The Heartbleed Bug
Posted on April 13, 2014
by 2bridges CIO, Ken Lombardi
I know there is a great deal of information about Heartbleed on the Internet, but I wanted to take a couple of moments to quickly describe the issue, tell you what we at 2bridges Technologies have done to ensure the safety of clients using our services, and also to lay out some steps that you can take to protect yourself as this problem evolves.
Briefly, the Heartbleed bug is simply a security vulnerability in one part of a recent version of OpenSSL (the exploit is in the heartbeat extension, hence "Heartbleed"). OpenSSL software itself is used by a large number of services such as web servers, email services, and VPN tunnels. It is used to protect the transmission of logins, passwords and data as it travels across the open Internet.
A software 'tool' has been built by some nefarious people to exploit this vulnerability, allowing certain information to be gathered from vulnerable servers very easily by anyone with the 'tool'. Even though only a small amount of data can be gathered with each probe from the tool (64k), the bad guys just send the appropriate 'request' over and over again until they have gathered lots of useful information to sell or reuse themselves. They get a lot of junk, but also logins, passwords, and the keys used to encrypt data. Generally not a good thing.
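A simplified model of the defect, added here as an illustration (it is not OpenSSL's code): the heartbeat handler echoes back as many bytes as the record claims to carry, so a record whose claimed length exceeds what was actually received reads neighbouring memory back to the sender. The constructed `packet`, the function names and the 64-byte output buffer are assumptions.

```c
#include <string.h>

/* Constructed stand-in for server memory (not OpenSSL's code): a heartbeat
 * record is a 2-byte claimed payload length followed by the payload; here it
 * is followed by data that must never leave the server. It claims 12 payload
 * bytes, but only "ping" (4 bytes) actually arrived. */
static const unsigned char packet[] = "\x00\x0c" "ping" "SECRETKEY";
static const size_t received_len = 2 + 4;   /* bytes really on the wire */

/* Vulnerable: trusts the length field inside the record and echoes that many
 * bytes back, reading past the end of what was actually received. */
static size_t heartbeat_vulnerable(const unsigned char *pkt, size_t recv_len,
                                   unsigned char *out, size_t out_cap) {
    size_t claimed = (size_t)((pkt[0] << 8) | pkt[1]);
    (void)recv_len;                           /* never consulted: the bug */
    if (claimed > out_cap) claimed = out_cap; /* keeps the demo memory-safe */
    memcpy(out, pkt + 2, claimed);
    return claimed;
}

/* Fixed: the claimed length must fit inside the bytes that actually arrived;
 * otherwise the record is dropped and nothing is echoed. */
static size_t heartbeat_fixed(const unsigned char *pkt, size_t recv_len,
                              unsigned char *out, size_t out_cap) {
    if (recv_len < 2) return 0;
    size_t claimed = (size_t)((pkt[0] << 8) | pkt[1]);
    if (claimed > recv_len - 2 || claimed > out_cap) return 0;
    memcpy(out, pkt + 2, claimed);
    return claimed;
}

/* Bytes the vulnerable echo returns beyond the 4 that were really sent. */
size_t vulnerable_overread(void) {
    unsigned char out[64];
    size_t n = heartbeat_vulnerable(packet, received_len, out, sizeof out);
    return n - 4;                             /* 8: "SECRETKE" leaks */
}

/* Bytes the fixed echo returns for the same malformed record. */
size_t fixed_echo_len(void) {
    unsigned char out[64];
    return heartbeat_fixed(packet, received_len, out, sizeof out);   /* 0 */
}

/* A well-formed record is still echoed: 4-byte payload, 4 bytes back. */
size_t fixed_echo_len_good(void) {
    static const unsigned char good[] = "\x00\x04" "ping";
    unsigned char out[64];
    return heartbeat_fixed(good, sizeof good - 1, out, sizeof out);   /* 4 */
}
```

Repeating the vulnerable call with a fresh record each time is exactly the "over and over again" pattern described above; the fixed version answers the malformed record with nothing at all.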
At 2bridges Technologies we, along with many other companies offering services on the Internet, quickly responded to the release of this information by auditing our firewalls, switches, routers and servers to ensure that the version of SSL in use was either not vulnerable or that any patches required to protect against this exploit were installed and tested.
We were very fortunate and none of our Internet-based services were impacted. None of our firewall appliances are vulnerable to this bug, and all of 2bridges' hosted services have also passed with a clean bill of health. Our Microsoft-based solutions do not use OpenSSL and so have no attack surface at all in this case.
Sadly, some other sites on the net were not as fortunate as 2bridges Technologies. A number of sites that realized they had been vulnerable have published that information so that their patrons would be aware and take appropriate measures. We should thank them for being fast-acting, informing us and helping us protect our personal information. Some very straightforward steps should be taken by Internet users in these cases.
Here are some of those sites. These services all appear to have been patched:
1. Facebook
2. Instagram
3. Pinterest
4. Tumblr
5. Twitter
6. Google
7. Yahoo
8. Gmail
9. Yahoo Mail
10. GoDaddy
11. Intuit Turbo Tax
12. Dropbox
13. Minecraft
14. OkCupid
A much longer list is available at GitHub.
If you use any of these services, the Department of Homeland Security has posted some valuable information concerning measures to take. See their blog at:
To quote them:
Many commonly used websites are taking steps to ensure they are not affected by this vulnerability and letting the public know. Once you know the website is secure, change your passwords.
Closely monitor your email accounts, bank accounts, social media accounts, and other online assets for irregular or suspicious activity, such as abnormal purchases or messages.
After a website you are visiting has addressed the vulnerability, ensure that if it requires personal information such as login credentials or credit card information, it is secure with the HTTPS identifier in the address bar. Look out for the “s”, as it means secure.
Two additional steps that you should take are:
1) Use two-factor authentication whenever possible. Services like Google, Facebook, Twitter, LastPass and many others offer this feature. 2bridges will post an article in the near future to introduce this process in an "easy to understand" way. Current LastPass users can check all the sites they have in their database and get a list of those that require a password change.
2) Revoke and recreate personal access and application tokens that you might be using for Google, Yahoo, Pinterest, etc.
GitHub has been very involved in getting information to the public about this vulnerability, and they have compiled a number of valuable lists. At this location they list the results of testing on one thousand websites on April 8th: https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt
Several organizations and individuals have been kind enough to post tools that can determine whether a site is vulnerable or not. These tools are very straightforward and easy to use. Just enter a site you are curious about and wait a moment for a report.
https://lastpass.com/heartbleed/
http://heartbleed.criticalwatch.com/
https://www.ssllabs.com/ssltest/
If you are interested in delving deeper into this issue and other security matters, there are two places I can highly recommend:
Schneier on Security at https://www.schneier.com/
Krebs on Security at http://krebsonsecurity.com/
Both offer very interesting perspectives and sometimes eye-opening information about security issues.