: We need proof
CloudFlare has now admitted that two hackers have accomplished the feat:

http://www.theverge.com/us-world/2014/4/11/5606524/hacker-successfully-uses-heartbleed-to-retrieve-private-security-keys

https://www.cloudflarechallenge.com/heartbleed
SgS125, User Rank: Moderator, 4/11/2014 | 3:56:00 PM
Re: We need proof
And they say they have put up a site for others to try and crack, so far no one has found any keys.  I can't seem to find anyone that can show a proof of concept where they have gotten the private keys yet.

Plenty of other data can be grabbed, but without the key to decrypt it what do you get?

Kelly Jackson Higgins, User Rank: Strategist, 4/11/2014 | 3:43:51 PM
Re: We need proof
CloudFlare just put up an interesting post looking at this very topic...how it's doable to grab the private key, but not easy. Basically, what Rob Graham of Errata Security said. http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed
SgS125, User Rank: Moderator, 4/11/2014 | 2:32:17 PM
We need proof
Has anyone anywhere been able to show that the private keys can actually be obtained?

Even the proof of concept exercises have not shown that any private keys can be obtained.

Please provide some providence for the claim that private keys have been compromised or even can be obtained.