UPDATE: an exploit tool for Heartbleed has been published on the Packet Storm Security website. Lovely. It is called the Bleed Out Heartbleed Command Line Tool.
Oracle has just emailed its community about it. Here is the notice: Security Alert for OpenSSL vulnerability, Heartbleed for CVE-2014-0160. Oracle’s alert says:
Due to the severity and the reported exploitation of CVE-2014-0160 “in the wild,” Oracle strongly recommends applying the patches as soon as possible.
The New York Times article Heartbleed Internet Security Flaw Used in Attack describes an attack the day after the Heartbleed bug was made public. That didn’t take very long! Related to that incident, information security company Mandiant has a blog entry saying:
Mandiant incident responders have already identified successful attacks in the wild by targeted threat actors.
And, to top it off, the New York Times article Heartbleed Highlights a Contradiction in the Web is a very troubling and accurate article highlighting some very serious issues with open source: the funding (or more accurately, lack of funding), and the quality assurance process. It is an indictment against anyone who uses open source software, but does not contribute to the project (like me). Mea Culpa. But, I have lots of company: there are lots of for-profit companies that use open source technologies in their commercial products, but do not contribute.
Heartbleed is all the rage. Everybody is talking about it. OK, ok. So, I need to write something. Here are the results of my research about Heartbleed:
Non-technical details:
Some good non-technical details are here: Avoiding Heartbleed Hype, What To Do To Stay Safe
An article about a possible conflict of interest related to this issue: Former Chief Security Officer for Microsoft the Chairman of the Board of Firm Behind Heartbleed. Hhhhmmmmm….
Some people are wondering if the NSA was involved: The Switchboard: Has the NSA been snooping with Heartbleed?
Who knows? Remember that the Internet is a public network. Be careful what you say and do in public.
What you should do:
Read the entire Forbes article. It is pretty good, and exposes some of the hype: Avoiding Heartbleed Hype, What To Do To Stay Safe
Make sure your computers, smartphones, and tablets are patched.
Apple has stated that iOS and OS X do not have the vulnerability, so they don’t need to be patched. (Third-party software on a Mac that bundles its own copy of OpenSSL is a separate question; update it.)
Windows itself does not use OpenSSL (it uses Microsoft’s own SChannel library), so the operating system does not need a Heartbleed patch. Third-party Windows applications that bundle OpenSSL can be affected, though, so update those just in case.
If you are running Windows XP, you should consider upgrading or switching because there are no more patches for Windows XP: Windows XP is a bigger hacker threat than Heartbleed. I personally believe this is a worse security problem than Heartbleed.
There may be a reason why Heartbleed news came out shortly after the sunset of Windows XP: Former Chief Security Officer for Microsoft the Chairman of the Board of Firm Behind Heartbleed. Hhhhmmmmm….
If you are running Windows XP, and are tired of paying for new software, you could check out Ubuntu. It won’t run Windows programs, but it is a very friendly version of Linux, and almost all of the software on it is free, including Thunderbird email, and the LibreOffice office suite (word processing, spreadsheet, and presentation software, supposedly compatible with their MS Office counterparts).
After the dust settles, plan to do some password changes and credit card number changes. Here is the easiest way:
1) Get a new credit card.
2) Review your old credit card statement, and make a list of all automated charges.
3) Go to the websites to change the credit card number for the automated charges.
- Make sure the website is not vulnerable. The Forbes article tells you how (They may have a public statement on their website, or you can contact them to check.)
- Change your password.
- Enter your new credit card number.
- Save your changes.
4) Repeat until you’ve fixed all the sites where you have automated charges.
5) Cancel your old credit card.
If you have a hard time thinking up a new password, you can get a password manager to do it for you: The Best Password Managers
If you use a mobile device (tablet, smartphone), make sure whatever password manager you choose has mobile support.
When you want to go to a new site, that doesn’t know your new credit card number, just do step 3.
It’s a pain, but that way, it doesn’t matter if anyone knows your old credit card number or not – it’s not valid anymore.
Techno-geek details:
The people who found the vulnerability give a great amount of detail here: The Heartbleed Bug
Of course, heartbleed.com may be subject to a conflict of interest: Former Chief Security Officer for Microsoft the Chairman of the Board of Firm Behind Heartbleed.
Another really excellent technical article: Everything you need to know about the Heartbleed SSL bug
It’s a pain for people who manage servers:
On the server side, a lot of people are racing around, trying to figure out if their products and websites are vulnerable, and scrambling to install fixed versions of software. Only the OpenSSL 1.0.1 branch (1.0.1 through 1.0.1f) is affected; 1.0.1g fixes it, and products built on the older 0.9.8 or 1.0.0 branches never had the bug. We actually have one client (who shall remain nameless) that installed an older version of their VPN gateway, so they would not be vulnerable. That is a stopgap rather than a fix: older releases carry their own unfixed bugs, and once a server has been patched its private key and certificate should be replaced as well, because the bug can expose the key from memory. For people who are managing servers and websites, it is a big deal and a big pain.
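The first question every administrator (and, as the comments below point out, anyone running client software that links OpenSSL) has to answer is "which OpenSSL am I actually running?" The script below is an added example, not code from the original post or from any of the tools it links to: it classifies an `openssl version` style string against the affected range, and then tempers that with a look at the vendor's package changelog, because Debian and Red Hat backport the fix without changing the upstream version letter. The changelog-text argument and the sample strings are constructed for the example; the only assumption is that the vendor names CVE-2014-0160 in its changelog, which those two distributions do.

```python
import re
import ssl

# Added example (not from the original post). Heartbleed, CVE-2014-0160, lives in
# OpenSSL 1.0.1 through 1.0.1f; 1.0.1g (7 Apr 2014) fixed it. The 0.9.8 and 1.0.0
# branches never contained the TLS heartbeat code, so they are not affected.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def is_affected_version(version_string):
    """True if the version string is in the affected range, False if outside it,
    None if the string does not look like an OpenSSL version at all."""
    m = VERSION_RE.search(version_string)
    if m is None:
        return None
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)
    if branch != (1, 0, 1):
        return False      # 0.9.8x, 1.0.0x: never had the bug; later branches: fixed
    return letter <= "f"  # "" (plain 1.0.1) and "a".."f" are affected; "g" and up are fixed


def assess(version_string, changelog_text=""):
    """Combine the version check with the vendor's package changelog.
    Distributions backport the fix without bumping the upstream letter, so a bare
    "1.0.1e" can be a false positive. changelog_text is whatever
    `rpm -q --changelog openssl` or /usr/share/doc/openssl/changelog.Debian.gz gives
    you (assumption: the vendor names the CVE in it, which Debian and Red Hat do)."""
    affected = is_affected_version(version_string)
    if affected is None:
        return "unknown: could not parse version string"
    if not affected:
        return "not affected: branch never had the heartbeat bug, or is already fixed"
    if "CVE-2014-0160" in changelog_text:
        return "probably patched: vulnerable upstream version, but vendor changelog names the fix"
    return "VULNERABLE: upgrade to 1.0.1g or a vendor-patched build, then replace keys and certs"


def check_this_python():
    """Report on the OpenSSL this Python interpreter is linked against."""
    return ssl.OPENSSL_VERSION, assess(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    # Constructed sample inputs for the example, not real scan results.
    samples = [
        ("OpenSSL 1.0.1e 11 Feb 2013", ""),
        ("OpenSSL 1.0.1e-fips 11 Feb 2013",
         "* Mon Apr 07 2014 ... fix CVE-2014-0160 - information disclosure in TLS heartbeat"),
        ("OpenSSL 1.0.1g 7 Apr 2014", ""),
        ("OpenSSL 0.9.8y 5 Feb 2013", ""),
        ("LibreSSL 2.0.0", ""),
    ]
    for ver, log in samples:
        print(f"{ver:35} -> {assess(ver, log)}")
    print("this interpreter:", *check_this_python())
```

Run it on the output of `openssl version` for the system library, but remember that any program can ship its own statically linked OpenSSL (VPN clients and appliances are the usual offenders), so the system check is necessary rather than sufficient. A "probably patched" verdict is still only a changelog claim; the authoritative test is a heartbeat probe against the service, which is exactly what the published tools do.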
I could be wrong, but I’m not sure it’s all totally golden advice.
Somebody correct me if I’m wrong.
> Make sure your computers, smartphones, and tablets are patched.
> …
> Get a new credit card.
Not of much use unless he can give me a list of what needs to be patched.
And ripping up credit cards might be an overreaction.
This is mostly a server side problem; it’s the people running websites that take credit card numbers that need to do the patching. And unless the bad guys have been recording petabytes of internet traffic or the NSA has been boosting their budget with credit card fraud, stuff you did over the net before the news broke is probably not that much at risk.
The banks generally are not affected, as they use their own special server software.
I could be wrong, but I suspect all I need to do is to get VPN patched as per JLowry’s instructions.
Other than that, stuff I should normally do anyways. Like keeping software updated, occasionally changing passwords, monitoring credit card accounts for suspicious activity.
I haven’t seen anybody else recommend ripping up all credit cards; there’s plenty of security exposure in having the bank mail you a new card. Should I get a new credit card every time I hand it to a gas station attendant?
Though I have been laying low (amazon purchases, logging into banks) till this sorts out.
JerryG
Hi, Jerry.
At first, I agreed with you. But then, I did more research. Here is what I found:
The Other Side of Heartbleed – Client Vulnerabilities
https://isc.sans.edu/forums/diary/The+Other+Side+of+Heartbleed+-+Client+Vulnerabilities/17945
Not just websites hit by OpenSSL’s Heartbleed – PCs, phones and more under threat
http://www.theregister.co.uk/2014/04/10/many_clientside_vulns_in_heartbleed_says_sans/
What clients are proven to be vulnerable to Heartbleed?
http://security.stackexchange.com/questions/55249/what-clients-are-proven-to-be-vulnerable-to-heartbleed
Reverse Heartbleed puts your PC and devices at risk of OpenSSL attack
http://www.pcworld.com/article/2142808/reverse-heartbleed-puts-your-pc-and-the-internet-of-things-at-risk.html
I know that any software that uses the affected versions of OpenSSL is potentially vulnerable (including any software on personal computing devices), but I was truly surprised by the number of articles that said “clients” – a.k.a. personal computing devices – were at risk. Of course, you can have software on your client device that is functioning as a server – to be considered a “server”, all it has to do is answer requests from other devices. As for which applications use OpenSSL, the list is potentially endless, since it is such a popular encryption platform, as well as being open source, so the price is right (free)… :)
There is no disagreement that you need to change passwords at websites that are affected, or were affected at some time in the past.
You have to wait until the website has fixed their vulnerability, then do a password change, to be safe.
However, determining which sites are (or were) vulnerable is tough. The only criteria for a website to be affected is if it uses (or used) the vulnerable versions of OpenSSL. I don’t see bank websites (or any other websites) having special immunity to that rule.
Normal stuff (Like keeping software updated, occasionally changing passwords, monitoring credit card accounts for suspicious activity) continues to be a good idea. I would monitor debit cards too!
Any device that has software in it (and that is a BIG list) that also uses the vulnerable versions of OpenSSL can potentially be vulnerable. One web article said your TV could be vulnerable. Geeze! That seems a little overboard to me. I like your idea of patching your VPN. Most people might overlook that. It might also be good idea to patch your wired or wireless router.
Regarding credit cards: I don’t know about other people, but I have used my credit card at way too many web sites, and I haven’t been good about using strong passwords at all those websites (my bad).
You are correct that a gas station attendant, or waiter, or anyone else you hand your credit card to, is also a possible source of fraud. No question.
But, I figured that, if there is any time to update your security, it would be now. And part of updating your security should be changing credit card numbers.
So, I tried to think of a method that would be relatively painless, but still get the job done. So, that is what I wrote about.
If anyone wants more security information, I have created some content on my own website (https://www.dbdr.com) on this very topic. My website is not security nirvana, but the price is right. :) There might be a few good ideas there too… The best website I know of for security information is http://isc.sans.org, but it is more technical, so I’m not sure a normal user would find much that is helpful there.
If anyone wants to discuss this, or any other security issue, I’m all ears.
I might even know something about the topic, or, then again, maybe not… :)
I’m always willing to learn something new.
Jeff Kayser
Database Doctor, Inc.
https://www.dbdr.com
jeff.kayser@dbdr.com