4/10/2014 04:35 PM

Heartbleed Will Go On Even After The Updates

What's next now that the mindset is 'assume the worst has already occurred?'

The fallout from the Heartbleed bug likely will be felt for a long time, but the immediate and urgent questions top of mind are which sites and products are affected, and which have been fixed. Then what? The scary reality is that even after a site or product is patched and users have changed their passwords, Heartbleed will not be over.

It is impossible to discern whether nation-states or well-funded cyber-criminals already knew about and exploited the flaw during the two years it has been in circulation in OpenSSL. This bug also has a long tail that spreads to internal networks, applications, and some mobile devices. Digital certificates have been exposed, and what was once a reliable and secure connection, SSL, has been compromised.

"OpenSSL is more than websites: it's server communications, products shipped with black boxes... those are going to take a while to update. Heartbleed is going to have a long-term effect and the industry is going to have to work pretty hard to fix it," says Barrett Lyon, founder & CTO of Defense.Net, a DDoS mitigation firm. "People are getting very diligent and updating things very quickly... But there are always going to be stragglers."

Dan Kaminsky, the security expert who discovered and coordinated the patching of the DNS caching flaw in 2008, says the Heartbleed disclosure represents a whole different ballgame. Kaminsky, who is co-founder and chief scientist at White Ops, says that traditionally a bug is found and the message is simply: now go and fix it.

"In the case of Heartbleed, the presumption is that it's already too late, that all information that could be extracted, has been extracted, and that pretty much everyone needs to execute emergency remediation procedures," Kaminsky said today in a blog post. "It's a significant change, to assume the worst has already occurred."

Adam Vincent, CEO of Cyber Squared, says Heartbleed is a "security-changing event" with far-reaching repercussions. First, cyber-espionage actors are able to decrypt any encrypted information siphoned via this flaw. "They can find and retrieve the private key of a server that encrypted the traffic to begin with. If they have one to ten years' worth of traffic and were using that same private key, then they have encrypted content and have the private key to decrypt it," Vincent says.

Sophisticated and well-heeled cyber-criminals could target corporations or government agencies by using Heartbleed to gain a foothold into a vulnerable, internal server, Vincent notes. They can write a program that collects information from that server. Bad actors likely already are at work exploiting this:  "I wouldn't be surprised if some sophisticated organization started pointing a sensor at vulnerable websites while [the site operators] were hustling to get them protected -- capturing as much information as they can on a large scale," he says. "The question is, how long have the bad guys known about [Heartbleed]?"

What to do now
The list of affected sites is a moving target, but several major sites have revealed their statuses. Amazon.com, Twitter.com, HootSuite, and LinkedIn were not affected by the flaw, but Pinterest, Tumblr, and Yahoo are. Mashable has a checklist of the status of major sites here.

Google says it had patched Google Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine prior to the Heartbleed announcement on Monday. Google Chrome and Chrome OS, and the newest Android versions, are immune. Android 4.1.1 is affected by the bug, according to Google, and its partners are receiving patch information.

Google Cloud SQL, Compute Engine, and Search Appliance are in the process of getting patched, according to Google. Facebook, meanwhile, patched prior to the Heartbleed disclosure. "We haven't detected any signs of suspicious account activity that would suggest a specific action, but we encourage people to take this opportunity to follow good practices and set up a unique password for your Facebook account that you don’t use on other sites," a Facebook spokesperson said.

Amazon Web Services was affected and has been updated.

Several networking vendors have released updates for products using the doomed OpenSSL version, including Cisco Systems, Juniper Networks, and F5 Networks. Software vendors RedHat, Sophos, and VMware have affected products. A full list and links to vendor updates are available from Carnegie Mellon CERT.

In an analysis of cloud providers susceptible to Heartbleed, Skyhigh found that 368 cloud providers -- including top backup, human resources, security, collaboration, ERM, and storage providers -- had not updated their software 24 hours after the Heartbleed patch was issued.

Meanwhile, experts say, keep calm. Be aware that spammers already are using Heartbleed as a lure for spam and phishing emails about changing passwords, and don't rush to change passwords until the Heartbleed-affected site, service, or vendor has confirmed that it has patched the OpenSSL flaw and has a new digital certificate.

There's now a free third-party Google Chrome browser extension, Chromebleed, that screens websites for the Heartbleed vulnerability.
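As an added example (not code from the article or from any vendor named in it), the "wait for a new digital certificate" advice can be checked mechanically: a certificate on an affected server whose notBefore date predates the 7 April 2014 disclosure may still carry a private key that was exposed while the server was vulnerable. The disclosure date and the sample certificate metadata below are constructed for the example; only the Python standard library is used.

```python
import calendar
import socket
import ssl
import time

# Heartbleed was publicly disclosed on 7 April 2014 (the "Monday" the article
# refers to). A certificate issued on an affected server before that date may
# carry a key that was readable while the server was still vulnerable.
HEARTBLEED_DISCLOSURE = calendar.timegm((2014, 4, 7, 0, 0, 0))


def assess_certificate(cert, now=None):
    """Classify a certificate dict of the shape returned by
    ssl.SSLSocket.getpeercert(), whose 'notBefore'/'notAfter' values look
    like 'Apr  8 12:00:00 2014 GMT'. Returns one of:
      'expired'        - validity window has already closed
      'pre-disclosure' - issued before disclosure: key may have been exposed
      'reissued'       - issued after disclosure and still valid
    """
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now > not_after:
        return "expired"
    if not_before < HEARTBLEED_DISCLOSURE:
        return "pre-disclosure"
    return "reissued"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch a live server's leaf certificate in getpeercert() form
    (needs network access; the constructed samples below do not use it)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificate metadata (not real certificates).
OLD_CERT = {"subject": ((("commonName", "example.test"),),),
            "notBefore": "Jan 15 00:00:00 2013 GMT",
            "notAfter": "Jan 15 23:59:59 2015 GMT"}
NEW_CERT = {"subject": ((("commonName", "example.test"),),),
            "notBefore": "Apr  9 08:30:00 2014 GMT",
            "notAfter": "Apr  9 08:30:00 2016 GMT"}

if __name__ == "__main__":
    snapshot = calendar.timegm((2014, 4, 10, 0, 0, 0))  # the article's date
    for label, cert in (("old", OLD_CERT), ("new", NEW_CERT)):
        print(label, assess_certificate(cert, now=snapshot))
```

A "reissued" result only shows the certificate was replaced after disclosure; whether the server's OpenSSL was actually patched before the new key was generated still has to be confirmed with the operator.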

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...

Comments
stephenq42
User Rank: Apprentice
4/17/2014 | 10:09:14 PM
We must assume the worst
This flaw has been in circulation for years (plural).  It could have been exploited by anyone during that time.

It is unbelievable that nobody discovered this flaw until last week, especially since the source code is freely available.  There are many smart bad guys out there.

Everyone who is known to be affected must assume that all encrypted communication using keys stored or accessed via OpenSSL are compromised.

I agree that the repercussions will be felt for years.  
AKessler
User Rank: Strategist
4/14/2014 | 2:06:15 PM
Protect Against Zero-day vulnerabilities
This may seem alarming to some but intelligence agencies are in the business of discovering, purchasing, and otherwise exploiting vulnerabilities. There are countless individuals and organizations that discover and sell zero-day vulnerabilities. Responsible disclosure practices are what allow customers to protect themselves against zero-day vulnerabilities. Many organizations who purchase zero-day vulnerabilities on the open market vet those from whom they purchase zero-day vulnerabilities and require that the researcher who finds the zero-day lives by responsible disclosure rules.
uribe100
User Rank: Apprentice
4/14/2014 | 10:35:20 AM
100%
It is 100% sure that Malsubjects will continue to use the Heartbleed Bug as one of the many tools in their toolbox to continue stealing information from out-of-date systems!
Tim Silverline
User Rank: Apprentice
4/12/2014 | 12:06:17 PM
Re: We need proof
CloudFlare has now admitted that two hackers have accomplished the feat:

http://www.theverge.com/us-world/2014/4/11/5606524/hacker-successfully-uses-heartbleed-to-retrieve-private-security-keys

https://www.cloudflarechallenge.com/heartbleed
SgS125
User Rank: Strategist
4/11/2014 | 3:56:00 PM
Re: We need proof
And they say they have put up a site for others to try and crack, so far no one has found any keys.  I can't seem to find anyone that can show a proof of concept where they have gotten the private keys yet.

Plenty of other data can be grabbed, but without the key to decrypt it what do you get?
Kelly Jackson Higgins
User Rank: Strategist
4/11/2014 | 3:43:51 PM
Re: We need proof
CloudFlare just put up an interesting post looking at this very topic...how it's doable to grab the private key, but not easy. Basically, what Rob Graham of Errata Security said. http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed
SgS125
User Rank: Strategist
4/11/2014 | 2:32:17 PM
We need proof
Has anyone anywhere been able to show that the private keys can actually be obtained?

Even the proof of concept exercises have not shown that any private keys can be obtained.

Please provide some providence for the claim that private keys have been compromised or even can be obtained.