The recently discovered Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library that allows cybercriminals to steal information that would normally be protected by the SSL/TLS encryption used to secure the Internet. But just how serious is this and is there anything you can do to stay safe?

Here’s what the experts have to say…

Tony Caine, VP and general manager, APJ & EMEA, HP Enterprise Security Products:

"The ‘heartbleed bug’ seems to exploit a tiny error, overlooked in the original coding. This shows just how important it is for due process and care to be taken in the development stages of new software. It also once again demonstrates that traditional perimeter security is dead and that security breaches are inevitable – organisations need to realise this and allocate resource to finding and containing threats once they have gained access to the system.

"In 2013 on average threats went undiscovered for 243 days – a huge amount of time. In research we commissioned we found that on average companies which invested in detecting and containing attacks saved about $4m per year in potential costs as a result of cyber crime. Additionally, it’s essential to stress the importance of organisations regularly patching software in order to mitigate threats and encourage users to do so as soon as possible."

Joe Abbey, director of Software Engineering at Arxan Technologies:

"Unlike the Target incident, which required malware on end-point devices (POS terminals), this exploit allows scanning of server memory from any end-user machine on the Internet without the requirement to get any malware on to the computer. Also, in the Target incident the software exploited was an obscure POS application, whereas this exploit is in code that is open source and has been reviewed by literally thousands of expert eyes for years (showing that a severe exploit can exist right in plain sight).

"It basically changes everything about what must be considered as viable attack surfaces for server side exploits. Enterprise scanner side capabilities are out there. Layered security is essential and it needs to extend into other layers so that the defense is being distributed and deployed via the complete stack. You must protect your data and keys and embed security mechanisms directly into server software."

Roland Dobbins, senior analyst at Arbor Networks Security Engineering & Response Team (ASERT):

"This is an extremely serious situation, which highlights the manual nature of the tasks required to secure critical Internet services such as basic encryption and privacy protection.

"There are no automated safeguards that can ameliorate these issues. And what most people don’t realise is that if attackers captured packets in the past from vulnerable systems and retained those captured packets, they’ve the opportunity now to use analysis tools to replay those packets and decrypt the Internet traffic contained in those packets.

"In terms of remediation, there’s a huge amount of work which must be done, not only for servers, but for load-balancers, reverse proxies, VPN concentrators, various types of embedded devices, etc. Applications which were statically compiled against vulnerable versions of the underlying OpenSSL libraries must be re-compiled; private keys must be invalidated, re-generated, and re-issued; certificates must be invalidated, re-generated, and re-issued – and there are a whole host of problems and operational challenges associated with these vital procedures.

"A key lesson here is that OpenSSL, which is a vital component of the confidentiality and integrity of uncounted systems and applications and sites across the Internet, is an underfunded, volunteer-run project which is desperately in need of major sponsorship and attendant allocation of resources.

"And serious questions have been raised regarding the notification process surrounding this vulnerability. The operational community at large have voiced serious disapproval surrounding the early notification of a single content delivery network (CDN) provider, while operating system vendors and distribution providers, not to mention the governmental and financial sectors, were left in the dark and discovered this issue only after it was publicly disclosed via a marketing-related weblog post by the CDN vendor in question. It has been suggested that the responsible disclosure best practices developed and adopted by the industry over the last decade were in fact bypassed in this case, and concerns have been voiced regarding the propriety and integrity of the disclosure process in this instance."

Geoff Webb, senior director of solution strategy at NetIQ:

"This is yet another situation where it is coming to light that the basic, foundational elements of the Internet we thought were secure – and are required to keep our content and communications safe – are fundamentally vulnerable.

"First it was encryption. Now it is OpenSSL, which affects secure communications over the Internet. The larger challenge we now face is that we are about to build an enormous edifice on this foundation – the Internet of Things – and it appears that we are about to build on a very sandy foundation."

Mark Bower, VP of Product Management and Systems Architecture at Voltage Security:

"While Heartbleed presents clear and present risk of exploit and active attack to systems to steal data, the big danger is to systems that have been relying on secure communications for things like key and credential exchange since the first affected version of OpenSSL was deployed. So, affected entities need, in particular, to consider the external use of affected versions of OpenSSL in use, and establish what might have been transported and has been potentially at risk in past SSL sessions with client systems or other servers. That itself might be very difficult, and require consideration for changing transported credentials, certificates or monitoring other sensitive data exposed which could lead to secondary compromises, theft, or further malware infestation.

"Security vulnerabilities will always exist, and provide the ideal beachhead for attackers to establish the data-stealing malware infantry front line. In this case, Heartbleed’s significant data theft risk also emphasises the need to take a different approach to data protection above and beyond SSL – for example, encrypting the data well before it enters and exits the SSL tunnel so that even if the transport is compromised, the data itself has no value to an attacker. This ‘data-centric’, or end-to-end protection model can reduce the need for SSL in the first place in some cases, and also protect data well beyond where SSL starts and stops. And for cases where SSL plays a critical and essential role, use transport mechanisms that are unaffected or patched against this particular risk as soon as possible."

Mark Schloesser, security researcher at Rapid7:

"The ‘Heartbleed’ SSL vulnerability affects widely deployed versions of the OpenSSL library which is used in the majority of software, including web-, email-, database- and chat-servers. It allows the attacker to read a portion of memory from the remote system without the need for any known credentials or other authentication forms.

"The leaked memory areas might contain a lot of different contents ranging from leftover data from previous communication over log messages up to private key material employed by the service / daemon. For this reason, there are lots of possible attack scenarios that can result from the vulnerability. An attacker who gains access to the private key of the server certificate can subsequently mount man-in-the-middle attacks against clients and impersonate the server/service. Log messages might also contain credentials or affect the privacy of communications by other clients.

"Looking only at web servers it seems that OpenSSL 0.9.8 and 1.0.0 are still the most popular versions, which are not affected. However we count at least a few hundred thousand servers using affected library versions so that it poses a significant threat. As the same problem affects other protocols / services such as mail servers and databases, we assume that overall we’re looking at millions of vulnerable systems connected to the public Internet.

"It is essential that all affected systems get updated immediately. Also, to mitigate attacks resulting from any potentially leaked keying material, any SSL keys from affected systems should be replaced and revoked. Depending on the service / protocol, one needs to think about other potentially leaked data and take appropriate action."
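The unauthenticated memory read that Schloesser and Abbey describe comes down to one missing length check. The C model below is an added example written for this page, not OpenSSL's code: a simplified heartbeat handler run over a constructed memory image, with the vulnerable form beside the fixed one. The record layout, the handler names and the fake key fragment that follows the record in memory are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified heartbeat record: type(1) | payload_len(2, big-endian) | payload | padding(16) */
#define HB_REQUEST 1
#define HB_PADDING 16

/* Constructed "process memory": the received record sits directly in front of
 * unrelated data (a fake key fragment) that must never be sent back. */
unsigned char g_memory[64];
const char *g_secret = "-----BEGIN KEY-----";   /* 19 bytes, constructed */

/* Lays out one heartbeat request with a 4-byte payload and whatever length the
 * sender declared; returns the number of bytes that actually arrived (23). */
size_t setup_memory(uint16_t declared_len) {
    size_t off = 0;
    memset(g_memory, 0, sizeof g_memory);
    g_memory[off++] = HB_REQUEST;
    g_memory[off++] = (unsigned char)(declared_len >> 8);
    g_memory[off++] = (unsigned char)(declared_len & 0xff);
    memcpy(g_memory + off, "ping", 4); off += 4;
    off += HB_PADDING;                          /* padding bytes stay zero */
    memcpy(g_memory + off, g_secret, strlen(g_secret));
    return 1 + 2 + 4 + HB_PADDING;
}

/* Vulnerable handler: trusts the declared payload_len and copies that many bytes, so a
 * length larger than the record echoes whatever follows it. Returns bytes copied or -1. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];   /* never compared with rec_len */
    if (payload_len > out_cap) return -1;                   /* only the destination is bounded */
    memcpy(out, rec + 3, payload_len);
    return (int)payload_len;
}

/* Fixed handler: header, declared payload and padding must fit inside the record
 * that was actually received; otherwise the request is discarded silently. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload_len + HB_PADDING > rec_len) return -1;  /* the missing bounds check */
    if (payload_len > out_cap) return -1;
    memcpy(out, rec + 3, payload_len);
    return (int)payload_len;
}
```

With a declared length of 4 both handlers echo "ping"; with a declared length of 40 the fixed handler refuses, while the vulnerable one copies the padding and the key fragment behind the record into the response.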