Wipfli Alerts & Updates: Weakness in “secured” websites may cause data leak
April 10, 2014
On April 7, security researchers identified a flaw in a popular software library that puts nearly two-thirds of all secured websites at risk, possibly including your organization’s site. The weakness allows attackers to steal encrypted information such as bank transactions, usernames, passwords, and secure communications. The flaw is known as the “Heartbleed bug,” and system administrators should take the steps below to ensure their system’s information is not vulnerable to compromise.
What is Heartbleed?
The Heartbleed bug is a serious vulnerability in the very popular OpenSSL cryptographic software library, utilized on an estimated two-thirds of the Internet. This bug allows attackers to steal information that, under normal conditions, is protected by the SSL/TLS encryption used to secure the Internet. This encryption provides security and privacy over the Internet for applications such as websites (including banking sites), e-mail, instant messaging, and some virtual private networks (VPNs). The flaw was identified on April 7, 2014.
Am I affected by the bug?
You are likely to be affected either directly or indirectly. OpenSSL is the most popular open-source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your banking websites, social networking sites, company’s site, commerce site, hobby site, site you install software from, or even sites run by your government might be using vulnerable OpenSSL. You might have networked appliances with logins secured by this buggy implementation of TLS.
Is this a big deal?
Absolutely. One must presume that cryptographic keys have been compromised and that encrypted sessions are at risk. The good news is that there is no indication the bad guys had prior knowledge of this bug; it seems the researchers were the first to locate the problem. The scary part is that everyone (good and bad) now has the knowledge and can infiltrate websites, extract the information they want, and leave no trace of their presence. Thus, it is hard to determine whether someone ever exploited the bug or whether your account information was compromised.
What versions of the OpenSSL are affected?
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
System administrators—Now what?
Priority attention should be given to any externally facing service running OpenSSL. This can be a secured website, a router login page, or a vendor’s portal. Check your historical Perimeter Vulnerability Assessment reports to assist with determining whether your systems are vulnerable. There are tools being published on the Internet that can help with detection of vulnerable systems. In addition, Wipfli Security Consultants can assist with identifying these systems upon request.
# openssl version -a
OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr 7 20:33:29 UTC 2014
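The affected-version list and the version check above are easy to misread by hand when many hosts are involved, so here is an added Python example (not from the advisory) that classifies the output of openssl version -a against the stated range. The "verify with vendor" verdict is an assumption of this example: distribution vendors commonly backport the fix without changing the version letter, so a build dated on or after the fix release cannot be judged from the version string alone.

```python
import re

# Affected range as stated in the advisory: 1.0.1 through 1.0.1f inclusive;
# 1.0.1g and the 1.0.0 / 0.9.8 branches are not affected.
FIX_DATE = (2014, 4, 7)   # release date of the fixed 1.0.1g, as (year, month, day)
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)", re.M)
BUILT_RE = re.compile(r"^built on:\s*(.+)$", re.M)


def parse_version(output):
    """Return (major, minor, patch, letter) from 'openssl version -a' output."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def parse_build_date(output):
    """Return (year, month, day) from the 'built on:' line,
    e.g. 'Mon Apr  7 20:33:29 UTC 2014', or None if absent."""
    m = BUILT_RE.search(output)
    if not m:
        return None
    tok = m.group(1).split()   # ['Mon', 'Apr', '7', '20:33:29', 'UTC', '2014']
    try:
        return int(tok[-1]), MONTHS[tok[1]], int(tok[2])
    except (IndexError, KeyError, ValueError):
        return None


def in_affected_range(ver):
    """True for plain 1.0.1 (no letter) up to and including 1.0.1f."""
    major, minor, patch, letter = ver
    return (major, minor, patch) == (1, 0, 1) and letter < "g"


def classify(output):
    """Heuristic verdict for one host's 'openssl version -a' output."""
    ver = parse_version(output)
    if ver is None:
        return "unknown"
    if not in_affected_range(ver):
        return "not vulnerable"
    built = parse_build_date(output)
    # Assumption: a build dated on/after the fix release may carry a vendor
    # backport, so the version string alone is not conclusive.
    if built is not None and built >= FIX_DATE:
        return "verify with vendor"
    return "vulnerable"
```

Run classify() over the captured output from each host; anything reported as "verify with vendor" should be confirmed against the vendor's package changelog rather than assumed safe.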
Check with your trusted vendors to ensure their websites are patched and secure. For affected sites you don’t control directly, have your users reset their passwords there.
Verbose vulnerability details can be viewed at http://heartbleed.com/.
If you find a vulnerable system you control:
Patch the system immediately to OpenSSL version 1.0.1g or later.
Revoke the affected certificates, generate new SSL private keys, and reissue certificates for the new keys.
Terminate any active user sessions, forcing password resets.
Follow incident response procedures, notifying customers that they need to reset their passwords as a security precaution.
Consideration should be given to having an external vulnerability assessment performed after corrective actions have been taken to ensure that the vulnerability has been properly addressed.
Users and employees—Safeguards
Reset passwords immediately for sites hosting personal information or financial records.
Ensure passwords are not shared among websites; consider the use of a password manager such as KeePass or LastPass.
Where can I get additional help?
Given the seriousness of this security vulnerability, immediate action should be taken to ensure your organization’s websites are secure and don’t allow your data to be compromised. Should you need assistance, there are several sources on the Internet that can provide the needed information. In addition, Wipfli can provide technical assistance as well as perform a vulnerability assessment of your website to determine whether it is at risk of compromise.
Resource: Heartbleed Bug from Codenomicon – http://heartbleed.com
Neel Mehta of Google Security (discovery), Adam Langley and Bodo Moeller (fix)
Please contact Paul Johnson at 651.766.2895 or firstname.lastname@example.org or your Wipfli relationship executive for further information.