A roadmap for triaging Heartbleed exposures

April 11th, 2014

By Byron Acohido, Last Watchdog

The acute notoriety of Heartbleed is a good thing in this sense: it ought to compel CIOs and CISOs to drill down on developing a roadmap for dealing with exposures that could run very deep.

The most worrisome aspect of Heartbleed arguably is the fact that this gaping security hole is so pervasively embedded in the fabric of the commercial Internet. “There are a few protocols that dominate when it comes to the security and operation of the Internet as a whole; SSL/TLS is one of them,” says TK Keanini, CTO at Lancope. “Everyone should have seen this coming.”

Companies and organizations ought to be scrambling over the next several days and weeks to triangulate and mitigate potential exposures relating to the wide use of the OpenSSL encryption protocol recently shown to be dangerously squishy, from a security standpoint, observes Dr. Mike Lloyd, CTO of RedSeal. Top of mind should be the spectre of data thieves and cyber spies hustling to exploit the Heartbleed flaw in order to exfiltrate sensitive data, especially private encryption keys, Lloyd says.

The potential for profound damage is such that a consensus is building in the security community that organizations should seriously consider stopping all transactions for a few days to carry out such an assessment.

The mindset of IT security managers should be: “how fast can you identify unpatched machines and remediate them? Ideally you’d have a real-time map that can expose the vulnerabilities with a simple query or two to identify what’s been affected by Heartbleed, and what’s exposed,” Lloyd says.

Extended exposures

So is this urgency warranted? Absolutely yes.

That’s because it’s not just web servers that are vulnerable, as widely reported this past week. Lancope’s Keanini points out that OpenSSL is also widely used to secure other types of network communication, which may or may not use a traditional browser.

This past week VMware and Cisco led a parade of device manufacturers releasing security patches to address Heartbleed in their devices. “Flaws in cryptographic libraries are much more widespread than flaws in applications because these cryptographic libraries see so much re-use,” Keanini says.

If security managers need any more motivation to move quickly, consider that organized cybercrime and cyber espionage operatives are almost certainly pouring manpower and resources into finding and exploiting Heartbleed holes wherever they can flush them out.

“The bad guys had a head start,” Keanini says. “I’ve gotten reports of users’ credentials stolen and their customers and friends getting emails claiming that they were stuck in the Philippines and they needed to send money.”

Keanini predicts that bad guys in the vanguard will turn next to source code repositories, such as SourceForge and GitHub, to find applications that leverage the vulnerable OpenSSL library and then begin to target those applications.

The bad guys see the hidden value in “any application that needs to speak over the network and protects itself with SSL/TLS via the OpenSSL library,” Keanini says.

High risk web servers

F5 Networks security architecture marketing director Preston Hogue says the severity of Heartbleed is “breathtaking.”

In one attack scenario, a simple message sent to a vulnerable website can cause the site to keep sending portions of its own memory back to the attacker. “The contents of that memory can include extremely high-value collateral such as SSL private keys and passwords,” Hogue says. “There is an irony in that this is in the security code that is supposed to be providing protection in the first place.”

Web servers that are at “high” risk include LAMP and Web 2.0 properties, which typically make heavy use of OpenSSL libraries, according to F5.

A typical LAMP cloud site uses a combination of Apache, MySQL, and PHP. “Given that cloud adoption is a relatively recent phenomenon that overlaps with the introduction of the Heartbleed vulnerability two years ago, these cloud LAMP sites incur the highest risk,” Hogue says.

The web servers used by eCommerce and so-called SLED web sites are at “medium” risk, while financial and defense websites are at “lower” risk, according to F5.

The finance and defense sectors are less reliant on open source solutions and are much more conservative. “They’re much more conservative about upgrading to new versions of software so many of them were never running software that was vulnerable in the first place because it was older than Nov 2011,” Hogue says.

While large organizations can redirect resources to deal with Heartbleed, smaller companies have just as much at risk and share the need to make themselves less of a target.

Five steps

F5 recommends a five-step approach for companies running on-premise hardware using OpenSSL libraries:

1. Take your systems offline.
2. Patch all your vulnerable systems (see the CVE).
3. Get new keys and certificates for any device that was hosting SSL and was exposed.
4. Deploy them.
5. Change significant passwords.
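As an added example (not F5’s or the author’s code), a small Python triage helper that maps a constructed host inventory onto the steps above: it classifies `openssl version` banners and checks whether each host’s certificate and password rotation post-date its patch. Host names, field names and dates are assumptions; version strings alone cannot see vendor-backported fixes, so a flagged host still needs confirmation against the vendor advisory.

```python
import re
from datetime import date
from typing import Dict, List, Optional

def version_vulnerable(banner: str) -> Optional[bool]:
    """Classify an `openssl version` banner: 1.0.1 through 1.0.1f (and the 1.0.2-beta1
    pre-release) carried the bug; 1.0.1g fixed it; 1.0.0 and 0.9.8 never had the
    heartbeat code. Returns None if unparseable. Caveat: vendor-backported fixes keep
    the old version string, so True means 'confirm with the vendor advisory'."""
    m = re.match(r"OpenSSL (\d+\.\d+\.\d+)([a-z]?)(\S*)", banner)
    if not m:
        return None
    base, letter, suffix = m.groups()
    if base == "1.0.2":
        return suffix.startswith("-beta1")
    return base == "1.0.1" and (letter == "" or letter <= "f")


def outstanding_steps(host: Dict) -> List[str]:
    """Map one inventory record to the F5 steps still open for it. Step 1
    (taking the system offline) is a decision, not something a record can show."""
    steps = []
    patched_on = host.get("patched_on")
    if version_vulnerable(host["openssl"]) is not False:
        steps.append("2: patch (or confirm a vendor-backported fix)")
        patched_on = None  # nothing issued so far can be trusted
    elif patched_on is None:
        return []  # never ran the vulnerable code
    if patched_on is None or host["cert_not_before"] <= patched_on:
        steps.append("3/4: reissue and deploy keys and certificates")
    rotated = host.get("passwords_rotated")
    if patched_on is None or rotated is None or rotated <= patched_on:
        steps.append("5: change passwords")
    return steps


# Constructed inventory (hypothetical hosts) in the shape a scanner export might produce.
INVENTORY = {
    "web-01": {"openssl": "OpenSSL 1.0.1e 11 Feb 2013", "cert_not_before": date(2013, 5, 1)},
    "web-02": {"openssl": "OpenSSL 1.0.1g 7 Apr 2014", "patched_on": date(2014, 4, 8),
               "cert_not_before": date(2013, 5, 1)},
    "web-03": {"openssl": "OpenSSL 1.0.1g 7 Apr 2014", "patched_on": date(2014, 4, 8),
               "cert_not_before": date(2014, 4, 9), "passwords_rotated": date(2014, 4, 10)},
    "legacy": {"openssl": "OpenSSL 0.9.8y 5 Feb 2013", "cert_not_before": date(2012, 1, 1)},
}


def triage(inventory: Dict[str, Dict] = INVENTORY) -> Dict[str, List[str]]:
    return {name: outstanding_steps(rec) for name, rec in inventory.items()}
```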

Lancope’s Keanini recommends going deeper. He advises making a list of all supply-side vendors and all demand-side consumers, then alerting them to potential Heartbleed exposures. “This is the boundary of the problem. You will want to make sure they are all aware of the problem,” Keanini says. “It is a pain but you should wholesale change all your passwords both personal and in business for good measure.”

For organizations using hosted third party services for web presence, if you haven’t received some kind of advisory from your provider you need to contact them and find out what they’re doing to mitigate Heartbleed exposures. If you are not satisfied, think about switching providers.