It's been one week since the massive Heartbleed flaw was disclosed publicly and websites began frantically patching, but the potential danger of the bug being used to hack into businesses' internal networks and steal their data could last for years to come.
The attention initially focused on patching public-facing websites and protecting user credentials from Heartbleed, as well as sites' digital certificates. But the long-term ramifications of the Heartbleed encryption flaw in the widely deployed open-source OpenSSL library are slowly coming into focus: how cyberspies and sophisticated cybercrime gangs can or already have used the bug to infiltrate an organization's intranet servers, network devices, client machines, and VPN servers in order to steal valuable data.
"The immediate focus should have been on the perimeter and external websites. But the long-term devastation and real cost is from the internal [network] perspective," says Rob Seger, distinguished engineer at Palo Alto Networks. "Being able to steal all the data carte blanche is, in my opinion, a more lasting and negative" outcome of Heartbleed.
The list of potentially vulnerable internal assets is massive -- everything from internal web servers for mission-critical internal applications to SSL-enabled services such as FTP over SSL, VOIP phones, printers, VPN servers, and VPN clients. "The reality is that it's going to take 4-5 years minimum for the larger enterprises to clean this up," assuming they know where all their vulnerable SSL-based services and products reside in the network, Seger says.
Identifying and patching those internal Heartbleed-vulnerable systems will take time, and in many cases, not everything will get patched. Some lower-profile devices may not ever receive vendor patches, security experts say, and legacy systems could get lost in the patch shuffle.
A VOIP phone, for example, could be exploited to listen in on calls, and data within documents coming off a printer would be at risk of interception. Client machines, meanwhile, are vulnerable via a Heartbleed exploit service they connect to, which could collect data from those machines, experts say.
"This made it so a script kiddie can leverage APT-level attacks... by stealing a Python script off the web, he can do things only APTs can do," Palo Alto's Seger says.
Heartbleed is an implementation flaw in OpenSSL versions 1.0.1 and 1.0.2 beta that leaks the contents of memory from the server to the client, and vice versa, potentially exposing passwords, other sensitive data -- and the SSL server's private key. OpenSSL developers inadvertently introduced the flaw into those versions of the open-source code at their release two years ago, but it was only recently that researchers at Google and Codenomicon discovered and reported it.
OpenSSL released a patch a week ago for the bug in the Transport Layer Security protocol's "heartbeat" extension, a keep-alive mechanism that lets one end of a connection check that the other end is still connected and able to respond. An exploit using the bug would allow an attacker to siphon up to 64 kilobits of server memory at a time.
The discovery of Heartbleed comes at a time when the security and privacy communities have been lobbying heavily for wider SSL adoption, reacting to revelations of widespread surveillance by the National Security Agency.
"We still don't have definite consensus on how bad this [Heartbleed] is yet," says Damon Rouse, director of IT for the defense and government contractor Epsilon Systems.
Rouse, who says his organization is mostly a Windows environment and so is not as widely affected by Heartbleed as some larger organizations, has spotted some false positives in his network pointing to Heartbleed attack activity. "We've seen a couple of false positives with some IPS rules we have put in place" on the network. One alert turned out to be a backup vendor's OpenSSL implementation that required a patch, which came the next day, he says.
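The kind of check an IPS rule needs in order to separate a genuine malformed heartbeat from the false positives Rouse describes, as an added example that is not from the article, from OpenSSL or from any vendor mentioned: it parses one TLS record and applies the same length test the OpenSSL fix introduced, so an honest keep-alive passes while a message claiming more payload than it carries is flagged. The sample records are constructed for the example.

```python
# Added example, not from the article or from OpenSSL: a classifier for the
# malformed TLS heartbeat messages behind Heartbleed. It applies the bounds
# check the OpenSSL patch added: the declared payload length must fit inside
# the record with the 1-byte type, 2-byte length field and 16 bytes of padding.
import struct

TLS_HEARTBEAT = 0x18            # TLS record content type for the heartbeat extension
HB_REQUEST, HB_RESPONSE = 1, 2  # heartbeat message types defined by RFC 6520
MIN_PADDING = 16                # RFC 6520: at least 16 bytes of random padding


def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, body), or None if truncated."""
    if len(data) < 5:
        return None
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    return None if len(body) != length else (ctype, version, body)


def classify_heartbeat(record: bytes) -> str:
    """Classify one TLS record as 'truncated', 'not-heartbeat', 'benign' or 'malformed'.

    'malformed' means the declared payload length cannot be satisfied by the bytes
    actually present: the condition unpatched OpenSSL failed to check before echoing
    payload_length bytes of process memory back to the peer.
    """
    parsed = parse_tls_record(record)
    if parsed is None:
        return "truncated"
    ctype, _version, body = parsed
    if ctype != TLS_HEARTBEAT:
        return "not-heartbeat"
    if len(body) < 3:
        return "malformed"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "malformed"
    # The check added by the OpenSSL fix: 1 + 2 + payload + 16 must not exceed the body.
    if 1 + 2 + payload_len + MIN_PADDING > len(body):
        return "malformed"
    return "benign"


# Constructed sample records (record header | type, payload length, payload, padding).
BENIGN = bytes.fromhex("18 0302 0016" "01 0003 616263" + "00" * MIN_PADDING)
MALFORMED = bytes.fromhex("18 0302 0016" "01 4000 616263" + "00" * MIN_PADDING)
NOT_HEARTBEAT = bytes.fromhex("16 0303 0001 01")   # a 1-byte handshake record
```

Run the classifier over records carved from a capture; only the "malformed" verdict should raise an alert, which is what keeps a vendor's ordinary keep-alive traffic from tripping the rule.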
Businesses and other organizations are beginning to take a close look at their internal web server interfaces, VPN concentrators, and other internal systems using SSL for encrypted sessions. "I have a red team group, and our collective feel is that this is something within organizations that has got a long-tail effect that's going to linger for years to never for some products that may have versions that may never receive a vendor patch," says George Baker, director of professional services at the managed security services firm Foreground Security. "This is a great vector for an advanced attack -- for a phish or a beachhead."
So how can organizations protect their internal networks from the potential bloodletting of Heartbleed?
Segment your internal network with virtualization. A flat architecture makes it too easy for attackers to move around laterally and get to targeted information, experts say. "Create logical barriers, especially around data centers," says Raj Shah, director of cybersecurity for Palo Alto Networks.
"If you can segment those networks internally, even if a patch is not available for a phone, or an embedded device, for example, you can move it to a place where laptops and systems that don't need to connect to it are segmented and segregated. Segregating internal network space is a huge risk reduction for an advanced attack," Foreground's Baker says.
Those VLANs can be set up via router access control lists or stateful firewalls, he says.
IPSes and data leakage protection systems should be updated to detect Heartbleed-type attacks, as well, and web application firewalls can help. "Usually, in these cases, it takes a while to understand you've been compromised," says Motty Alon, director of security solutions at Radware.
Heartbleed is a game-changing security event, Alon says. "It's something like what happened to airport security after 9/11. It will change all of the things we know, and there will be" multiple stages to the response.
Meanwhile, at least one anti-DDoS service provider says its service thwarts Heartbleed. Barrett Lyon, founder and CTO of Defense.Net, says his DDoS mitigation service automatically inspects traffic flows and validates protocols, and checks for oddities -- "if you connect in a strange way to an SSL server and the connection is not actually coming with it as if it's a web browser," for example.
Lyon says some companies may have to toss out equipment that can't be patched for Heartbleed. "We're going to hear from vendors we haven't heard from in a long time. It's going to have a ripple effect."