Since the disclosure of the CVE-2014-0160 “Heartbleed” vulnerability, the industry has been abuzz with the traditional kneejerk responses that often plague most security teams, and justifiably so; many security practitioners are kissing their weekend goodbye, because this bug is big.
The vulnerability has most notably affected the core security of many Web 2.0 consumer services (Pinterest, Instagram, etc.) including our mobile devices (which could be interfacing with vulnerable services), leaving our credentials and content available to prying eyes. But consider the impact to many other everyday services that the layperson may be less familiar with such as IMAP, POP3, SMTP and XMPP. Ouch. This vulnerability maintains such a broad surface area across the Internet and mobile computing that it effectively strikes at the Achilles heel of how we authenticate and maintain confidentiality during our usage of these critical services.
Heartbleed even extends itself into a much more broader, and strategic supply chain security issue. In recent days, we have learned that even hardware solutions are likely affected, which will prove to be a costly resolution for both vendors and customers in terms of resources. When we consider the potential scale of this, we have to acknowledge everything from legacy solutions to “The Internet of Things” may be left vulnerable for some time.
Since the bug was introduced in December of 2011, with OpenSSL 1.0.1 embedded systems across industries have likely shipped with the bug. From routers, to home security systems, printers, but also SCADA devices or FDA regulated medical devices that contain firmware with vulnerable versions of OpenSSL, that cannot be readily updated without a time consuming testing and approval process. The options are really endless to the scope of what could be significantly affected.
Heartbleed is indeed a serious gamechanger for the security industry, as the secure certificates and encryption we have all grown to trust and rely on are now not as secure as we once thought.
So What Next?
Changing your password now on sites that have announced they have been patched is a good start to protecting yourself against Heartbleed, as is checking to see what sites are still vulnerable. If a site has not been patched yet, the best thing you can do is to not login until you know the site is secure.
Since many affected services have yet to be patched, users should hold off and wait for their service provider to send the “all clear” sign, as changing your password before the site is fixed, you may be opening yourself to the careful eye of a remote attacker.
Since this is security, and we're all paranoid (kidding), we would be remiss if we didn't also remind you to watch out for password reset phishing emails.
What We Are Doing:
We sent the following message to our customers earlier today.
Please know that ThreatConnect and your data are NOT impacted by the CVE-2014-0160 "Heartbleed" vulnerability. All of our private and public cloud deployments of ThreatConnect do not currently, nor have they ever used OpenSSL.
We value you and your privacy and we take security of your data very seriously.
We have been following the Heartbleed situation all week and will continue to monitor it. For your convenience, we are sharing signatures and other relevant Heartbleed updates within the ThreatConnect Common Community. Please follow the latest updates under the Heartbleed tag within ThreatConnect. Please share any data that you find relevant to Heartbleed with your ThreatConnect community. You can also follow our blog for additional updates and commentary.
As an added security feature, you may want to consider using ThreatConnect’s IP Filter or Google 2-Step Verification Authenticator features. Individual users can access these features within User Settings; Organization administrators can access the IP filter within Org Settings and Google 2-Step Verification within User Settings.
- The IP Filter can be customized to only authorize user authentications from trusted networks and IP addresses that you specify.
- The Google 2-Step Verification Authenticator allows you to use your mobile phone to generate a one-time password.
Stay tuned for more Heartbleed news...we have a feeling the fallout effects will be felt long after this week. The story continues to unfold with exactly how long people have known about Heartbleed, and what the impact will be.