Net Access Blog


Pictures From Our FLEXOfficeRecovery Grand Opening Event

Posted by Net Access on Oct 14, 2015 4:20:46 PM

It was a fun and informative afternoon at our FLEXOfficeRecovery grand opening celebration last Thursday in Cedar Knolls. Over 100 guests toured our new business continuity facility, enjoyed Oktoberfest-themed food and drinks and mingled with the Net Access team on a beautiful fall afternoon. Congratulations to Chris Porto from Persistent Telecom for winning our GoPro raffle.

Please click on the picture below to access the photo gallery from this event:


Topics: disaster recovery

Net Access Weather Advisory Notification

Posted by Net Access on Oct 1, 2015 2:21:29 PM

Net Access is closely monitoring the developing weather conditions for Hurricane Joaquin. We have begun our normal operations-related preparations for a storm that could have significant impacts on travel and also cause utility outages. Some of our preparations include:

  • Securing Hotel Rooms for Critical Staff
  • Notification of Fuel Vendors to ensure availability of additional fuel in the event of a long term utility outage
  • Performing Additional Readiness Tests of our UPS and Generation Plants

The National Weather Service's National Hurricane Center is currently forecasting that Hurricane Joaquin could be advancing towards the Northeast US by early to the middle of next week. While the severity of its impact to our area is unknown, our Facilities and Operations teams are taking precautionary measures to guard against service interruptions. Throughout the event, all systems will continue to be monitored as usual.

Additionally, the Facilities and Operations teams will be performing an increased number of visual inspections of the building structure and all critical systems. In the event an emergency response is necessary, incident notifications will be sent. In addition, our Operations Center can be reached 24x7 by calling (973) 590-5050, by logging into the customer portal at https://my.nac.net and opening a ticket, or by emailing operations@nac.net.


Top 10 Reasons to Choose Net Access for your Data Center Needs

Posted by Net Access on May 21, 2015 4:18:35 PM

In honor of David Letterman's final show last night, here is our Top 10 list:


Topics: net access

Congrats to our Parsippany II Opening Event Raffle Winner!

Posted by Net Access on May 18, 2015 8:58:56 AM

Congratulations to Bill Curran from PNY Technologies on winning the Apple Watch raffle at our Parsippany II Data Center Grand Opening Event last week. Enjoy it, Bill!

Security: Heartbleed, Net Access and How It Can Affect You

Posted by Net Access on Apr 24, 2014 10:57:00 AM

So What Is Heartbleed Really?

It’s all over the news that there is a major security flaw in the Internet exposing practically everyone that has ever used it and transmitted private data over it.

The root cause of the problem is in a security protocol called OpenSSL (Secure Sockets Layer) that facilitates encrypted sessions between a client application (web browser, email etc.) and the host application (web server), securing the data that passes between them. What has been discovered is that a flaw was introduced 2 years ago: while these sessions are alive and heartbeat packets are exchanged between the host and client, the session is vulnerable to hijacking by a 3rd party who can spoof the heartbeat packet and intercept the session.

Technically Speaking...

The Heartbleed bug write-up mentions Apache and nginx as being the most notable software using OpenSSL, and also points out that these have a combined active site market share of over 66% according to our April 2014 Web Server Survey. The good news is that not all of these servers are running an HTTPS service, nor are they all running vulnerable versions of OpenSSL with heartbeats enabled. According to estimates, just over 15% of SSL sites are running the heartbeat extension, accounting for around half a million certificates issued by trusted certificate authorities. These certificates are consequently vulnerable to being spoofed (through private key disclosure), allowing an attacker to impersonate the affected websites without raising any browser warnings.

For those of you on Microsoft platforms, only a small percentage of IIS web servers also appear to support the TLS heartbeat extension; these are more likely to be vulnerable Linux machines acting as reverse proxy frontends to Windows servers.

Support for heartbeats was added to OpenSSL 1.0.1 (released in 2012) by Robin Seggelmann, who also coauthored the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension RFC. The new code was committed to OpenSSL's git repository just before midnight on New Year's Eve 2011.

OpenSSL's security advisory states that only versions 1.0.1 and 1.0.2-beta are affected, including 1.0.1f and 1.0.2-beta1. The vulnerability has been fixed in OpenSSL 1.0.1g, and users who are unable to upgrade immediately can disable heartbeat support by recompiling OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag.
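As an added example (not part of the original post or of OpenSSL), the version ranges and build flag quoted above can be turned into a quick triage check over the text printed by `openssl version -a`. The function name, the status strings and the sample outputs are constructed for illustration, and it is an assumption that a build configured with the flag lists it on the `compiler:` line.

```python
import re

# Ranges as given in the post: 1.0.1 through 1.0.1f and 1.0.2-beta/-beta1
# are affected; 1.0.1g carries the fix.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]?)(?:-(beta\d*))?")
NO_HB_FLAG = "-DOPENSSL_NO_HEARTBEATS"


def heartbleed_status(version_output):
    """Classify the text printed by `openssl version -a`."""
    m = VERSION_RE.search(version_output)
    if not m:
        return "unknown"
    base, letter, beta = m.groups()
    in_range = (
        (base == "1.0.1" and beta is None and letter <= "f")
        or (base == "1.0.2" and beta in ("beta", "beta1"))
    )
    if not in_range:
        return "not-affected"
    # Assumption: a build configured with the flag shows it on the
    # "compiler:" line of the version output.
    for line in version_output.splitlines():
        if line.startswith("compiler:") and NO_HB_FLAG in line.split():
            return "heartbeats-disabled"
    # Distribution packages can backport the fix without changing the
    # version letter, so confirm against the vendor's package advisory.
    return "affected"


# Constructed sample outputs (not captured from real hosts).
SAMPLE_VULN = "OpenSSL 1.0.1f 6 Jan 2014\ncompiler: gcc -DOPENSSL_THREADS -O3\n"
SAMPLE_FIXED = "OpenSSL 1.0.1g 7 Apr 2014\ncompiler: gcc -DOPENSSL_THREADS -O3\n"
SAMPLE_BETA = "OpenSSL 1.0.2-beta1 24 Feb 2014\ncompiler: gcc -O3\n"
SAMPLE_NO_HB = (
    "OpenSSL 1.0.1e 11 Feb 2013\n"
    "compiler: gcc -DOPENSSL_THREADS -DOPENSSL_NO_HEARTBEATS -O3\n"
)
SAMPLE_OLD = "OpenSSL 0.9.8y 5 Feb 2013\ncompiler: gcc -O3\n"

if __name__ == "__main__":
    for name in ("SAMPLE_VULN", "SAMPLE_FIXED", "SAMPLE_BETA",
                 "SAMPLE_NO_HB", "SAMPLE_OLD"):
        print(name, "->", heartbleed_status(globals()[name]))
```

A result of "affected" means the version string falls in the advisory's range, not that the host is confirmed vulnerable; check the package changelog or vendor advisory before deciding.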

In all actuality, how serious is the risk to me?

Like all security scenarios, it really comes down to how big the target is (like in the Target credit card hack). For an end-user who is regularly accessing higher profile sites on the Internet for transactional purposes or social networking, it is of greater concern, as hackers usually target these types of assets due to the high volume of traffic, which leads to an increasing likelihood of intercepting useful data for nefarious use later. This is especially so as many Internet users tend to use the same passwords and usernames for a large proportion of their accounts.

According to a recent Netcraft web server survey that looked at nearly 959,000,000 websites, 66% of sites are powered by technology built around SSL, and that doesn't include email services, chat services, and a wide variety of apps available on every platform. 

For a business, if you are running and operating any type of Internet-accessible server or service (web, email, transaction processing) that uses OpenSSL, you are at risk of exposing your user base's secure information on the Internet.

Should I change my password?

This is a simple answer - YES

However, understand that until the vulnerability is fixed and a patch is applied to the server, there is still a risk that data can be intercepted. Also, remember to use good password practices that combine case, numbers and symbols to create a complex passcode that is much harder to crack.

To help you remember your passcode, create a passphrase or rhyme that uses the first letters of each word, numbers and symbols such as:

     ! I walk my kids to school @ 830 Every day = !Iwmkts@830ED

Unfortunately, not all websites accept symbols in passwords; however, I expect this will become more apparent in the very near future.

So, we operate servers that use OpenSSL. What should we do?

Apply updates and patches to your system as soon as they become available, then notify all your end users and clients to change their passwords. To enhance security, implement passcode-type practices and enable symbols and the like within the system; also, for internal purposes, consider implementing strong authentication using token-based solutions from companies like RSA.

What is Net Access doing about this?

Net Access has a culture of operating highly secure infrastructure, systems and secure managed services. Our security team is constantly assessing all our platforms on an ongoing basis. We are proud to say that all systems are go, the customer portal was never at risk and we do not anticipate any adverse effects due to the 'Heartbleed' crisis.

We are also working with vendors and partners to ensure any systems we interface with are also secured.


Topics: heartbleed, ssl, security, ddos, heart beat, heart bleed, net access, risk, RSA