Thursday, April 10, 2014

The Heartbleed Exploit - What it means to you!

If you’ve seen the news, you've heard about Heartbleed. I’m referring to the vulnerability discovered in OpenSSL, commonly known as Heartbleed. This bug strikes at the heart of the encrypted connections we all make every day to web servers, mail servers and network devices.

The Heartbleed vulnerability exists in OpenSSL, a cryptographic library that provides the SSL/TLS encryption for a large share of the secure web sites and network devices in service. Every OpenSSL release from 1.0.1 (March 2012) through 1.0.1f is affected, because those releases ship with the TLS heartbeat extension enabled by default; the older 1.0.0 and 0.9.8 branches do not contain the bug. Some of the products that use OpenSSL are the Apache web server, VPN clients such as Cisco AnyConnect, and even your home router. (Microsoft IIS is not affected: it uses Windows' own SChannel library rather than OpenSSL.) In fact, a large share of the Internet-facing software you rely on every day links against OpenSSL in one form or another.

What exactly does this vulnerability do, and why is it so bad?

Basically, Heartbleed allows an attacker to abuse a normal, rarely used feature of TLS known as the heartbeat extension (RFC 6520): a keep-alive in which one side sends a small payload and the other side echoes it back. A heartbeat request carries a length field that says how big the payload is. Vulnerable OpenSSL trusts that field instead of checking how many bytes actually arrived, so an attacker who sends a tiny payload with a large declared length gets back the payload plus whatever happened to follow it in the server's memory, up to about 64 KB per request. Merely connecting to a vulnerable server and sending one such malformed heartbeat is enough; no login or special privilege is needed. The attacker can repeat the request as often as he likes, collecting a fresh slice of memory each time until something interesting comes his way.

This may sound like a weak attack, because the attacker has no control over which parts of memory come back, and no ability to change what is stored there. However, the exposure is about as severe as it gets. The memory handed back is the working memory of the process that serves your encrypted connections, and it can contain pieces of any transaction that process has handled: the server's private key, traffic the server has just decrypted or is about to encrypt, login credentials and session cookies, pieces of your database, and pieces of confidential documents transferred through the application or device. Essentially, anything that the vulnerable application or device has recently held in memory has a chance to land in the 64 KB slice the attacker reads, and he can read as many slices as he likes.
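To make the mechanism concrete, here is an added example, written for this article and not taken from OpenSSL's own code, that reproduces the bug in miniature. A small array stands in for the server's heap, a constructed secret (a fake cookie and password) is placed right after the incoming heartbeat record, and two handlers process the same request: one that trusts the length field the way OpenSSL 1.0.1 through 1.0.1f did, and one that performs the bounds check added in 1.0.1g. The record layout and the 16-byte padding follow RFC 6520; the 128-byte heap, the secret string, and the function names are my own stand-ins.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat record: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HEADER    3
#define HB_PADDING   16

/* Constructed stand-in for the server's heap. The incoming record is placed
 * at the front; whatever the process left after it (here a fake session
 * cookie and password) is what an over-read will hand back. */
#define HEAP_SIZE 128
static unsigned char heap[HEAP_SIZE];
static const char neighbour_secret[] = "session=deadbeef; user=alice; pw=hunter2";

/* Lay out a heartbeat request in `heap`. `claimed_len` is what the attacker
 * writes into payload_length; `real` is the payload actually sent (keep it
 * under ~60 bytes so the secret still fits). Returns the bytes that arrived. */
static size_t build_request(uint16_t claimed_len, const char *real, size_t real_len)
{
    /* Keep the simulation inside the array; the real server had no such limit. */
    if (claimed_len > HEAP_SIZE - HB_HEADER)
        claimed_len = HEAP_SIZE - HB_HEADER;
    memset(heap, 0, sizeof heap);
    heap[0] = HB_REQUEST;
    heap[1] = (unsigned char)(claimed_len >> 8);
    heap[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(heap + HB_HEADER, real, real_len);
    size_t wire_len = HB_HEADER + real_len + HB_PADDING;   /* padding left as zeros */
    memcpy(heap + wire_len, neighbour_secret, sizeof neighbour_secret);
    return wire_len;
}

/* OpenSSL 1.0.1 through 1.0.1f: trust payload_length and copy that many
 * bytes into the reply, never asking how many bytes really arrived. */
static size_t vulnerable_heartbeat(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    (void)rec_len;                                   /* never consulted: that is the bug */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);  /* reads past the record */
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    return HB_HEADER + payload_len + HB_PADDING;
}

/* The 1.0.1g fix: discard any record whose claimed payload plus padding does
 * not fit inside what was received. Returns 0 when nothing is sent back. */
static size_t fixed_heartbeat(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    if (rec_len < HB_HEADER + HB_PADDING)
        return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER + (size_t)payload_len + HB_PADDING > rec_len)
        return 0;                                    /* silently drop, as the patch does */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    return HB_HEADER + payload_len + HB_PADDING;
}

/* Does a reply contain the neighbouring secret? */
static int leaks_secret(const unsigned char *resp, size_t resp_len)
{
    size_t n = strlen(neighbour_secret);
    for (size_t i = 0; i + n <= resp_len; i++)
        if (memcmp(resp + i, neighbour_secret, n) == 0)
            return 1;
    return 0;
}

/* Send one attacker-controlled request through a handler. Returns -1 if the
 * handler refused to reply, 1 if the reply leaked the secret, 0 if it
 * replied without leaking. */
typedef size_t (*handler_fn)(const unsigned char *, size_t, unsigned char *);
static int probe(handler_fn handler, uint16_t claimed_len, const char *real, size_t real_len)
{
    unsigned char out[HB_HEADER + HEAP_SIZE + HB_PADDING];
    size_t rec_len = build_request(claimed_len, real, real_len);
    size_t resp_len = handler(heap, rec_len, out);
    if (resp_len == 0)
        return -1;
    return leaks_secret(out, resp_len);
}

int main(void)
{
    /* Honest client: 5-byte payload, declares 5. Attacker: 5 bytes, declares 80. */
    printf("honest request, vulnerable build:    %d\n", probe(vulnerable_heartbeat, 5, "hello", 5));
    printf("malicious request, vulnerable build: %d\n", probe(vulnerable_heartbeat, 80, "hello", 5));
    printf("malicious request, fixed build:      %d\n", probe(fixed_heartbeat, 80, "hello", 5));
    return 0;
}
```

The honest request gets an honest echo from both builds. The malicious request gets the secret back from the vulnerable build, because the copy simply runs past the end of the 24-byte record into the bytes that follow it, and gets no reply at all from the fixed build. Note that the fix is a single comparison of the claimed length against the bytes actually received; that is all that was missing.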

 So what does this mean, exactly? Here are the critical factors:

1.    Heartbleed-vulnerable applications are those that link against an affected OpenSSL release (1.0.1 through 1.0.1f) built with the heartbeat extension enabled, which is the default. Applications that use a different TLS library, or an older OpenSSL branch such as 1.0.0 or 0.9.8, are not affected by this bug.

2.    There are no reasonable limits on what information can be compromised. Anything the application process has held in memory, whether or not it was ever written to disk, is exposed.

3.    Attacks are easy to automate and distribute, and a probe looks like an ordinary TLS connection that leaves nothing in the application's logs, which makes identifying attackers virtually impossible.

Unfortunately, any server that was vulnerable could have been leaking information for the past two years, since the bug was introduced in early 2012. There is also little hope of determining whether a server was attacked in this way: the heartbeat exchange is handled inside the library and is not logged by the web server or application, so unless you kept full packet captures there is no record of it. You simply have no way of knowing what sensitive data, if any, was leaked.

One thing is certain. If you do not take measures now against this bug, you will be hacked sooner rather than later. The attack is simply too easy to perform and too widespread not to become one of the most pervasive automated attacks ever; proof-of-concept test scripts were public within a day of the disclosure.

If you own or run an Internet server, the patched version (OpenSSL 1.0.1g, released April 7, 2014) is available from OpenSSL's website, and from all major vendors through their own software update systems. Two caveats for anyone patching. First, some Linux distributions backport the fix without changing the reported version number, so a patched system may still say 1.0.1e; check your vendor's advisory or package changelog rather than trusting the version string alone, and restart every service that loads the library so the old copy is not still running in memory. Second, patching stops the leak but does not undo it. Assume the server's private key was exposed: generate a new key, obtain a new certificate, revoke the old one, and invalidate existing sessions and cookies so that anything captured so far stops working.

If you’re concerned that a server you visited, used a password on, or accessed or transmitted confidential data through was vulnerable, you should contact that web site owner to confirm that their site has been inspected and that this vulnerability has been addressed and fixed. 
 
It’s also time to change your passwords and any other security information at those sites. Do it once the site has confirmed it is fixed and has replaced its certificate; a new password set on a still-vulnerable site can leak just like the old one.
 
Jeff Hoffman is an IT security consultant with ACT Network Solutions specializing in network security, management and data protection.  He can be reached at jhoffman@act4networks.com.
