The Internet is buzzing about one of the most widespread vulnerabilities seen in ages. The bug is called "Heartbleed" and it directly impacts all servers, network appliances and other devices that use OpenSSL 1.0.1 branch are vulnerable up to version 1.0.1g. When exploited, Heartbleed allows attackers to read server memory in 64K chunks. This can allow a determined attacker to download and map a large portion of protected server memory, which may include sensitive data like private keys, usernames, passwords, credit card numbers and more.
How does a server bug effect individuals?
Why does this matter to you if you don't run a server? Because we all rely on them for our every day activities online, including, but not limited to accessing web sites, e-mails, instant messaging and more. Think of your online bank account, credit card and other sensitive accounts as the highest priority targets for hackers. This vulnerability has actually existed for well over a year in the wild and was only publicly discovered and addressed (by some vendors) this week.
The amount of time the vulnerability has existed is quite important, because one can only assume that every OpenSSL 1.0.1 secured communication during this period of time, as well as the servers facilitating them may have been compromised. That means that even though you may not operate your own server, you do still interact with them on a daily basis. And most of those servers require authentication. Many of them store sensitive and communicate data. This means that even though you may not have felt any impact yet, there could be a massive attack on compromised accounts in the works.
What can I do to defend myself?
My recommendation is to change every single password you use. Assume they have all been compromised. Do not share passwords between multiple websites or user accounts as that significantly weakens your security. Use complex passwords that don't spell words (even with numbers and varying capitalization). Word-based passwords are much, much easier to guess!
Vendors may also issue patches that do not change the version number, but fix the bug. To test if your server is vulnerable you may consider using this Heartbleed bug scanner. Any servers you see that are vulnerable should be avoided until they are patched. DO NOT log on to a server that is not patched or you may put your account at greater risk. Instead call customer service, report the problem and ask them to disable your account until it is fixed. Or change the password over the phone if you feel comfortable doing that.
What if I do have a server or network appliance using OpenSSL?
Your first stop should be your vendor's security vulnerability disclosure web site. Many vendors will show you exactly what has been patched, when and give you methods to install the patch or links to download it. Others may still be working on a patch. Just because your vendor has not listed a new patch for this bug does not mean your device is not vulnerable. OpenSSL is widely used for securing a lot of different types of connectivity, meaning you may find that devices you didn't expect are vulnerable, such as routers, network appliances, load balancing servers and proxies.
If you cannot upgrade to a secure version of OpenSSL, consider disabling SSL temporarily. After all, the bug itself is much more dangerous than the protection that SSL offers. We also recommend revoking and reissuing any SSL certificates that were used so that private keys are regenerated.
Your immediate action plan as a result of this security issue should be:
- Change ALL your online passwords and USE A DIFFERENT PASSWORD on each web user account that you use.
- TEST your server(s) with the Heartbleed bug scanner.
- CHECK THE STATUS of your server vendor's efforts to patch this vulnerability.
About the author
Alexander G. Chamandy is a seasoned information technology professional with more than two decades of experience in the industry. He is a managing member of Envescent, LLC, a business IT solutions provider serving the Washington, DC area.