Heartbleed's Never-Ending Drip, Drip, Drip
Apr 21, 2014 6:31 AM PT
The Heartbleed vulnerability in OpenSSL has sent just about everyone who uses the Web for fun or profit gibbering madly in search of a solution, creating fertile ground for spammers, scammers and marketing types.
Canada is in an uproar following a disclosure by the Canada Revenue Agency that a hacker had exploited Heartbleed to steal about 900 social insurance numbers from it over a six-hour span. Canadian authorities have charged a 19-year-old university student in connection with the action.
In the UK, parenting site Mumsnet was hacked, user accounts were hijacked, and 30 users' names and other information were published on Pastebin.
Several companies have launched tools that claim to detect whether servers are affected by Heartbleed, but most of these tools are themselves flawed and report a system as not vulnerable when it actually is, according to Adrian Hayter, a security expert at CNS Hut3.
A Putative Fix
The OpenSSL Software Project has issued a fix, and recommends upgrading immediately to OpenSSL 1.0.1g or, failing that, recompiling OpenSSL with the Heartbeat extension that caused the vulnerability disabled.
However, "these options are only available to users who control their Web servers or their devices," Daniel Ingevaldson, CTO at Easy Solutions, told the E-Commerce Times.
OpenSSL "is embedded in millions of devices, apps and systems around the world," Ingevaldson pointed out. These systems must be upgraded through firmware provided by their manufacturers.
"If history is any lesson, when Internet-scale vulnerabilities are announced that require firmware updates, we can count on a persistently vulnerable population of devices," Ingevaldson continued. "This population may stay vulnerable for years, or until these devices become obsolete and are replaced."
The Pain Heartbleed Can Cause
If an attacker can hit a server and compromise a user's credentials or private keys for authenticating remote connectivity, the attacker could impersonate that user and gain access to the corporate network, John Miller, security research manager at Trustwave, told the E-Commerce Times.
Client applications depending on affected versions of OpenSSL are vulnerable to the same types of data disclosure as servers are, but the scope is "a bit more restricted, since exploiting a single client doesn't have the same impact as attacking a common server does," Miller said.
Hackers might try to coax users of client applications into connecting to a malicious server, an attack that "remains within the realm of a mildly sophisticated adversary," Miller said.
Coping With the Mobile World
The proliferation of BYOD devices in the enterprise constitutes another point of attack for the Heartbleed vulnerability.
Cisco's AnyConnect for iOS, and Juniper's Junos Pulse (Mobile) for iOS 4.281 to 3.082 and higher, and Pulse (Mobile) for Android 4.281 to 5.083, are vulnerable to the flaw. Ironically, Pulse (Mobile) for iOS is vulnerable only if used in the United States federal government's FIPS mode, Juniper has warned.
One solution is for enterprises to leverage their mobile device management solutions to granularly control access to enterprise resources, Jeff Debrosse, Websense's director of security research, told the E-Commerce Times. This can be tied to policies that can be changed over time to reflect an upgraded security posture.
"If an organization isn't using a centralized policy management and enforcement solution, BYOD management will be a very difficult task, and new security concerns will exponentially increase that difficulty," Debrosse suggested.
False Tools and Scammers
IT staff may be reluctant to use tools that claim to detect whether servers have been affected by Heartbleed, given Hut3's finding that most of these tools are in effect useless and that some are fakes put up to lure the unsuspecting to a malicious website. There is, however, a way to weed out the fakes.
Reputation analysis tools, such as Websense's CSI: Ace Insight, can be used to confirm that the sites claiming to host Heartbleed detection tools are genuine, Debrosse said.
Ordinary users won't gain anything by going to a website offering to test other sites for Heartbleed, Trustwave's Miller suggested.
"At best, the legitimate tools are performing an attack against a website they are not authorized to test, and at worst it could just be a ruse to spread malware or capture user information," he explained.
Admins responsible for managing an SSL-protected service can get tools to perform the tests themselves instead of turning to third parties, Miller said.
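The simplest check an admin can run locally, before reaching for any third-party scanner, is against the installed library itself. The following is an added example, not code from the article or from the OpenSSL project: it parses the output of `openssl version -a` and classifies the build using the upstream facts stated in the advisory (1.0.1 through 1.0.1f and 1.0.2-beta1 affected, 1.0.1g fixed, a rebuild with -DOPENSSL_NO_HEARTBEATS as the workaround). The `compiler:` line that `openssl version -a` prints carries the build's CFLAGS, which is where that define shows up. The sample outputs embedded below are constructed, and the function and constant names are the example's own. One caveat the code labels explicitly: distributions such as Debian and Ubuntu backported the fix without changing the upstream version string, so a version in the affected range is a prompt to check the package changelog or run a live test, not proof of exposure.

```python
import re
import subprocess
from typing import NamedTuple, Optional

# Added example (not from the article or from OpenSSL): classify a local OpenSSL
# build from the output of `openssl version -a`.
#
# Facts used: the OpenSSL advisory lists 1.0.1 through 1.0.1f and 1.0.2-beta1 as
# affected, 1.0.1g as fixed, and a rebuild with -DOPENSSL_NO_HEARTBEATS as the
# workaround. `openssl version -a` prints a "compiler:" line with the build's
# CFLAGS, which is where that define appears.

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    letter: str          # "" for 1.0.1, "e" for 1.0.1e, ...
    beta: Optional[int]  # 1 for 1.0.2-beta1, None for releases


def parse_version(text: str) -> OpenSSLVersion:
    """Parse the first 'OpenSSL x.y.z[letter][-betaN]' token in the text."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version string found")
    major, minor, patch, letter, beta = m.groups()
    return OpenSSLVersion(int(major), int(minor), int(patch), letter,
                          int(beta) if beta else None)


def version_in_affected_range(v: OpenSSLVersion) -> bool:
    """True for upstream versions that shipped the buggy heartbeat code."""
    if (v.major, v.minor, v.patch) == (1, 0, 1):
        # 1.0.1 betas and 1.0.1 .. 1.0.1f affected; 1.0.1g and later fixed.
        # Suffixes are single letters, so lexical comparison is enough ("" < "a").
        return v.beta is not None or v.letter < "g"
    if (v.major, v.minor, v.patch) == (1, 0, 2):
        return v.beta == 1
    return False  # 0.9.8 and 1.0.0 never had the heartbeat extension


def heartbeats_compiled_out(version_a_output: str) -> bool:
    """True if the build's CFLAGS (the 'compiler:' line) carry the workaround define."""
    for line in version_a_output.splitlines():
        if line.startswith("compiler:") and "-DOPENSSL_NO_HEARTBEATS" in line:
            return True
    return False


def classify(version_a_output: str) -> str:
    """Return one of: not-affected, mitigated-by-build-flag, version-in-affected-range."""
    v = parse_version(version_a_output)
    if not version_in_affected_range(v):
        return "not-affected"
    if heartbeats_compiled_out(version_a_output):
        return "mitigated-by-build-flag"
    # A matching version string is not proof: Debian and Ubuntu, for example,
    # backported the fix without changing the upstream version string, so this
    # result means "check the package changelog or run a live probe".
    return "version-in-affected-range"


def local_openssl_status() -> str:
    """Run the real binary on this host (not used by the constructed samples)."""
    out = subprocess.run(["openssl", "version", "-a"],
                         capture_output=True, text=True, check=True).stdout
    return classify(out)


# Constructed sample outputs (not captured from real hosts), in the layout
# `openssl version -a` prints.
SAMPLE_UNPATCHED = """OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Feb 11 15:21:49 UTC 2013
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -O3 -Wall
OPENSSLDIR: "/usr/lib/ssl"
"""
SAMPLE_REBUILT = SAMPLE_UNPATCHED.replace("-Wall", "-Wall -DOPENSSL_NO_HEARTBEATS")
SAMPLE_FIXED = "OpenSSL 1.0.1g 7 Apr 2014\ncompiler: gcc -O2\n"
SAMPLE_OLD = "OpenSSL 1.0.0k 5 Feb 2013\ncompiler: gcc -O2\n"
SAMPLE_BETA = "OpenSSL 1.0.2-beta1 24 Feb 2014\ncompiler: gcc -O2\n"

if __name__ == "__main__":
    for name, sample in [("unpatched", SAMPLE_UNPATCHED), ("rebuilt", SAMPLE_REBUILT),
                         ("fixed", SAMPLE_FIXED), ("old", SAMPLE_OLD), ("beta", SAMPLE_BETA)]:
        print(f"{name:10s} {classify(sample)}")
    print("this host:", local_openssl_status())
```

Run it as a script to see the constructed samples classified and then the verdict for the host's own `openssl` binary. The check is deliberately conservative in one direction only: a build flagged "not-affected" or "mitigated-by-build-flag" can be trusted from the version string, while "version-in-affected-range" needs confirmation from the distribution's package changelog or a live test, because the backported distro fixes look identical to the unpatched build here.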
Precautions Users Can Take
Users who get emails warning them to reset passwords and include links should not click on the links, Trustwave's Miller said. They should manually enter the site's URL into their browsers instead.
Businesses should implement security awareness training for their employees, and use antimalware technology designed to detect and filter out malware in real time, Miller suggested.
They also should deploy other security technologies that can strengthen protection across all threat vectors -- networks, applications, databases, email, the Web, endpoints and point-of-sale systems. They should conduct frequent penetration testing and vulnerability scanning as well.
"Be skeptical of unsolicited advice, especially advice that warns of dire consequences for inaction," warned Easy Solutions' Ingevaldson.
"This vulnerability will have a very long tail. Vulnerability assessment teams, independent consultants and auditors will be very busy quantifying exposure to this vulnerability for some time," he remarked.
"There will be many more discoveries of additional systems vulnerable to Heartbleed in the coming months," Ingevaldson continued. "Unfortunately, many of these systems will be legacy, difficult to patch, or even impossible to patch."