There is a serious bug out there that can compromise your data, and you probably wouldn't know it if it had.
The Bleeding Heart Bug
The Heartbleed bug (CVE-2014-0160) was publicly disclosed on Monday (7 April 2014) and affects specific versions of the OpenSSL library: releases 1.0.1 through 1.0.1f are vulnerable, and the fix shipped in 1.0.1g. OpenSSL is a widely used open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) cryptographic protocols, and the web servers that commonly rely on it (Apache and nginx) serve about 66% of all public websites. The bug was introduced into the OpenSSL source in December 2011 and has shipped in every 1.0.1 release since March 2012.
The bug is not a weakness in SSL/TLS itself, but a bug in OpenSSL's implementation of the TLS heartbeat extension: a malformed heartbeat request makes the server reply with up to 64 KB of whatever happens to be in its process memory, unencrypted, and the request can be repeated as often as the attacker likes. With enough of these reads, an attacker can recover the server's private key, user passwords, session cookies and any other data that passed through the connection. Compromised keys can then be used to eavesdrop on communications (including recorded traffic, where the connection did not use a forward-secret cipher suite), steal data directly from services and users, and impersonate services and users. The bug also works in the other direction: a malicious server can read memory from a vulnerable client, so OpenSSL-based client software is affected as well.
Who is vulnerable?
Because OpenSSL is so widely deployed and exploitation leaves no trace in normal server logs, everyone should assume exposure: you cannot tell after the fact whether your data was read.
Websites are not the only things at risk; many hardware and software vendors build OpenSSL into their products. Cisco and Juniper have published advisories listing affected products.
What should you do?
All businesses, website owners and users of affected services should take action on this bug.
Step 1: Determine if any of your servers may be affected.
You can use the check script on Filippo Valsorda's web site to test your public services; it sends a malformed heartbeat to the server and reports whether memory came back. Only test services you are responsible for or have permission to test.
Check with vendors if any of your internal services may be affected.
Website owners whose sites run on hosted services should ask their provider whether they have taken action on the bug and whether they were ever vulnerable.
Step 2: Patch services for which you are able to patch yourself.
These include physical or virtual servers you own or rent, and any internal or private servers and devices. After installing the updated package, restart every service that had the old library loaded (or reboot); otherwise the running processes keep using the vulnerable copy.
Step 3: Re-Key your SSL Certificates
Re-keying means generating a new private key, obtaining a new certificate for it from your certificate authority, installing both, and revoking the old certificate. Reinstalling the existing key does nothing, and a new key with the old certificate will not work, because the certificate is bound to the public half of the old key. The risk that any given key was extracted may be small, but since you cannot know whether it was, this is a recommended precautionary step.
Step 4: Change your passwords
It's important that you change any passwords you have on affected systems AFTER the service has been patched and re-keyed. Changing a password before then sends the new password through the same vulnerable software, and if the server's key was already compromised, the attacker may be able to read it. Session cookies and API tokens that were live while the server was vulnerable should be invalidated as well, since they could have been read out of memory just like passwords.
If you are a user of a service and don't run any services yourself, find out from the provider whether they were vulnerable and whether they have patched (or use the check script from Step 1), and only then change your password there.
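The server-side part of Steps 1 to 3, as an added shell example that is not part of the original post and is not OpenSSL's own tooling. It assumes a Linux host with openssl, lsof and awk installed; the script name heartbleed.sh, the hostname www.example.com and the version strings in the demo are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenSSL.
# Helpers for Steps 1-3: classify an "openssl version" string, find services
# still running on a stale libssl after patching, and generate a fresh key
# and CSR for re-keying. The version strings in the demo are constructed.
set -u

# Step 1: return 0 if the "openssl version" output names an affected release.
# Affected upstream releases: 1.0.1 through 1.0.1f and 1.0.2-beta1
# (fixed in 1.0.1g / 1.0.2-beta2). The 1.0.0 and 0.9.8 branches never had
# the heartbeat code. Caveat: distributions often backport the fix without
# changing the version number, so a match means "check further" (for example
# `apt-get changelog openssl` or `rpm -q --changelog openssl` for CVE-2014-0160),
# not "definitely vulnerable".
heartbleed_version_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([^ ]*\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1[a-f]*|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 2 follow-up: after the package upgrade, processes that were already
# running still have the deleted old library mapped. lsof reports such
# mappings with "DEL" in the FD column; anything listed here needs a restart.
services_on_stale_libssl() {
    lsof -n 2>/dev/null | awk '$4 == "DEL" && $NF ~ /lib(ssl|crypto)/ {print $1, $2}' | sort -u
}

# Step 3: new private key plus a CSR to submit to the CA. The old key must be
# treated as compromised: revoke its certificate once the new one is installed.
rekey_csr() {
    host=$1
    umask 077                          # key file readable by owner only
    openssl genrsa -out "$host.key.new" 2048
    openssl req -new -key "$host.key.new" -subj "/CN=$host" -out "$host.csr"
    echo "Submit $host.csr to your CA, install the new key and certificate, then revoke the old certificate."
}

# Demo on constructed version strings, formatted as "openssl version" prints them.
for v in "OpenSSL 1.0.1e 11 Feb 2013" \
         "OpenSSL 1.0.1e-fips 11 Feb 2013" \
         "OpenSSL 1.0.1g 7 Apr 2014" \
         "OpenSSL 1.0.0k 5 Feb 2013" \
         "OpenSSL 0.9.8y 5 Feb 2013"; do
    if heartbleed_version_affected "$v"; then
        echo "AFFECTED RANGE : $v"
    else
        echo "not affected   : $v"
    fi
done

# Real use on the host being checked (heartbleed.sh and www.example.com are placeholders):
#   heartbleed_version_affected "$(openssl version)" && echo "investigate further"
#   services_on_stale_libssl
#   ./heartbleed.sh rekey www.example.com
if [ "${1:-}" = "rekey" ] && [ -n "${2:-}" ]; then
    rekey_csr "$2"
fi
```

The version check deliberately errs on the side of saying "investigate": a matching version string is a reason to look at the package changelog or run the external check, not proof of vulnerability, and a non-matching one on a self-built OpenSSL is only as trustworthy as the build. The stale-library check is the part people forget; a patched package with the web server still mapping the old libssl is still exploitable until that process restarts.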
Don’t Panic
While the bug is serious, it’s important to not panic. Keep a clear head and follow the steps.
For more information about the bug, and for updates, see heartbleed.com.