Heartbleed – Urgent Steps to Take

by | Apr/14/2014

Heartbleed does not only affect websites. It also affects equipment your organization uses, including VPNs, firewalls, and Android phones, and tools you rely on such as online backup, password managers, and Dropbox. If you are in a huge hurry, just scroll down to the headings that start out “What to Do…”

For more than two years, the most widely used encryption library on the internet has contained a bug that lets an attacker read memory out of a server or device, and this is only now coming to light. Whether anyone exploited it before the disclosure is unknown, and there is no way to find out after the fact. Banking websites you’ve visited, your online backup, your passwords, your Android, your firewall, your VPN, and more are potentially exposed. Simply put, this is a VERY BIG DEAL!

OpenSSL, the de facto standard library for encrypting internet traffic, has just been found to have a serious flaw.

Heartbleed is a bug (CVE-2014-0160) in the TLS “heartbeat” extension of OpenSSL versions 1.0.1 through 1.0.1f. The first vulnerable version was released on March 14, 2012; the fix, OpenSSL 1.0.1g, was released on April 7, 2014. Until then there was no patch, and for every product that embeds OpenSSL there still is none until that vendor ships one. An attack leaves no trace in ordinary server logs, and it isn’t even complicated: a single malformed message returns up to 64 KB of the server’s memory, which can contain private keys, session cookies, and passwords in transit.
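To make the “undetectable” claim precise: an attack is invisible to application logs, but on the wire it is a malformed TLS heartbeat record, which is exactly what the emergency intrusion-detection signatures published in April 2014 keyed on. The Python below is added here as an illustration; it is not code from the original article or from any vendor’s tooling. It parses a captured TLS byte stream and flags the two tell-tale signs: a heartbeat request that claims more payload than the record carries, and a heartbeat response that returns more bytes than the request ever contained. The sample streams are constructed, not real captures; the record layout follows RFC 5246 and RFC 6520. The checks only apply to heartbeats sent in the clear before the handshake finishes, which is how the public test tools sent them, because after the handshake the records are encrypted and a passive sensor cannot read them.

```python
import struct
from typing import Iterator, List, Optional, Tuple

# TLS record layer constants (RFC 5246) and the heartbeat extension (RFC 6520)
CT_HANDSHAKE = 22
CT_HEARTBEAT = 24
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16          # RFC 6520 requires at least 16 bytes of padding
TLS_1_1 = 0x0302


def tls_record(content_type: int, fragment: bytes, version: int = TLS_1_1) -> bytes:
    """Wrap a fragment in a TLS record header: type(1) version(2) length(2)."""
    return struct.pack("!BHH", content_type, version, len(fragment)) + fragment


def heartbeat(hb_type: int, payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Build a heartbeat message. `declared_len` lets us forge the length field
    the way the public Heartbleed test tools did (claim 0x4000 bytes, send none)."""
    declared_len = len(payload) if declared_len is None else declared_len
    return struct.pack("!BH", hb_type, declared_len) + payload + b"\x00" * MIN_PADDING


def iter_records(stream: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Split a captured byte stream into (content_type, version, fragment) records."""
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        fragment = stream[off + 5:off + 5 + length]
        if len(fragment) < length:
            break                      # truncated capture: stop rather than misparse
        yield ctype, version, fragment
        off += 5 + length


def detect_heartbleed(stream: bytes) -> List[str]:
    """Return one alert string per suspicious heartbeat record in `stream`.

    Two checks, mirroring the emergency IDS signatures of April 2014:
      1. a request whose declared payload length exceeds what the record carries
         (a compliant receiver must discard it; OpenSSL 1.0.1-1.0.1f answered it);
      2. a response that returns more bytes than the preceding request contained,
         which can only be memory the server leaked.
    """
    alerts: List[str] = []
    last_request: Optional[bytes] = None
    for ctype, _version, fragment in iter_records(stream):
        if ctype != CT_HEARTBEAT or len(fragment) < 3:
            continue
        hb_type, declared = struct.unpack("!BH", fragment[:3])
        carried = len(fragment) - 3           # payload + padding bytes actually present
        if hb_type == HB_REQUEST:
            if declared > carried - MIN_PADDING:
                alerts.append(f"malformed heartbeat request: declares {declared} "
                              f"payload bytes but the record carries {carried}")
            last_request = fragment
        elif hb_type == HB_RESPONSE and last_request is not None:
            sent = len(last_request) - 3
            if declared > sent:
                alerts.append(f"heartbeat response returns {declared - sent} bytes "
                              f"more than the request contained (memory leak)")
    return alerts


# Constructed sample traffic (not a real capture). A handshake record is
# included in both streams to show that non-heartbeat records are skipped.
FAKE_CLIENT_HELLO = tls_record(CT_HANDSHAKE, b"\x01\x00\x00\x04\x03\x02\x00\x00")
BENIGN_STREAM = (FAKE_CLIENT_HELLO
                 + tls_record(CT_HEARTBEAT, heartbeat(HB_REQUEST, b"ping"))
                 + tls_record(CT_HEARTBEAT, heartbeat(HB_RESPONSE, b"ping")))
ATTACK_STREAM = (FAKE_CLIENT_HELLO
                 + tls_record(CT_HEARTBEAT, heartbeat(HB_REQUEST, b"", declared_len=0x4000))
                 + tls_record(CT_HEARTBEAT, heartbeat(HB_RESPONSE, b"\x00" * 0x4000)))

if __name__ == "__main__":
    for name, stream in (("benign", BENIGN_STREAM), ("attack", ATTACK_STREAM)):
        print(name, detect_heartbleed(stream) or ["no alerts"])
```

The first check fires on the request alone, so a sensor that sees only the client side still catches a probe; the second check confirms that the server actually answered it, which is what distinguishes a vulnerable host from one that silently dropped the bad request.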

WEBSITE SECURITY WAS AN ILLUSION SINCE MARCH 14, 2012

What’s been “in the news” the most is that attackers can read sensitive data out of some websites including:

• Banking websites
• Credit card shopping carts
• Financial sites
• Medical sites
• Online backup
• Password managers
• Your website – maybe

Mashable.com reports that some of the sites affected include:

• Amazon
• Box
• Dropbox
• GoDaddy
• Google
• LastPass
• Yahoo
• YouTube
• Many others

ANDROID PHONES, VOIP PHONES, FIREWALLS, VPNS:
FALSE SENSE OF SECURITY SINCE MARCH 14, 2012

Heartbleed isn’t just about websites. The routers, wireless access points, firewalls, and other devices inside your network may be vulnerable too. Both Cisco and Juniper have announced that some of their products are affected. Cisco is a market leader and, if they are vulnerable, you can bank on the fact that many other vendors besides Juniper are too.

What about “secure” VPNs? Yes, those too may be affected, because many VPN appliances are built on OpenSSL.

Remember that SSL is everywhere! It is the de facto standard, and every device and program that uses a vulnerable version of OpenSSL for SSL/TLS is potentially exposed to Heartbleed. Products built on other libraries (Microsoft’s SChannel, Java’s JSSE, or the older OpenSSL 0.9.8 and 1.0.0 branches) are not affected by this particular bug, but you usually cannot tell from the outside which library a product uses.

DANGER – YOU AND YOUR WORKERS MAY MAKE THINGS MUCH WORSE

One of the biggest risks to you: We are already seeing a lot of spam messages encouraging users to “click here to get your patch” or “download this file” which, of course, result in the user’s computer getting infected or hacked. People are so worried about Heartbleed that they will be tempted to click on links and download programs themselves. That’s very dangerous, because hackers can build websites that look legitimate. Please let your IT Pros be the ones to apply the fixes.

WHY HEARTBLEED IS EXTREMELY DIFFICULT FOR YOUR IT PROS TO FIX

• DELAYS: IT Pros face a “hurry up and wait” scenario. Now that Heartbleed has been disclosed (after two years of exposure), your IT Pros have to wait for each manufacturer to release a “repair” patch for each affected product. That could take months. With the enormous news coverage, even attackers who did not know how to use Heartbleed last week do now, and public tools make it easy, so all indications are that the number of attacks will grow like a chain reaction.

• BUY NEW EQUIPMENT: If you have anything other than the newest model of hardware or version of a program, the manufacturer may never get around to releasing a patch for it. That means you may need to replace your organization’s hardware and even its software!

• INCOMPLETE INFORMATION: In some cases it is difficult for IT Pros to even tell whether OpenSSL is used inside a device or application until the manufacturer makes a statement to that effect. Some manufacturers may never release clear statements, because they want to protect their brand image.

• ONE DEVICE AT A TIME: Especially with hardware such as firewalls, switches and VPN appliances, your IT Pro will have to patch each device individually.

• RESET, WAIT, AND THEN RESET AGAIN: After a patch is applied, the device’s private keys and certificates have to be replaced and every password that may have passed through it reset (again). Until the patch is applied, anything that crosses the device is potentially “up for grabs,” so a password reset done today only narrows the window; the reset that counts is the one done after the fix and the new keys are in place. You’ll want IT to reset passwords right now, and then again after repairs are made.

WHAT TO DO ABOUT YOUR ORGANIZATION’S WEBSITES

This is especially important if people can log in at your website or if you store sensitive information on it. Ask your web application designer (or hosting provider) whether the site is served by OpenSSL, and if so to patch it; a large share of the world’s HTTPS sites are. Then instruct them to replace the keys: generate a brand-new private key, have the certificate re-issued for that key, and revoke the old certificate. Re-issuing a certificate on the old key does nothing, because it is the key that may have leaked, and there is no way to tell whether it has. Finally, invalidate existing login sessions so that any stolen session cookies stop working.
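A concrete triage step an IT Pro can run on each server, added here as an example rather than taken from the article: classify the output of `openssl version -a`. The version string alone is misleading after distribution backports (Ubuntu 12.04, for instance, kept reporting “OpenSSL 1.0.1” after it shipped the fix), so the function also looks at the build date and at whether the library was compiled with heartbeats disabled. The sample outputs below are constructed, not captured from real machines, and the “probably_patched” verdict is a heuristic that the package changelog or a live heartbeat test must confirm.

```python
import re
from datetime import date
from typing import Optional, Tuple

# OpenSSL 1.0.1g shipped on 7 Apr 2014; Debian, Ubuntu, Red Hat and others
# backported the fix the same week WITHOUT changing the reported version.
FIX_DATE = date(2014, 4, 7)
VULNERABLE_RELEASES = {"1.0.1", "1.0.1a", "1.0.1b", "1.0.1c", "1.0.1d",
                       "1.0.1e", "1.0.1f", "1.0.2-beta1"}
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def parse_build_date(text: str) -> Optional[date]:
    """Pull the date out of the 'built on: Mon Apr  7 22:24:40 UTC 2014' line."""
    m = re.search(r"built on:\s+\w{3}\s+([A-Z][a-z]{2})\s+(\d{1,2})\s+[\d:]+\s+(?:\w+\s+)?(\d{4})",
                  text)
    if not m or m.group(1) not in MONTHS:
        return None
    return date(int(m.group(3)), MONTHS[m.group(1)], int(m.group(2)))


def triage_openssl(version_output: str) -> Tuple[str, str]:
    """Classify the output of `openssl version -a` from one host.

    Returns (status, reason); status is one of
    'vulnerable', 'not_affected', 'probably_patched', 'unknown'.
    """
    m = re.search(r"^OpenSSL\s+(\S+)", version_output, re.MULTILINE)
    if not m:
        return "unknown", "no OpenSSL version line found"
    release = m.group(1).replace("-fips", "")      # e.g. '1.0.1e-fips' on RHEL
    if release not in VULNERABLE_RELEASES:
        return "not_affected", f"{release} is outside 1.0.1-1.0.1f / 1.0.2-beta1"
    if "OPENSSL_NO_HEARTBEATS" in version_output:
        return "not_affected", f"{release} was compiled with -DOPENSSL_NO_HEARTBEATS"
    built = parse_build_date(version_output)
    if built is None:
        return "unknown", f"{release} is a vulnerable release but the build date is missing"
    if built >= FIX_DATE:
        return "probably_patched", (f"{release} built {built}: version says vulnerable but the "
                                    "build date is after the fix; confirm via the package changelog")
    return "vulnerable", f"{release} built {built}: update OpenSSL, restart every service, then re-key"


# Constructed sample outputs (not captured from real hosts).
UBUNTU_12_04_BEFORE = """OpenSSL 1.0.1 14 Mar 2012
built on: Thu Jun 20 18:54:15 UTC 2013
platform: debian-amd64
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -m64 -O3 -Wall
"""
UBUNTU_12_04_AFTER = UBUNTU_12_04_BEFORE.replace("Thu Jun 20 18:54:15 UTC 2013",
                                                 "Mon Apr  7 20:33:29 UTC 2014")
UPSTREAM_1_0_1G = "OpenSSL 1.0.1g 7 Apr 2014\nbuilt on: Tue Apr  8 09:12:00 UTC 2014\n"
NO_HEARTBEATS = ("OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Thu Feb 14 10:00:00 UTC 2013\n"
                 "compiler: cc -DOPENSSL_NO_HEARTBEATS -O2\n")
OLD_BRANCH = "OpenSSL 1.0.0k 5 Feb 2013\nbuilt on: Wed Feb  6 11:00:00 UTC 2013\n"

if __name__ == "__main__":
    for label, out in (("ubuntu-before", UBUNTU_12_04_BEFORE), ("ubuntu-after", UBUNTU_12_04_AFTER),
                       ("1.0.1g", UPSTREAM_1_0_1G), ("no-heartbeats", NO_HEARTBEATS),
                       ("1.0.0k", OLD_BRANCH)):
        print(label, *triage_openssl(out))
```

Run `openssl version -a` on each host and feed the output to `triage_openssl`. Two caveats the output cannot tell you: a patched library on disk does not fix a daemon that loaded the old one, so every TLS-speaking service must be restarted (or the host rebooted); and a web server, mail server or appliance that bundles its own copy of OpenSSL must be checked separately from the system library.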

WHAT TO DO ABOUT WEBSITES YOUR ORGANIZATION USES

First check the sites. If you want to see if a site is vulnerable, there are several tools created for this purpose:

http://filippo.io/Heartbleed/
http://heartbleed.criticalwatch.com/
https://lastpass.com/heartbleed/
https://www.ssllabs.com/ssltest/

Second: Have everyone in your organization reset their passwords on:

• All websites that require them to log in with a password
• All sites that show https:// in the address bar (as opposed to http://, without the s)

Third: Wait until the sites are repaired.

• Websites that were vulnerable remain exposed until the site fixes the problem, and a password changed on an unpatched site can be stolen again
• Once the site has patched and replaced its keys, all members of your organization will need new passwords again

IF YOU USE ONLINE BACKUP, FILE SHARING, PASSWORD MANAGERS, AND OTHER CLOUD SERVICES

Check with your provider. Box, Dropbox, Google, GoDaddy, and other organizations have already made statements explaining the status of their fixes and giving customers any special instructions.

WHAT TO DO FOR THOSE WHO USE ANDROID DEVICES

Only Android v4.1.1, a 2012 “Jelly Bean” release, is vulnerable, so if your Android runs Jelly Bean you had better check the exact version (Settings > About phone). That still affects millions of Android phones. Updates come from the handset maker or carrier rather than from Google directly, so if no update is offered, the phone cannot be patched and should be replaced.

WHAT TO DO FOR VPNS, FIREWALLS, WI-FI EQUIPMENT, ROUTERS, ETC.

Your IT Professionals need to look up each model and manufacturer to get the latest updates, often called “firmware patches.”

Cisco and Juniper have already announced that some of their products are vulnerable and are working on patches. Vendors not only have to write patches, they have to test them extensively, so that when your IT Pro installs one there is less likelihood that the patch itself will cause a problem.

For vendors who are not going to release a fix for your older model devices, buy new devices and patch them before connecting them to your network.

Your IT Professionals may need to go visit each device individually in order to fix them.

WHAT TO DO ABOUT SENSITIVE INFORMATION THAT YOUR CUSTOMERS ENTRUST TO YOU

Your secure databases may be exposed, even the databases on your own servers. This is not because database encryption is broken, but because any server that handled SSL/TLS with a vulnerable OpenSSL could have leaked whatever was in its memory: database credentials, session tokens, and customer records as they were being sent. Remember that the scope includes the components on your network and your web services, including your website, and they have likely been vulnerable for more than two years. Encrypted email gateways, data in the cloud, anything whose SSL/TLS connection was handled by a vulnerable OpenSSL is potentially exposed; files encrypted at rest and never served through such a process are not.

Check with your legal counsel; they may want you to post a notice on your website and send out email messages explaining your current status, what you are doing to repair the problem, and what your customers should expect.

You may decide that, the sooner you address this issue and make a statement, the more credibility your organization will have in the eyes of your customers. Or, you may feel that your reputation would be damaged irreparably.

HOW WILL HEARTBLEED AFFECT THE GLOBAL ECONOMY?

How will Heartbleed affect the world economy? What if attackers have been silently gathering information from banking and other financial sites for more than two years? Your private information? What about the government encryption technology – how much of it was affected? From Corporate America through Mom and Pop businesses, everyone can be affected. And, they will be indirectly affected by their vendors, service providers, and anyone else with whom they do business. Someone who understands economics better than I will know. Heartbleed could be bad.

Remember the Y2K bug we were all worried about when the year went from 1999 to 2000? Heartbleed is akin to finding out in 2002 about Y2K devastation that had already happened more than two years before.

And some people believe that Heartbleed is only the beginning – that there will be other massive exposures revealed after months or years of successful exploitation.

SHARE THIS INFORMATION

Forward this article to your IT Pros, and be aware of this newly discovered, disastrous vulnerability. Tell your employees to “let the professionals handle this.”

Heartbleed exploits leave no trace in ordinary logs, so the organizations and people who thought their data was secure have no way of knowing whether it was taken.

Please post your comments below…