Independent Security Evaluators Offers Heartbleed Suggestions
By Bryan Ellenburg
Undetected for two years, Heartbleed is estimated to affect a full two-thirds of Web servers on the Internet, compromising everything from passwords to credit card numbers.
The Content Delivery & Security Association (CDSA) asked Stephen Bono, owner of technology vulnerability testing company Independent Security Evaluators (ISE), and ISE executive partner Ted Harrington, about the severity of Heartbleed, and what steps businesses need to take to protect themselves going forward.
CDSA: What did ISE advise its customers regarding Heartbleed?
ISE: While testing is important, we also want customers to understand the full ramifications and also where to look. It’s not always obvious. While most everyone heard about Heartbleed, recognizing where to find it was not as common.
1. It’s not just Web applications that are vulnerable. Any service using SSL and specifically OpenSSL of the versions mentioned in our advisory is potentially vulnerable. This could be email servers, file transfer services, messenger applications, etc. The most common applications are Web applications, for sure, but admins need to be looking at all services, not just Web.
2. Not all test sites detect Heartbleed. Many of our customers use custom protocols built on top of SSL, but due to incompatibility with test sites that are designed specifically for Web applications, the vulnerability is not always detected. Still, a custom attack could exploit it. We’ve created custom Heartbleed detection tools for a number of our customers.
3. When recovering from this issue, don’t just create new certificates, you also have to revoke the old certificates. While your patched site may now be secure, if the old key was compromised and there is still a valid certificate matching with it, a false site could be created that browsers still detect as legitimate. Victims should also revoke their potentially compromised keys to avoid this.
CDSA: What steps can businesses and individuals take to determine whether or not they’ve been affected, and to prevent vulnerability?
ISE: Here is a short list of all generic recommended steps, but on a case-by-case basis, victims should assess the severity of this issue and determine what else may need to be done.
If you’re a vendor:
1. Patch OpenSSL.
2. Revoke all compromised and even potentially compromised certificates.
3. Generate, get signed, and install new certificates.
4. Notify customers that their credentials are “potentially” compromised, and should change passwords as a precaution. Also change them on other systems if they were used in multiple places.
5. If there is other sensitive data that can be changed similar to passwords, such as secret question answers, pins, credit card numberss, etc., those should be updated as well.
6. Provide information to users in the form of a notification or FAQ.
If you’re a user:
1. Just change all your passwords now. It’s better safe than sorry.
2. Your vendor probably has a FAQ at this point. Seek it out and follow their specific recommended instructions.
You can use our online or downloadable tool here. There are also many others out there at this point.
CDSA: Just how severe is Heartbleed in scale and scope? Has ISE seen anything comparable?
ISE: Some are saying that this is the worst disaster in the history of the Internet. I’m not sure I would go that far, but this is certainly a very big deal, as it affects a large percentage of services on the Internet, is easy to exploit, and shown to reveal very sensitive information.
I’m not an expert on estimating the global damage, but it seems to me that since this vulnerability does not grind business to a halt, it is not as bad as some other worms and viruses that have done a lot of damage in the past. Most of the vulnerable systems were not and probably have not been exploited, and the massive response is precautionary. That precautionary response is still very expensive to companies though, as we’ve seen since Heartbleed was reveled.
For ISE’s official advisory page on the Heartbleed bug, go here.