What the Hell is Heartbleed , Anyway?
What is Heartbleed?
Heartbleed is a flaw discovered in OpenSSL recently. OpenSSL is the open-source encryption standard used by the majority of sites on the web that need to transmit data users want to keep secure.
Encryption works by making data being sent looks like garbage to anyone but the intended recipient. Occasionally, one computer might want to check that there’s still a computer at the end of its secure connection, so it will send out what’s known as a “heartbeat,” a small packet of data that asks for a response.
Due to a programming error in the implementation of OpenSSL, researchers found that it was possible to send a well-disguised packet of data that looked like one of these heartbeats to trick the computer at the other end of a connection into sending over data stored in its memory.
The flaw was first reported to the team behind OpenSSL by Google Security researcher Neel Mehta, and independently found by security firm Codenomicon. According to the researchers who discovered the flaw, the code has been in OpenSSL for approximately two years, and utilizing it doesn’t leave a trace.
Am I at risk?
While it’s true that not every service has been affected by Heartbleed, it’s still better to be safe than sorry. While you can’t know for sure whether your own data has been compromised, there are a couple of services out there that can help you check whether you’re affected by Heartbleed.
If I am affected what should I do?
If from the checks, you’ve found that you have an account on a site that could be compromised by Heartbleed, you have to decide on a course of action. The common wisdom is to immediately change your password, but this advice ignores one crucial fact: there’s no point changing passwords if the site hasn’t been fixed.
Heartbleed, as discussed earlier, isn’t a simple database leak, so simply changing your passwords won’t help if the problem hasn’t been fixed by the site. Some websites and services, such as Google, will have made this clear, but there will definitely be websites that don’t explicitly state whether they’ve rectified the issue on their end.
What you can do now is to use either of the tool listed above, or check the site to at the GitHub or Mashable lists to see if the service is still vulnerable.
Note that the tool and the GitHub or Masahable list don’t differentiate between services that were never vulnerable and services that have been fixed. It’s probably safer that you change your passwords if the site reports as not vulnerable.
Given the widespread and impact of this vulnerability, from a technical mitigation perspective, check that your security provider or security team does the following.
• Apply the patch
• Generate a new certificate and a new key (failure to do this and patch means attackers may still be able to intercept and man in the middle customers private content)
• Revoke the old certificate and key (important, many are forgetting this)
• Restart the service (many also forgetting this leaving the old secrets or version loaded)
• Validate you are no longer vulnerable with the numerous test sites such as the ones shared above.
• Check all your servers and services, not just the most obvious candidates. Backup servers, hot stand by and others may still be vulnerable. Change your passwords (if the sites has already been patched)
• Changing your passwords
• Implement 2 factor authentication to strengthen your password policies
• Perform targeted vulnerability assessment on all your critical assets