Last updated: 24 April 2014
This content was originally posted on our CloudEntr blog site April 11, 2014.
The dust is settling on what has been an explosive week in digital security. Just 96 hours ago, Codenomicon and researchers at Google announced they had uncovered a major security threat affecting more than 66% of the web. CVE-2014-0160, or what they have nicknamed the Heartbleed Bug, is one of the largest security threats the World Wide Web has seen since it was developed in the early 90s.
Now that some time has passed, we want to take the opportunity to expand on Wednesday’s post, which reassured our CloudEntr customers and partners that we were in the ~36% of the web not affected by the Bug, and dive into what exactly the implications of the Bug were and are.
And, more importantly, discuss what this means for your business and the actions you can take to secure it.
A quick recap – what the heck happened and why you should know about it.
The gravity of the situation is that the bug is pretty serious, or, as renowned computer security expert Bruce Schneier put it, “On a scale from 1 to 10, this is an 11.” To give you some insight into why that is, let’s talk a bit about how information is secured in transit on the web.
The underlying technology encrypting data that flows between your browser and a website you bank, shop, or conduct business on is called Transport Layer Security (TLS), more commonly referred to by the name of its predecessor, Secure Sockets Layer (SSL). This technology is represented in URL addresses by the “s” in HTTPS, indicating that your communications with that particular site are encrypted, meaning third parties won’t be able to read any information sent or received. Here’s what it looks like for the CloudEntr login site:
SSL accomplishes this by turning your communication into an encoded stream that can only be unlocked with a digital key. Many of these sites rely on open-source software called OpenSSL to do it. The Heartbleed vulnerability is a flaw in the OpenSSL software itself; it was not engineered to be that way but is the result of a “mundane coding error”, according to cryptographer Matthew Green. Fortunately, the Bug is limited to versions 1.0.1 to 1.0.2-beta1, but unfortunately, these versions have seen widespread adoption due to the popularity of the software and the two-year time frame over which they were deployed, March 14, 2012 through April 7, 2014.
OpenSSL implements a keep-alive message called a heartbeat, which lets a system at one end of an SSL connection check that the server at the other end is still responding. The Heartbleed Bug makes it possible for cybercriminals to send a server running an affected version of OpenSSL a fraudulent packet that appears to be a heartbeat but actually dupes the server into replying with protected content from its memory, up to 64 KB of it at a time. If the hacker is clever enough, they can leak sensitive user information such as passwords and emails.
“Doing the attack repeatedly in a clever way can potentially leak entire encryption keys, such as the private SSL keys used to protect HTTPS traffic. If an attacker has access to a website’s private SSL key, they can run a fake version of the website and/or steal any information that users send, including passwords, private messages, and credit card numbers,” according to the Electronic Frontier Foundation.
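To make the mechanism concrete, here is an added example (not code from the original post, and not OpenSSL’s own code) that simulates a heartbeat handler in Python. The message layout follows RFC 6520: a type byte, a two-byte payload length, the payload, and at least 16 bytes of padding. The stand-in for server memory, the received record and the secret sitting next to it are all constructed for the demonstration. The vulnerable handler trusts the length field the client sent; the patched handler applies the bounds check that OpenSSL 1.0.1g added, comparing the claimed length against the record that actually arrived and silently dropping the request when they disagree.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2   # heartbeat message types (RFC 6520)
PADDING = 16                     # minimum padding RFC 6520 requires after the payload


def build_heartbeat(claimed_len, payload):
    """Build a heartbeat request: 1-byte type, 2-byte payload length, payload, padding.
    claimed_len goes into the length field and may differ from len(payload);
    that mismatch is exactly what the 1.0.1g check looks for."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING


def _respond(memory, record_offset, claimed_len):
    # Copy claimed_len bytes starting right after the 3-byte header into the reply.
    payload_start = record_offset + 3
    payload = bytes(memory[payload_start:payload_start + claimed_len])
    return struct.pack("!BH", HB_RESPONSE, claimed_len) + payload + b"\x00" * PADDING


def vulnerable_heartbeat_response(memory, record_offset, record_len):
    """Pre-1.0.1g behaviour: record_len is never consulted (that is the bug), so the
    handler copies however many bytes the client claimed, even past the record."""
    hb_type, claimed_len = struct.unpack_from("!BH", memory, record_offset)
    if hb_type != HB_REQUEST:
        return None
    return _respond(memory, record_offset, claimed_len)


def patched_heartbeat_response(memory, record_offset, record_len):
    """1.0.1g behaviour: silently drop any request whose claimed payload, plus header
    and padding, does not fit inside the record that actually arrived."""
    if 1 + 2 + PADDING > record_len:                  # too short for header + padding
        return None
    hb_type, claimed_len = struct.unpack_from("!BH", memory, record_offset)
    if hb_type != HB_REQUEST:
        return None
    if 1 + 2 + claimed_len + PADDING > record_len:    # the added bounds check
        return None
    return _respond(memory, record_offset, claimed_len)


# Constructed stand-in for the server's memory: the received record followed by
# whatever happened to be next in the heap (here, a made-up session secret).
SECRET = b"session=abc123; password=hunter2"


def malformed_request(handler):
    """A request whose length field (64) far exceeds its real 4-byte payload."""
    record = build_heartbeat(claimed_len=64, payload=b"ping")
    memory = bytearray(record + SECRET)
    return handler(memory, 0, len(record))


def honest_request(handler):
    """A well-formed request whose length field matches the payload."""
    record = build_heartbeat(claimed_len=4, payload=b"ping")
    memory = bytearray(record + SECRET)
    return handler(memory, 0, len(record))


if __name__ == "__main__":
    print("vulnerable handler:", malformed_request(vulnerable_heartbeat_response))
    print("patched handler:   ", malformed_request(patched_heartbeat_response))
```

Running the file shows the two replies to the same malformed request: the vulnerable handler’s reply carries the constructed secret that sat next to the record in memory, while the patched handler returns nothing. A well-formed heartbeat, whose length field matches its payload, still gets its normal reply from the patched handler, which is why the fix could ship without breaking the keep-alive feature.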
So now that you know how many servers are affected, upwards of 66%, and how long the vulnerability has been around, two years, you may ask yourself why this suddenly blew up on Monday. Simple: it became public.
What is the damage so far?
Well, it really depends on how you define “damage”. The Bug has certainly affected a number of major sites that businesses use on a daily basis, including Dropbox, Google Apps, and Yahoo. These properties have since made efforts to apply the appropriate patches and secure their sites, but the question is whether any sensitive information was leaked. As validation of the announcement, many firms tested the exploit, one being Fox-IT, who claimed they were able to gather Yahoo username and password data through the vulnerability. The concerning factor is that there is really no way to know whether vulnerable systems were attacked pre-announcement and sensitive data leaked, because Heartbleed provides an attack vector that leaves no trace behind.
Since the bug is the product of a coding error, it is quite possible that hackers were not aware of the vulnerability until Monday’s announcement either. But you can be sure the media attention and the publication of exploit code will start a race in the black hat hacker community to build sophisticated attacks that can do serious damage. So as of April 7th, everyone should assume that malicious hackers are hard at work exploiting Heartbleed, making it imperative for businesses to secure themselves.
What does this mean for business and what can you do now to secure it?
The average company uses 20 or more cloud-based web applications, such as Salesforce.com, Eloqua, and Google Analytics, for day-to-day business-critical tasks. These are the services at risk from the Heartbleed Bug, meaning your business’s data, protected by employee usernames and passwords for these properties, could be at risk. Due to the popular habit of login reuse across applications and the blurring of business and consumer user personas, the risk could spread beyond compromised services to other sites using these same logins.
Just because there is the potential for your data to be compromised doesn’t mean that it has been or will be, but it is important to be vigilant. For that purpose, we have outlined recommended actions to eliminate your vulnerability and reduce your risk:
Eliminate your vulnerability AKA stop the bleeding.
Servers
If your company operates a web service or site, it is important you eliminate the vulnerability for not only your business but your customers and partners.
- Check whether your server is vulnerable, i.e. running an OpenSSL version from 1.0.1 to 1.0.2-beta1. More detail on affected versions is available here.
- Upgrade to OpenSSL 1.0.1g and patch your systems.
- Revoke your current SSL certificate, request a new one, and replace it.
- Communicate with any users you might have and reset all passwords.
For information on this process, check out this PC World article.
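As an added example for the first two server steps (not part of the original post), the following Python script parses the output of `openssl version` and reports whether the version string falls inside the affected range named above: 1.0.1 through 1.0.1f, or 1.0.2-beta1, with 1.0.1g being the fixed release. The version strings used in the demonstration are constructed samples. Two caveats the script cannot see on its own: Linux distributions often backport the fix while keeping the old version number (a patched 1.0.1e, for example), so confirm with your distribution’s advisory or package changelog, and a build compiled with -DOPENSSL_NO_HEARTBEATS is not vulnerable regardless of its version.

```python
import re
import subprocess

# Matches the leading "OpenSSL 1.0.1e" part of `openssl version` output,
# including the patch letter (1.0.1e) or a beta suffix (1.0.2-beta1).
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(text):
    """Return (major, minor, fix, letter, beta) from `openssl version` output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised openssl version output: {text!r}")
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, beta


def is_heartbleed_version(text):
    """True if the version names a stock OpenSSL release in the affected range
    (1.0.1 through 1.0.1f, or 1.0.2-beta1). 1.0.1g is the fixed release, and the
    0.9.8 and 1.0.0 branches never contained the heartbeat extension."""
    major, minor, fix, letter, beta = parse_openssl_version(text)
    if (major, minor, fix) == (1, 0, 1):
        return letter < "g"        # "" (plain 1.0.1) and a..f are affected
    if (major, minor, fix) == (1, 0, 2):
        return beta == "1"         # only the first 1.0.2 beta shipped the bug
    return False


def local_openssl_version():
    """Run `openssl version` on this host (needs the openssl binary on PATH)."""
    result = subprocess.run(["openssl", "version"], capture_output=True,
                            text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    out = local_openssl_version()
    verdict = ("AFFECTED RANGE: upgrade to 1.0.1g or check your vendor's backport"
               if is_heartbleed_version(out) else "outside the affected range")
    print(out.strip(), "->", verdict)
```

On the certificate step that follows: because a leaked private key is the worst case described above, the replacement certificate only helps if it is issued for a freshly generated private key. Reissuing a certificate for the same key leaves anyone who captured the old key able to impersonate the site.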
Hardware
Some hardware, such as routers, firewalls, or other networking devices, also runs embedded versions of the OpenSSL software and is therefore possibly vulnerable. Check with the manufacturers of your hardware as to which products were affected and if/how the OpenSSL 1.0.1g patch will be applied. Here is a list of major vendors who have provided security updates on their products and their recommended fixes: Cisco, Synology, Juniper Networks, F5 Networks, FortiGuard, and Linksys.
Reduce your risk.
To reduce your business’s risk, it is important to take action to secure your organization.
1. Determine your exposure – If you have an internal identity and access management (IAM) system or password manager managing your cloud apps, jump on there and pull a report of all the services and apps your company’s users have in their vaults. And if you don’t, well, better get a pen and paper out and start making a list of the critical services your company uses online. By now most large web services should have gone through the above process to confirm and patch any vulnerabilities, but it is still wise to assess whether the web apps and services your company uses have taken the proper measures before you take action. Check customer communication from the site via email, blog, Twitter, or official statements to the media. If there have been crickets from the site, enter the URL in this online tool built by cryptologist Filippo Valsorda, or, if you prefer the same tool in browser add-on form, Chromebleed will notify you when you visit a site affected by Heartbleed.
To get you started, we have extracted the top 25 cloud-based business apps and services used by our customers and recorded whether they were compromised by the Bug, whether they have since secured their service, and our recommended action, to make the process a little less painful.
Source: Mashable, Github, official customer statements, and direct communication
Updated: 4/14/14
2. Change your passwords – Only after you have confirmed your services have taken the proper precautions to secure their site, change all your passwords. If you or your organization uses common passwords across sites, change the passwords for those services as well. Cybercriminals today have sophisticated tools that make them very skilled at matching identities and credentials across properties, allowing them to gain access to several of your accounts. To avoid this in the future, practice good password hygiene with strong passwords, unique to each site.
3. Enable multi-factor authentication – Enable a simple feature that acts as a second security gate, preventing unauthorized access by asking for more than your password at login. MFA requires “something you know”, such as your password, and “something you have”, like a smartphone. One implementation is a code sent to your phone which you enter after entering your login; others automate this process through a mobile app. Unfortunately, not all sites on the web offer this, but Google, LinkedIn, and WordPress are among those that do. MFA is also available at an aggregated level through an IAM system or password manager.
4. Educate and incite action in your employees – You can make a large time investment in reducing your risk when it comes to the Heartbleed Bug, but without your employees on board it’s like fixing only half the fence. Employees are the front lines of any organization and deal with company data, credentials, and infrastructure on a daily basis. Corporate breaches are on the upswing and research reveals the number one culprit is employee negligence. We encourage you to make your employees aware of the possible threat as a result of Heartbleed and strongly encourage them to act on points 1 and 2. This could be a simple email to your organization, like the below example:
It may seem overwhelming to change the large majority of your passwords and take these 4 steps, but the effort is worth the reward of reducing risk for your company. Breaches can cause significant pain with loss of IP, data, and hard-earned revenue. For those of you managing logins on spreadsheets, Post-it notes, or even by memory, the effort doesn’t have to be quite as painful. There are secure single sign-on solutions that conveniently aggregate and secure your and your employees’ logins all in one place, accessible across devices. Full disclosure: CloudEntr is a secure single sign-on solution, but however you do it, we hope you take this opportunity to spring clean and secure access to your business’s logins.
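To show what the “something you have” factor in step 3 does under the hood, here is an added example that is not part of the original post. The time-based one-time password scheme (TOTP, RFC 6238, built on HOTP from RFC 4226) is what most mobile authenticator apps implement, although the post does not name it. The code generates the six-digit codes from a shared secret and the current 30-second time slot, and shows the server-side verification with a one-slot tolerance for clock drift. The secret used in the demonstration is the published RFC test-vector secret, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for a raw-byte secret and a counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """Time-based one-time password (RFC 6238): HOTP over the current time slot."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time, step=30, digits=6, window=1):
    """Server-side check: accept the code for the current slot or up to `window`
    slots either side of it (clock drift), comparing in constant time."""
    for drift in range(-window, window + 1):
        expected = totp(secret, at_time + drift * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def secret_from_base32(b32):
    """Authenticator apps are provisioned with a base32 secret (often shown in a QR
    code); decode it to the raw bytes the HMAC needs, tolerating missing padding."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # Constructed demo secret: the RFC 4226/6238 test-vector secret, not a real one.
    demo_secret = b"12345678901234567890"
    now = time.time()
    code = totp(demo_secret, now)
    print("current code:", code, "verifies:", verify_totp(demo_secret, code, now))
```

The shared secret never travels with the login: the site and the phone each derive the same code from it and the clock, so a password captured elsewhere is not enough on its own. The one-slot window is the usual trade-off between tolerating a slightly wrong phone clock and keeping each code valid for only about a minute and a half.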