Heartbleed Bug... It Hurts

Onkar Sharma
"My heart bleeds for you" is a hyperbolic expression of sympathy that has been used for ages. Yet the expression, now an idiom, has probably never had as much limelight as it does today, and there is a twist in the tale. In today's technology-driven world, this expression is keeping the CISO (chief information security officer) and IT teams on tenterhooks: the heartbleed bug has enfeebled millions of websites globally.

"It is important to understand that heartbleed is not a virus, but rather a mistake written into OpenSSL, a security standard encrypting communications between you, the user, and the servers provided by a majority of online services. The mistake makes it viable for hackers to extract data from massive databases containing user names, passwords, and other sensitive information," explains Gary Davis, Vice President of consumer marketing at McAfee, in his blog on the company website. The mistake has taken a toll on the world's top websites. The bug is expected to affect two-thirds of all websites.

To assume that we are not affected by the bug is perhaps an illusion. "If you use the Internet, it is all but guaranteed that you have been impacted in some fashion by the heartbleed bug. While reports have stated various numbers of sites potentially exposed to heartbleed (as many as two-thirds of all sites on the Internet using SSL/TLS), we can safely say that no corner of the Internet is untouched by this bug," says Subroto K Panda, CISO & CIO at Anand And Anand, a law firm in India.

As of April 10, 2014, there were a total of 611 websites under the .in domain that were vulnerable. A Trend Micro study found the vulnerability in mobile applications as well. The main reason the bug can affect smartphones is that mobile apps also connect to online servers and services to complete various functions.

A note from a security expert explains it precisely: "Suppose you're just about to pay for an in-app purchase, and to do so you need to input your credit card details. You do so, and the mobile app finishes the transaction for you. While you're getting on with your game, your credit card data is stored in the server that the mobile app did the transaction with, and may stay there for an indeterminate period of time. As such, cybercriminals can take advantage of the heartbleed bug to target that server and milk it of information (like your credit card number)."

The same study also scanned almost 390,000 apps from Google Play and discovered that around 1,300 apps connect to vulnerable servers. The scale of the bug is thus much larger than imagined. "We need to understand the gaps in the system and fix them so that cybercriminals do not have leeway. Heartbleed bug is a potential gap," suggests Karnika Seth, a cyber law expert and lawyer.

Who's Affected

Since the web is the hotspot of the digital economy for thousands of internet companies, including Yahoo!, Amazon, Twitter and Facebook, the bug has certainly exposed the cracks in online security. According to Mashable, companies such as Facebook, Pinterest, Instagram, Tumblr, Google, Yahoo!, Gmail, Amazon Web Services, GoDaddy, Flickr, Minecraft, Netflix, SoundCloud and YouTube, among others, were affected by the heartbleed bug.

"This weakness allows stealing information that is normally encrypted by SSL/TLS encryption. Over 66% of the Internet's web servers use the OpenSSL library. The good news is that only some versions of the OpenSSL are affected," says Sivarama Krishnan, Executive Director, IT Risks & Controls, PwC India.

Since there is reason to worry and to take the necessary steps to secure your websites before data is stolen, it is important that you at least know whether your website is affected by the heartbleed bug. Security companies such as McAfee and Trend Micro, among others, are offering tools that help you identify whether your website is affected.

You can check whether your website is affected by this bug at this link: http://www.mcafee.com/heartbleed. In addition, one of the companies working on security issues and threat analysis has released a mobile app on the Google Play store, 'Heartbleed Detector', that claims to identify whether any app or website that you use, or may use, is affected.

But these tools are not foolproof for identifying the vulnerability in a website, and it is better to take an expert's advice. Krishnan suggests, "System administrators can check if a system is vulnerable by locally logging into the server and identifying the OpenSSL version number. Additionally, systems can be checked by scanning for the vulnerability."

Reverse Heartbleed

The bug was discovered only a few weeks ago but has been around for more than two years. From the websites you use on a daily basis to devices like IP phones and routers, millions of devices and sites rely on OpenSSL to provide secure communications. "In fact, Heartbleed potentially impacts many users and devices other than servers. Researchers have demonstrated 'reverse' Heartbleed POCs that provide the potential for a malicious server to attack a client instead of a client attacking a server," reveals Ankit Fadia, a renowned ethical hacker.

Security experts further point out that Reverse Heartbleed (www.reverseheartbleed.com) can be used to check clients for potential heartbleed issues. "If the sites say that the sites you checked are fixed, go ahead and change your password. If they aren't fixed yet: Hang tight, don't panic. Many companies and sites should have processes in place to deploy updates to code that runs their infrastructure. They should also have in place security solutions such as IPS to mitigate any attempts by an attacker to exploit heartbleed before a complete fix can be deployed. If you can avoid using those sites until they are fixed, you should do so," further cautions Fadia.

Preventing a Heartbleed Exposure

"While we can't protect ourselves from this specific issue, we can take some steps to protect ourselves from the effects that this issue might have. Ideally, OpenSSL version 1.0.1g or newer should be used. Use of appropriate testing methods can help system administrators identify vulnerabilities and take remedial actions. The fix is there. Organizations need to get up to speed to assess and mitigate any risks," further suggests Krishnan of PwC.

Joseph from Fortinet shares his checklist for enterprises. According to him, on the server side of the equation, there are multiple things you should do, as the best course of action, to provide the highest level of security to your employees, users and customers:

  • Ensure you have appropriate IPS signatures deployed to monitor and mitigate any potential attacks on your infrastructure. Fortinet issued a Hot Update to our customers with IPS signatures to detect and prevent Heartbleed attacks. In situations such as this, our threat research teams are able to respond to urgent or immediate security incidents promptly to protect our customers (and our customers' customers) from exploitation.
  • Determine the extent of the bug in your systems: how many systems are you using that use OpenSSL? How many of those are using OpenSSL 1.0.1 through 1.0.1f?
  • Deploy the patch as soon as possible to all systems affected.
  • If it is determined that your systems were impacted by Heartbleed, you may want to consider revoking all of your certificates/keypairs used, and have your Certificate Authority issue replacements. While it is still uncertain as to the feasibility of an attacker successfully obtaining your secret key through Heartbleed, current research is unable to completely eliminate the possibility. For many companies, replacing all of their certificates in their PKI is a massive task, but a very necessary one: due to the silent nature of the attack and the amount of time the bug has existed, you may want to assume that your secret keys have been compromised and are no longer secret.
  • Force all users to reset their passwords upon next login.
  • For cases where you are working with customers who use your web assets, send an email to them outlining your current fix status and directing them to your site to change their passwords. Remember though: use best security practices when crafting your email; don't send a password reset link through email. Phishers and malware authors will undoubtedly use this opportunity to trick unsuspecting users to visit copycat sites in the hopes of obtaining credentials or installing malware.
  • Have your PR team make a public statement, both on your site and through your social media channels, and reassure your users that you have fixed the issue and it is safe to use your services again. It is much better to address your response to Heartbleed than it would be to remain quiet and have your users question your response.
  • Finally, you should do an internal post-mortem analysis of all systems affected and the information handled by those systems in order to determine the type of information that was exposed and possibly leaked. Your risk assessment teams should react accordingly.
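As an added example (not code from the article, nor from McAfee, Trend Micro, PwC or Fortinet), here is the local version check that Krishnan describes and that step two of the checklist asks about, written in POSIX shell. It classifies the output of `openssl version` against the affected range the article names (1.0.1 through 1.0.1f, fixed in 1.0.1g); the 1.0.2-beta1 entry is taken from the OpenSSL advisory and is not mentioned in the article.

```shell
#!/bin/sh
# Added example, not from the article or any vendor quoted in it.
# Classify an OpenSSL version string against the range the article
# names as affected: 1.0.1 through 1.0.1f (1.0.1g and later are fixed).
# 1.0.2-beta1 is added from the OpenSSL advisory, not from the article.
# Exit status 0 = in the affected range, 1 = not in it.
heartbleed_version_affected() {
    ver=${1#"OpenSSL "}    # accept the raw output of `openssl version`
    ver=${ver%% *}         # keep only the version token, drop the build date
    ver=${ver%-fips}       # some vendor builds append -fips to the version
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) return 0 ;;
        *) return 1 ;;     # 1.0.1g+, 1.0.0, 0.9.8 and other branches
    esac
}

# Check the library installed on this host, as the sysadmin advice in the
# article describes. Status 0 = affected range, 1 = not, 2 = no openssl.
check_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl binary not found"
        return 2
    fi
    v=$(openssl version)
    if heartbleed_version_affected "$v"; then
        echo "AFFECTED RANGE: $v (confirm against vendor patch notes)"
        return 0
    fi
    echo "not in affected range: $v"
    return 1
}

# Invoke as: sh heartbleed_check.sh --run
case "${1:-}" in
    --run) check_local_openssl ;;
esac
```

Distribution packages often backport the fix without changing the reported version string, so a hit here means "confirm against the vendor's patch notes or scan the service", not "confirmed vulnerable".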