A serious vulnerability has been revealed that could give anyone access to private data on the web that’s supposed to be securely encrypted.
According to recent estimates, the Heartbleed SSL/TLS bug may be present in as many as two-thirds of all websites, at least those using OpenSSL to protect sensitive communications. That means financial transactions, medical info, personal data, pictures, passwords, attachments, chats and pretty much everything the world has been trusting the OpenSSL encryption library to protect is now vulnerable. And it’s been going on since 2011 when version 1.0.1 of the software was released. That is, if you’ve kept up with your updates. If you haven’t, then your OpenSSL version is likely vulnerable to a collection of older weaknesses.
The bug opens up access to the cryptographic software library used to provide communication security for web browsing, email, instant messaging, and some virtual private networks (VPNs). Attackers could take advantage to eavesdrop on conversations and steal data from web services to be used in later spear phishing attacks.
Unfortunately, that’s not all. The flaw can be exploited without prior knowledge or system-specific information and doing so leaves no traces in server logs. In other words, not only are sites currently running affected versions of the vulnerable software at risk, but once the encryption keys are stolen it’s possible to retroactively gain access to data. This may well be a boon to all the government agencies that have reportedly been surreptitiously recording SSL traffic in the hopes of later decrypting it.
The clean-up job and repercussions of this may well go on for months, but every company that manages sensitive information has a responsibility to address the issue as quickly as possible. To that end, I’ve put together a list of seven steps to follow.
7 steps to stopping the Heartbleed SSL/TLS bug
- Inventory all systems and servers running OpenSSL 1.0.1 and newer
- Upgrade to OpenSSL 1.0.1g or recompile with -DOPENSSL_NO_HEARTBEATS
- Revoke compromised keys and reissue new keys from the Certificate Authority
- Change user passwords and encryption keys
- All session keys and session cookies must be expired/invalidated
- All users of systems where SSL is in use must be informed of the potential for compromise
- Consider implementing perfect forward secrecy to protect against current and future attack
Beyond these technical steps, companies should consider the following best practices:
- Ensure that remediation efforts are carried out by qualified IT professionals
- Consider it a project – enforce accountability along with proper planning & documentation
- Aim for completeness – vulnerable OpenSSL distributions run on at least eight operating systems
- Take appropriate precautions to avoid business interruptions during the process
- Have the remediation efforts independently validated and get a written report
According to some estimates, the vulnerability has been known since March of 2012, which would be catastrophic, but from what I can see there’s currently no available evidence to indicate such an exploit has taken place. Either way, this situation should be considered very serious and remediation efforts should be prioritized.
UPDATE: See www.heartbleed.ca for more timely information about this vulnerability, including an update on the NSA’s role in the whole affair.