What is it? What impact can it have on your business? Should you be concerned? What can you do?
Heartbleed is a vulnerability that has been around for two years, but it was only discovered yesterday by two groups, one working at Google and another in Finland. I found out about it this morning when one of our writers posted a story about the Canada Revenue Agency proactively shutting down its site. By the time I got to work, interest in the story and coverage in the mainstream media was exploding. Information and disinformation abound. Here’s what I know as of the time of publication.
What is it?
Heartbleed is a security vulnerability in the transmission of information from a supposedly secure server. It occurs in what is called SSL (Secure Sockets Layer) or TLS (Transport Layer Security). Essentially, when two devices connect, the data transmitted between them is encrypted.
That process starts out with a “handshake” that establishes the secure connection. The vulnerability occurs at this point and exposes all of the information exchanged, including certificates and passwords.
The little “lock” icon in the browser indicates that the connection is using these protocols and that the transmission is securely encrypted. Or so we thought – until this morning. As it turns out, there is a vulnerability in a part of the OpenSSL library called Heartbeat – hence the name Heartbleed. Heartbleed allows a third party to intercept and extract the information that is exposed at this critical point. The very things that are exchanged to protect you – passwords, encryption keys – are vulnerable and can be intercepted, potentially to be used to gain access to your supposedly secure information.
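To show where the flaw sits, here is an added illustration that is not from the original article nor from OpenSSL’s own source: a simplified model of the server-side length check on a heartbeat request, written from the defender’s side. The message layout follows RFC 6520; the function names and the two sample records are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Body of a TLS heartbeat message (RFC 6520), as seen by the server:
 *   1 byte  type (1 = request)
 *   2 bytes payload_length, big-endian
 *   payload_length bytes of payload
 *   at least 16 bytes of padding
 * The flaw: the old code trusted payload_length and copied that many bytes
 * from memory into the reply, even when the record was much shorter. */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16
#define HB_REQUEST     1

/* Pre-fix behaviour: return the length the sender claims, checking only that
 * a header is present.  This value used to size the reply and the copy. */
int heartbeat_claimed_len(const uint8_t *body, size_t body_len) {
    if (body_len < HB_HEADER_LEN) return -1;
    return (body[1] << 8) | body[2];
}

/* Fixed behaviour: header, claimed payload and minimum padding must all fit
 * inside the bytes that actually arrived; otherwise discard the message. */
int heartbeat_checked_len(const uint8_t *body, size_t body_len) {
    if (body_len < HB_HEADER_LEN + HB_MIN_PADDING) return -1;
    if (body[0] != HB_REQUEST) return -1;
    size_t claimed = (size_t)((body[1] << 8) | body[2]);
    if (HB_HEADER_LEN + claimed + HB_MIN_PADDING > body_len) return -1;
    return (int)claimed;
}

/* Constructed sample records (21 bytes each): header, "hi", 16 zero bytes. */
const uint8_t SAMPLE_GOOD[21] = {HB_REQUEST, 0x00, 0x02, 'h', 'i'};  /* claims 2 */
const uint8_t SAMPLE_BAD[21]  = {HB_REQUEST, 0x40, 0x00, 'h', 'i'};  /* claims 16384 */
const size_t SAMPLE_LEN = 21;

int main(void) {
    printf("well-formed: claimed=%d checked=%d\n",
           heartbeat_claimed_len(SAMPLE_GOOD, SAMPLE_LEN),
           heartbeat_checked_len(SAMPLE_GOOD, SAMPLE_LEN));
    printf("malformed:   claimed=%d checked=%d\n",
           heartbeat_claimed_len(SAMPLE_BAD, SAMPLE_LEN),
           heartbeat_checked_len(SAMPLE_BAD, SAMPLE_LEN));
    return 0;
}
```

The unchecked function happily reports 16384 bytes for a 21-byte record, which is exactly the oversized copy the patch prevents.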
What is the impact?
It’s pretty severe. The point at which the vulnerability occurs gives away pretty much all of the information that is used to secure data transmission. Even what is in memory can be read and used. In the hands of the clever and unscrupulous, this information can potentially expose all of your supposedly secure data by giving away the keys and passwords that protect it.
It’s wide-ranging. It occurs in what is called OpenSSL, which is used on over two-thirds of the servers on the Internet. It had been around for almost two years before it was detected on April 7.
It leaves no trace. You can only tell whether a site is vulnerable. But since any intrusion would use valid passwords and keys, there is probably no way to know whether a site has actually been compromised. It’s widely reported that Yahoo and Flickr were among the affected sites.
It’s hard to imagine a worse exposure than this.
Bruce Schneier, CTO of Co3 Systems and a fellow at Harvard University’s Berkman Center, has said, “On a scale of 1 to 10, this is an 11.”
Should we panic?
No. This vulnerability has been there for two years. It is severe and needs to be addressed, but as I stated, all the major websites have taken action. If someone has already exploited this weakness, you will never know. It won’t leave any trace. There is nothing you can do about data, if any, that someone has already gathered. Concentrate on the future.
What should a business do?
If you are running servers that are vulnerable, update OpenSSL, generate a new public/private key pair and update your SSL certificate – in that order.
Then you should change critical system and other highly sensitive passwords.
And you should warn employees to check a server before they connect to it. The test that everyone is referring to can be found at http://filippo.io/Heartbleed/
CRA made the choice to shut down until it fixed the vulnerability. I’m not sure that’s possible or even necessary for many businesses, but if you have highly sensitive information on your site, it’s an option to consider.
There is a patch and it is widely available. Over the next few days, all of the major sites should be downloading and installing the updated software. They will then need to update their certificates. The major sites will probably be through this process in the next couple of days.
What can an individual do?
The latest advice is to change all of your passwords. That’s not a bad thing to do. You should change your passwords on a regular basis anyway. And you should have a range of passwords – don’t use the same password for everything. I have a firm rule that social media passwords are never the same for our corporate systems. And passwords should be difficult to guess.
Password managers like LastPass are probably a good trade-off. They allow you to have separate secure passwords for each application or system without having to remember them all. As far as I know, LastPass was not affected by this vulnerability. If you have another provider, check with them to see if they are vulnerable.
But this won’t protect you if you continue to connect to sites that are vulnerable. Test the sites you use at http://filippo.io/Heartbleed/
Be careful before you panic. I know that some checking links only test whether you are running software like Apache that might be vulnerable. We got a false positive on the lastpass.com link. But the filippo.io link (above) gave the correct information.
After that – for individuals and companies, do what you should be doing anyway. Monitor credit card statements carefully and question any unusual charges. Keep a close watch on your system logs.
Don’t panic. But don’t be afraid to ask questions.
This is severe, but it’s not the first major vulnerability nor will it be the last. You need to educate yourself, be careful with your own security and watch for any evidence of intrusion or hacking.
If you have major systems that store sensitive data, you need to ask your provider what they know and what they have done. You can check their sites with the tools listed above. Be sensitive – check their website to see if there is any information. Chances are they will be scrambling to get this done if they are small or mid-size. The big players should have already sprung into gear.
The mark of a good provider or partner is not necessarily that they are invulnerable. Nobody is, nor can you expect it. But you can expect that they pay attention to security and that they are open, clear and honest when discussing it with you.
We’ll try to update you as information becomes available. In the meantime, please use comments to add questions you may have. We’ll attempt to answer them.
Jim Love is the CIO of IT World Canada and can be reached on Twitter @CIOJimLove