Over the past week, the heartbleed bug has driven many to examine their web sites for potential data and encryption key exposure. It’s by far the most serious internet security vulnerability to date.
Explaining what the bug is and how it works would take longer than we have here, but Vox.com has a great rundown for those interested in learning the details. In short, heartbleed exploits the otherwise secure communications between client and server: When you log on to a website, your computer occasionally requests a “heartbeat” from the site’s computer you’re accessing to ensure it’s still there and working – kind of like how you know you’re still on hold and not disconnected when you hear muzak playing over your phone. But for computers, that heartbeat comes back in the form of a “magic word,” with a specified length. Your computer might ask a server to send back the 3-letter word “dog,” for example, to confirm the server is still working on a particular request. But what happens if your computer asks the server for the magic word “dog,” but tells it “dog” is 10 letters instead of 3? Computers only do exactly what you tell them – and that’s where the trouble starts.
It turns out that if a client were to ask a server running the most commonly used SSL security software on the internet – OpenSSL – for the magic word “dog,” but say that word is 64 letters instead of three, the server would send back not only the word, but data from its memory to fill in the extra space. That data might include anything from bank balances and account information, to usernames and passwords. As of a week ago, all a hacker needed was your server’s public IP address; through the flaw in OpenSSL they could then read a wealth of your data.
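The following is an added illustration, not code from this post or from OpenSSL. It models a heartbeat record as a type byte, a two-byte claimed payload length, the payload itself, and 16 bytes of padding, and shows the bounds check that was missing: the server must compare the length the client claims against the length of the record it actually received before copying anything into the response. The record layout, constant names, and helper functions (`make_heartbeat_request`, `build_heartbeat_response`, `heartbeat_demo`) are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST    1
#define HB_RESPONSE   2
#define HB_PADDING    16   /* bytes of padding that follow the payload */
#define HB_MAX_RECORD 256  /* toy buffer size for this example */

/* Build a heartbeat request record (constructed test input for this example).
 * The client may claim any length in the header, independent of the bytes it
 * actually sends; that mismatch is the whole problem. Returns the record length. */
static size_t make_heartbeat_request(uint8_t *buf, size_t cap,
                                     const char *payload, uint16_t claimed_len)
{
    size_t actual = strlen(payload);
    size_t total = 1 + 2 + actual + HB_PADDING;
    if (total > cap)
        return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8);   /* big-endian claimed length */
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + 3, payload, actual);
    memset(buf + 3 + actual, 0xAA, HB_PADDING);
    return total;
}

/* Server side: answer a heartbeat request. Returns the response length,
 * or -1 if the record is malformed and must be dropped. */
static int build_heartbeat_response(const uint8_t *rec, size_t rec_len,
                                    uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The check the vulnerable code lacked: header + claimed payload + padding
     * must fit inside the record we actually received. Without it, memcpy below
     * would read past the request and leak whatever sits after it in memory. */
    if (1 + 2 + claimed + HB_PADDING > rec_len)
        return -1;

    size_t resp_len = 1 + 2 + claimed + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);          /* echo only bytes we were sent */
    memset(out + 3 + claimed, 0, HB_PADDING);   /* real code uses random padding */
    return (int)resp_len;
}

/* Run one request through the server: returns the response length or -1. */
int heartbeat_demo(const char *payload, uint16_t claimed_len)
{
    uint8_t req[HB_MAX_RECORD], resp[HB_MAX_RECORD];
    size_t n = make_heartbeat_request(req, sizeof req, payload, claimed_len);
    if (n == 0)
        return -1;
    return build_heartbeat_response(req, n, resp, sizeof resp);
}

int main(void)
{
    printf("honest \"dog\" (3 bytes claimed):    %d\n", heartbeat_demo("dog", 3));
    printf("dishonest \"dog\" (64 bytes claimed): %d\n", heartbeat_demo("dog", 64));
    return 0;
}
```

The honest request is answered with a 22-byte response (3 bytes of header, the 3-byte payload, 16 bytes of padding); the request that claims 64 bytes while sending 3 is rejected instead of being answered with 61 bytes of whatever happened to be in memory. Detection of the original flaw amounts to the same comparison: a heartbeat reply that is larger than the request that provoked it.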
You can understand why the issue caused such a panic, but truth be told: the heartbleed bug might actually be a great learning experience for internet security professionals. Here’s why:
- We’ve been forced to review our security protocols. In the last week, concerned companies have had to work through the issue with their partners, vendors, and service providers to ensure there would be no problem for our customers. The bug gave us a good reason to touch base and reconfirm our commitment to our clients.
- It was a great test of vulnerability management and incident response. Prepare all you want, but you never know exactly how the market will respond in a crisis. Heartbleed challenged our ability to react in the face of a widespread crisis. We know now, for certain, that the strategies we have in place to defend against a large data breach are effective, and we can work together to bring those issues under control.
- Unknown security weaknesses were brought to light. It’s great to know an effective system and network is in place to handle crises like heartbleed. But it’s even better knowing now, in a concrete, real-world way, how we can improve on that system in the next several months. “What doesn’t kill you makes you stronger” has never been a more apt proverb for data security in the bug’s wake.
- New discussions are taking place to make networks even more secure. The perception that open source software is secure “because other people look at it” no longer holds true. Heartbleed revealed a gap in our thinking: The reality is that open source projects are often low-funded, and open to vulnerabilities. We know now how big of a problem that really is.
If you haven’t already, talk to your leadership about the bug, and make sure you’ve done all you can to protect yourself, your company, and your customers. Know your inventory, and what software is installed on your systems. Establish rules for what is allowed and not allowed on your network. Consider enabling certificate revocation checks in your browser. Purchase scanning tools, and train staff on how to use them properly. Sign up for security alerts from vendors. What other items would you add to the list?
If those items seem familiar, it’s because they’re not only important to protect against heartbleed – they’re common-sense internet security tools that you should have in place regardless of threat.
The information contained in this publication is provided solely for educational purposes. Neither Ontario Systems LLC nor the author offers any legal or other professional advice. Every effort has been made to make this content as accurate as possible at the time of publication. However, there may be typographical and/or content errors. Therefore, this publication should serve only as a general guide and not as the ultimate source of subject information.
© 2014 Ontario Systems, LLC. All rights reserved. Information contained in this document is subject to change. Reproduction of this publication is not permitted without the express permission of Ontario Systems, LLC.