A week of Heartbleed

Posted by   Virus Bulletin on   Apr 14, 2014

OpenSSL vulnerability has kept the security community busy.

The 'Heartbleed' vulnerability has kept everyone on their toes over the last week or so - hitting the mainstream media, prompting widespread warnings for users to change their passwords, and causing many admins to review the security of their web servers.

Bruce Schneier, who is not known for over-hyping threats, described the severity of the Heartbleed vulnerability as 11 on a scale of 0 to 10. Whatever you think of his use of language, few experts would disagree that Heartbleed was particularly bad.

Since we blogged about it last week, many other good posts and articles have appeared. We thought it worth collating some of the better ones.

The Holy grail

CloudFlare's Nick Sullivan (who will speak at VB2014) was among many experts who were sceptical about the possibility of Heartbleed being used to obtain the holy grail: a server's private SSL signing keys. His company set up a vulnerable server and challenged the community to remotely read its private keys from memory. Much to their surprise, several people found the key. One researcher shared his method.

The only right thing to do if you are running a vulnerable (web) server is thus to revoke its SSL certificates. Unfortunately, some web browsers will happily let a user access the site, even when its certificate has been revoked. For some, however, this might be too late anyway: CBC reports that the Canada Revenue Agency has had social insurance numbers of 900 citizens stolen through a successful Heartbleed exploit.

Lack of funding

The fact that anyone can look at OpenSSL's code (because it's open source), yet barely anyone did, has not gone unnoticed. John Levine writes that too many large organisations are using OpenSSL because it's free and aren't paying for code audits, while Dan Kaminsky laments that OpenSSL wasn't treated as the critical infrastructure it had become. Steve Marquess, who calls himself the "money guy" at OpenSSL, also says that the project needs a lot more funding to be able to do its job properly.

Known to the NSA?

Of course, the fact that the vulnerability wasn't publicly disclosed until recently doesn't mean that no one had found it. The vulnerability was introduced in March 2012 and Bloomberg cites two anonymous sources who claim the NSA knew about it all the time and had used it regularly to gather critical intelligence - something the NSA subsequently denied.

Server security

A silver lining to Heartbleed might be that it will prompt many organisations to improve the security of their servers. F-Secure's Jarno Niemela suggests you review your config standards, while Sophos's Paul Ducklin looks at whether two-factor authentication would have helped.

Client security

Heartbleed isn't just a server-side problem though. Clients that run OpenSSL are also vulnerable if they connect to malicious servers, a point made by Rob VandenBrink of the SANS Internet Storm Center, who also lists some applications that use the OpenSSL library.

If you can't laugh...

Finally, no threat is too serious to make jokes about. Xkcd dedicated two comics to the subject, while Graham Cluley posted a new variant of an old joke.

Posted on 14 April 2014 by Martijn Grooten

twitter.png
fb.png
linkedin.png
googleplus.png
reddit.png

 

Latest posts:

Didn't come to VB2017? Tell us why!

Virus Bulletin is a company - and a conference - with a mission: to further the research in and facilitate the fight against digital threats. To help us in this mission, we want to hear from those who didn't come to Madrid. What is your impression of…

Montreal will host VB2018

Last week, we announced the full details of VB2018, which will take place 3-5 October 2018 at the Fairmont The Queen Elizabeth hotel in Montreal, Quebec, Canada.

VB2017 preview: Beyond lexical and PDNS (guest blog)

In a special guest blog post, VB2017 Silver sponsor Cisco Umbrella writes about a paper that researchers Dhia Mahjoub and David Rodriguez will present at the conference this Friday.

Avast to present technical details of CCleaner hack at VB2017

The recently discovered malicious CCleaner version has become one of the biggest security stories of 2017. Two researchers from Avast, the company that had recently acquired CCleaner developer Piriform, will share the results of their investigations…

VB2017 preview: Walking in your enemy's shadow: when fourth-party collection becomes attribution hell

We preview the VB2017 paper by Kaspersky Lab researchers Juan Andrés Guerrero-Saade and Costin Raiu on fourth-party collection and its implications for attack attribution.