By: Kelly Jackson Higgins, April 10, 2014
What's next now that the mindset is 'assume the worst has already occurred?'
The fallout from the Heartbleed bug likely will be felt for a long time, but the immediate and urgent questions top of mind are which sites and products are affected, and which have been fixed. Then what? The scary reality is that even after a site or product is patched and users have changed their passwords, Heartbleed will not be over.
It is impossible to discern whether nation-states or well-funded cyber-criminals had already known and exploited the flaw for the past two years it's been in circulation in OpenSSL. This bug has also a long tail that spreads to internal networks, applications, and some mobile devices. Digital certificates have been exposed, and what was once a reliable and secure connection, SSL, has been compromised.
"OpenSSL is more than websites: it's server communications, products shipped with black boxes... those are going to take a while to update. Heartbleed is going to have a long-term affect and the industry is going to have to work pretty hard to fix it," says Barrett Lyon, founder & CTO of Defense.Net, a DDoS mitigation firm. "People are getting very diligent and updating things very quickly... But there are always going to be stragglers."
Dan Kaminsky, the security expert who discovered and coordinated the patching of the DNS caching flaw in 2008, says the Heartbleed disclosure represents a whole different ballgame. Kaminsky, who is co-founder and chief scientist at White Ops, says it's traditionally been the case where a bug is found, and the message is now go and fix it.
"In the case of Heartbleed, the presumption is that it's already too late, that all information that could be extracted, has been extracted, and that pretty much everyone needs to execute emergency remediation procedures," Kaminsky said today in a blog post. "It's a significant change, to assume the worst has already occurred."
Adam Vincent, CEO of Cyber Squared, says Heartbleed is a "security-changing event" with far-reaching repercussions. First, cyber-espionage actors are able to decrypt any encrypted information siphoned via this flaw. "They can find and retrieve the private key of a server that encrypted the traffic to begin with. If they have one to ten years' worth of traffic and were using that same private key, then they have encrypted content and have the private key to decrypt it," Vincent says.
Sophisticated and well-heeled cyber-criminals could target corporations or government agencies by using Heartbleed to gain a foothold into a vulnerable, internal server, Vincent notes. They can write a program that collects information from that server. Bad actors likely already are at work exploiting this: "I wouldn't be surprised if some sophisticated organization started pointing a sensor at vulnerable websites while [the site operators] were hustling to get them protected -- capturing as much information as they can on a large scale," he says. "The question is, how long have the bad guys known about [Heartbleed]?"
What to do now
The list of affected sites is a moving target, but several major sites have revealed their statuses. Amazon.com, Twitter.com, HootSuite, and LinkedIn were not affected by the flaw, but Pinterest, Tumblr, and Yahoo are. Mashable has a checklist of the status of major sites here.
Google says it has patched Google Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine prior to the Heartbleed announcement on Monday. Google Chrome and Chrome OS, and the newest Android versions are immune. Android 4.1.1 is affected by the bug, according to Google, and its partners are receiving patch information.
Google Cloud SQL, Compute Engine, and Search Appliance are in the process of getting patched, according to Google. Facebook, meanwhile, patched prior to the Heartbleed disclosure. "We haven't detected any signs of suspicious account activity that would suggest a specific action, but we encourage people to take this opportunity to follow good practices and set up a unique password for your Facebook account that you don’t use on other sites," a Facebook spokesperson said.
Amazon Web Services was affected and has been updated.
Several networking vendors have released updates for products using the doomed OpenSSL version, including Cisco Systems, Juniper Networks, and F5 Networks. Software vendors RedHat, Sophos, and VMware have affected products. A full list and links to vendor updates is available from Carnegie Mellon CERT.
In an analysis of cloud providers susceptible to Heartbleed, Skyhigh found that 368 cloud providers -- including top backup, human resources, security, collaboration, ERM, and storage providers -- had not updated their software 24 hours after the Heartbleed patch was issued.
Meanwhile, experts say, keep calm. Be aware that spammers already are using Heartbleed as a lure for spam and phishing emails about changing passwords, and don't rush to change passwords until the Heartbleed-affected site, service, or vendor, has confirmed that it has patched for the OpenSSL flaw and has a new digital certificate.
There's now a free third-party Google Chrome browser extension available called Chromebleed that screens websites for vulnerability to Heartbleed vulnerability.