April 14, 2014

Heartbleed - What you need to know

Written by David Kennedy
Penetration Testing Security Testing & Analysis
Heartbleed hit the media, the Twitterverse, and everywhere else the day of its release. There was a lot of initial confusion about what was impacted and what it really meant. Now that the dust has settled just slightly, here's your ultimate guide to Heartbleed and what it means to you. It was also proven, via a CloudFlare challenge, that the private key for SSL encryption could be extracted (http://www.pcworld.com/article/2143080/tests-confirm-heartbleed-bug-can-expose-servers-private-key.html). TrustedSec has compiled a list of useful sites and additional areas around the Internet on affected vendors as well as websites.

What is Heartbleed

Heartbleed is an exposure that was initially introduced into OpenSSL on April 19, 2012 by a programmer (specifically in version 1.0.1). When visiting websites, OpenSSL is a widely used implementation for ensuring encryption around SSL-based communications. A built-in feature called heartbeat is where the initial exposure was introduced. A hacker is able to send requests to a server that ask for more information than is normal, and can read pieces of memory beyond what is supposed to be allowed. This allows successful extraction of sensitive pieces of information from memory. What's in these pieces of data? Almost anything: usernames/passwords, session cookies, private keys, and more.

Is it a big deal? Absolutely. Heartbleed is probably one of the largest vulnerabilities that we have seen in a number of years, based on its criticality and how many servers are impacted by it (an estimated 66% of the Internet).

It's not just websites

Heartbleed didn't just affect a website in a way where you throw a quick patch up and it's fixed. There's the potential for passwords to be extracted as well as other pieces of sensitive information (such as the SSL private key). For a good list of websites that were impacted, visit the Heartbleed website list from CNET. You should change your passwords. Popular websites such as Facebook were impacted as well; you should change your passwords. Although there are no indications that passwords were extracted, detection of this attack was literally non-existent.

Companies

Companies impacted by this should do three major things:

1. Obviously, first is the patch.
2. Change your SSL certificates: revoke the old one and replace it with a newly issued one (i.e. regenerate your private key).
3. Change passwords on your systems.

Am I affected?

To check if a website is impacted by Heartbleed, visit https://filippo.io/Heartbleed/.

Be careful of scammers

Scammers will use the popularity of Heartbleed to target you. Beware of any company that states in an email that you need to change your password. Verify the link and go directly to the site rather than opening an email and clicking the link. TrustedSec has seen a number of customers already targeted by the Heartbleed popularity in targeted phishing and social-engineering campaigns.

Mobile phones are impacted as well

To a lesser extent, Android devices also appear vulnerable through their OpenSSL implementation. While not every Android device is acting as a web server, there are still ramifications here.

Additional links

http://www.cnet.com/news/akamai-heartbleed-patch-not-a-fix-after-all/
http://www.foxbusiness.com/personal-finance/2014/04/14/heartbleed-why-changing-your-passwords-isnt-enough/
http://www.theverge.com/us-world/2014/4/11/5606524/hacker-successfully-uses-heartbleed-to-retrieve-private-security-keys
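The over-read described under "What is Heartbleed" comes down to one missing bounds check on the heartbeat message's declared payload length. As an added example (not code from the original post or from OpenSSL), here is a Python model of a TLS heartbeat record with the check that a patched responder or an IDS rule applies; field layouts follow RFC 6520, and the record builder exists only to construct test input.

```python
import struct
from typing import Optional

# TLS / heartbeat constants from RFC 5246 and RFC 6520.
CONTENT_TYPE_HEARTBEAT = 24
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16          # RFC 6520: padding must be at least 16 bytes
TLS_1_1 = (3, 2)


def build_heartbeat_request(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a TLS record carrying a heartbeat_request (constructed test input, not
    captured traffic). claimed_length lets a test declare a payload_length that disagrees
    with the bytes actually present, which is the malformation the patched check rejects."""
    if claimed_length is None:
        claimed_length = len(payload)
    body = struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BBBH", CONTENT_TYPE_HEARTBEAT, *TLS_1_1, len(body)) + body


def classify_heartbeat_record(record: bytes) -> str:
    """Classify a TLS record the way a patched OpenSSL (or an IDS rule) must: the declared
    payload_length plus the 1-byte type, 2-byte length and 16 bytes of padding has to fit
    inside the record body. A larger payload_length is the Heartbleed over-read request."""
    if len(record) < 5:
        return "malformed"
    content_type, _major, _minor, record_length = struct.unpack("!BBBH", record[:5])
    if content_type != CONTENT_TYPE_HEARTBEAT:
        return "not-heartbeat"
    body = record[5:]
    if len(body) != record_length or len(body) < 1 + 2 + MIN_PADDING:
        return "malformed"
    _hb_type, payload_length = struct.unpack("!BH", body[:3])
    # The bounds check that was missing: 1 + 2 + payload + 16 must not exceed the body length.
    if 1 + 2 + payload_length + MIN_PADDING > len(body):
        return "heartbleed-probe"
    return "ok"


def respond_to_heartbeat(record: bytes) -> Optional[bytes]:
    """Hardened responder: echo back exactly the bytes the client sent and nothing more,
    and silently drop (return None) any record whose declared length does not fit."""
    if classify_heartbeat_record(record) != "ok":
        return None
    body = record[5:]
    _hb_type, payload_length = struct.unpack("!BH", body[:3])
    payload = body[3:3 + payload_length]          # only bytes that are really present
    response = struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BBBH", CONTENT_TYPE_HEARTBEAT, *TLS_1_1, len(response)) + response
```

A record whose declared length exceeds what is on the wire is dropped before any copy happens, which is both the patched server behaviour and a usable detection signature for the "non-existent" detection the post mentions.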