by Bob Snyder
What any AV integrator needs to know about Heartbleed. What You Need to Do...500,000+ Web Sites Affected... Maybe Yours...Maybe Your Customers…
Heartbleed, the newly discovered Internet flaw breaking the heart of the web industry and giving consumers heart attacks, affects half a million or more web sites. That's right, 500,000+ affected.
Why do we say "affected" and not "infected?" You’ll have to read on to learn why. We are not being cute—it’s just complicated.
Engineers working for the Finland-based security firm Codenomicon were exploring new features for their security test software when they discovered the bug heard 'round the world: a flaw affecting websites that use OpenSSL, security software that is supposed to protect users' data and passwords.
A researcher from Google Security independently discovered the error at the same time.
You can recognize SSL protected sites because they begin with "https" (that "s" was once for "secure") and usually display a "padlock icon" indicating their belief the site is extra secure.
That’s right: web sites which are not marked “S” for secure are more secure than ones indicated as secure. Go figure…
Codenomicon’s tests showed something was wrong with OpenSSL's "Heartbeat" extension, which normally checks whether a connection is secure, for example when exchanging data such as passwords or credit card numbers.
They found a flaw in the Heartbeat that could "bleed" extraneous data to any hacker using a simple script. (Now you get why it is called “Heartbleed.”)
Heartbleed is particularly dangerous because OpenSSL is used across a majority of the Internet, so the bug likely affects every Internet user in one way or another.
Heartbleed is hard to detect because intruders can attack at an early phase of communication: essentially, a data thief can rob the building before the locks are put on the doors. You would not necessarily even know you were robbed.
And that's why we say "affected" and not "infected." Nobody knows if data was leaked or not. The discovery of a flaw does not mean anyone has exploited it... (Although reports suggest the American spy agency NSA listed this exploit among its tools of the trade.)
In fact, there is a gap, a risky window between the moment the Good Guys announce a flaw and the moment it actually gets fixed. The Bad Guys learn about the flaw the same way we do and can rush to exploit something that was previously totally unknown to them.
The industry, by calling attention to the flaw, paints a target on every website and creates a Gold Rush for villains. This is happening right now: Canadian Mounties recently arrested a 19-year-old hacker who tried to use the newly disclosed vulnerability to obtain information from the Canada Revenue Agency (CRA).
Ironically, Codenomicon discovered that even the version of OpenSSL powering their company's own test protocol suite was leaking data.
Codenomicon patched its own servers and then brainstormed. A discovery like this makes a security company famous.
The company had internally named the bug "Heartbleed," so it purchased the domain name heartbleed.com from a music lyrics site (another site no doubt stricken by the SSL bug).
Codenomicon created a logo to represent the bug and began telling the world about the problem, publicity that will also make the company famous and some other firms jealous.
If Codenomicon caught the SSL flaw before thieves exploited it, the industry should be grateful. If they caught it after the exploit, the industry should still be thankful. In either case, they have rendered a true service. They are now heroes in the security industry. But being a hero is not easy…
For example, Reuters quotes a founder of the famous Def Con conference on IT security who expressed frustration because the vulnerability of his conference's email and web traffic has now been announced publicly by others, but he can't protect these exposed assets until Intel releases a patch.
Def Con's network uses an enterprise firewall from McAfee (owned by Intel Corp's security division) that uses affected versions of OpenSSL.
Was the bug a malicious flaw?
Nope. The programmer who made the mistake has come forward and admitted the error that created the bug.
It turns out the bug was introduced in OpenSSL by a volunteer, German programmer Dr. Robin Seggelmann. The code was added on New Year's Eve in 2011 and no-one spotted the mistake until earlier this month.
Dr. Seggelmann said the flaw was missed by him and also by a reviewer, another volunteer. Dr. Seggelmann says the mistake itself was 'trivial', but its effect is “clearly severe.”
Who is affected and what do you look for?
Experts claim 66% of all internet sites have this vulnerability. Certainly some of the most important sites in the world had it, up until a few days ago: Yahoo, Facebook, Google and the rest of the Who’s Who of web traffic…
You can expect up to 66% of your clients may have this problem with their web sites. That is just an average, so you could have ZERO or 100% of your clients with bad web sites. And not just home pages…these could be sites used for corporate video (internal or external), video or unified collaboration, digital signage, social media (internal or external), remote workers, or more…
And it is not just web sites. We need to think also about printers, wireless access points, routers, switches—many such IP devices use OpenSSL to provide their browser-based management interface.
Remember that one of the biggest trends in AV is the integration of mobility? Think how many things we control in AV today via our smartphones and tablets… The Lacoon Mobile Security Research team conducted an assessment of more than 100,000 popular mobile applications and found that various enterprise apps, such as Mobile Device Management (MDM), Secure Wrappers and Firewalls, are indeed affected.
While larger web companies such as Twitter and Google have already said they've patched their web site issues, other types of devices, from set-top boxes to traffic lights, may not ever get fixed because their systems are hardly ever updated.
Business owners can be held liable for any data breaches if they do not act reasonably to protect consumers, so that puts pressure on AV integrators to make sure they and their customers take steps to fix a site's "lock."
Apple confirms all of its devices and web services are safe from the bug and that its devices never used the problematic software.
Google admits Android 4.1.1 is exposed but it is working with phone makers to patch devices using "Jelly Bean."
What if your business site or your customer’s is affected?
Don’t panic, but proceed methodically. Make a list of all your sites. The OpenSSL project has addressed the Heartbleed issue in its newest versions, so fixing it can be a simple upgrade for most businesses.
An online "Heartbleed test" has been created to determine if a site (or server) is vulnerable to the Heartbleed flaw.
Contact all your customers and explain the situation (if nothing else, that is the first step that might keep you out of a lawsuit if you are responsible for their sites). Tell them about your own new security measures and recommend password changes AFTER the patches are applied. There is little point in rushing to change passwords before the sites have been patched and updated; otherwise the new passwords will be exposed to the same vulnerability.
For an excellent example, look at Important Security Update from Scala regarding “Heartbleed”.
Anyone running a vulnerable version of OpenSSL should upgrade immediately and then create new private keys. There’s no way to tell if you have been attacked, so you should assume the worst. This should be at the top of every company’s to-do list.
If your own web people or web supplier can't fix this, you may want to consider a partnership with an IT security integrator nearby. In exchange for fixing your systems, you refer them to your client list. Between the two of you, you can arrange for a Security Audit.
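As an added example (not from the article, and not Codenomicon's or the OpenSSL project's code), here is a small Python triage script for the "make a list" step: it classifies the text of `openssl version -a` collected from your own hosts. The vulnerable release range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) comes from the OpenSSL advisory rather than this article; the host names and version strings are constructed samples.

```python
import re
from datetime import date

# Upstream releases that shipped the buggy heartbeat handling (per the OpenSSL
# advisory, not this article): 1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release.
# 1.0.1g fixed it; the 0.9.8 and 1.0.0 branches never had the heartbeat code.
VULNERABLE_RELEASES = {"1.0.1", "1.0.2-beta1"} | {"1.0.1" + c for c in "abcdef"}
FIX_RELEASED = date(2014, 4, 7)  # day 1.0.1g and the first vendor backports shipped

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

def classify(version_output):
    """Classify the output of `openssl version -a` from one host as
    'not_affected', 'fixed', 'vulnerable' or 'verify_with_vendor'."""
    m = re.search(r"^OpenSSL\s+(\S+)", version_output, re.MULTILINE)
    if not m:
        raise ValueError("no OpenSSL version line found")
    release = m.group(1).replace("-fips", "")  # RHEL builds print e.g. 1.0.1e-fips
    if release in VULNERABLE_RELEASES:
        # Distributions backport the fix without bumping the version string, so a
        # build dated on/after the fix release is not provably bad: confirm it
        # against the vendor advisory or package changelog instead of guessing.
        built = re.search(
            r"built on:.*?([A-Z][a-z]{2})\s+(\d{1,2})\s+[\d:]+\s+(?:\S+\s+)?(\d{4})",
            version_output)
        if built:
            mon, day, year = built.groups()
            if date(int(year), MONTHS[mon], int(day)) >= FIX_RELEASED:
                return "verify_with_vendor"
        return "vulnerable"
    if release.startswith(("1.0.1", "1.0.2")):
        return "fixed"  # 1.0.1g and later, 1.0.2-beta2 and later
    return "not_affected"  # 0.9.8x, 1.0.0x and branches that never had the bug

def triage(inventory):
    """Map {host: version output} to {host: status}. Hosts that come back
    'vulnerable' or 'verify_with_vendor' go on the upgrade-and-rekey list."""
    return {host: classify(out) for host, out in inventory.items()}

# Constructed sample inventory (hypothetical hosts): an unpatched RHEL-style box,
# a distro-patched box, an upstream 1.0.1g build and an old 1.0.0 access point.
SAMPLE_INVENTORY = {
    "signage-cms.example": "OpenSSL 1.0.1e-fips 11 Feb 2013\nbuilt on: Wed Jan  8 07:20:55 UTC 2014\n",
    "meeting-room-ctl.example": "OpenSSL 1.0.1 14 Mar 2012\nbuilt on: Mon Apr  7 21:22:23 UTC 2014\n",
    "www.example": "OpenSSL 1.0.1g 7 Apr 2014\nbuilt on: Tue Apr  8 09:01:44 UTC 2014\n",
    "legacy-ap.example": "OpenSSL 1.0.0k 5 Feb 2013\nbuilt on: Sat Feb  9 10:07:52 UTC 2013\n",
}
```

Run `triage(SAMPLE_INVENTORY)` to get the per-host status; anything not reported as `fixed` or `not_affected` needs the upgrade, new private keys and only then the password changes the article recommends.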
Do not focus only on external-facing servers, or even only on your own servers. You should also make a list of business partners (including any vendor or distributor with whom you exchange financial transactions). Make sure you check their sites and educate them on the seriousness of this bug in their IT infrastructure.
Security is in everybody’s best interest. Security solution providers will use their expertise to offer a service to customers and potential customers: an audit to assess vulnerability and a program to cure it. You may be able to partner with a local IT integrator that specializes in security.
It’s an IT industry mess that needs cleaning up, but AV companies must control their own risks:
- Your sites can be affected: please check and fix if necessary
- Your customers can be affected: alert them, then double-check their status, and avoid risk in any transaction
- Your suppliers can be affected: alert, then double-check, and avoid risk in your mutual transactions
- If you have clients where security is imperative, also check their IP chain of devices for vulnerability. (You could actually ask money for this as a service.)
- Check your own IP devices. Let’s say you installed and maintain a digital signage network for a customer: a job where you don’t want to wake up one morning and find hacked messages on your public network. Or let’s say you have an executive meeting room that can be controlled by an Android 4.1.1 device. The risk is not just financial. For example, hackers can be pranksters, corporate spies (competitive intelligence) or even vindictive employees (who want to embarrass or harass your client).
While the tendency is to think Heartbleed is a security issue only for IT and web companies, we hope we have convinced you the security risks are real for all.
You may want your own IT staff (or outsourced IT staff) to help you clean up your own shop but security is only as good as the weakest link. That means you should watch your back with partners, suppliers and customers. And you will want to recognize any possibility of security vulnerabilities in your work with your clients.