The interwebs have been abuzz with concern over the recently discovered “Heartbleed” vulnerability in certain versions of OpenSSL, and rightly so – some security researchers have gone so far to state that this bug is the worst that has ever hit the internet EVER. Documentation for sysadmins and techies regarding the technical details of the bug is readily available, so we are focusing our post today on the ramifications for the average Joe. If you are interested in the heady details, refer to http://heartbleed.com/.
Just because you are not a sysadmin responsible for identifying and patching affected servers, don’t for a minute think that you are out of the woods. Anybody who visits an affected website or other web service has the potential for communications with the site being leaked to an attacker who is hitting the same site. Take for instance the poor guy logging into his Yahoo! account in the screenshot below (credit arstechnica.com):
The attack is relatively simple – you fire off an excessively long (64 Kb) heartbeat message at an affected service, and the server happily responds with the usual 4 byte response and then spits out whatever happens to be adjacent in the next 64 Kb of memory. This could be login or credit card information that you happen to be passing back and forth with the server at the same time the attack is going on. Or, it could be administrative credentials or SSL keys that could facilitate persistent attacks on the server lasting long after the server is patched.
In the coming days, weeks, months (GASP!), the entire modern world will be dependent upon all of these web hosts to update their services in order to protect their users’ information. We will also be at their mercy to identify whether SSL certificates or other sensitive admin information has been compromised. Rest assured the certificate authorities will be flooded with reissue requests. Perhaps the scariest part of the bug is that the attack itself leaves no trace in the logs of an affected service. In order to detect an attack, specially designed honeypots or IPS rules must be employed and monitored – for the vast majority of affected services in the world, there will be a time period in which there is no way to tell if the bug was being exploited.
There are a few little things that we can all do as internet consumers to reduce our individual vulnerability footprint:
- Check the sites that you use yourself – several websites exist which allow you to enter a website address and it will test the site for the vulnerability and report back to you. If it is still vulnerable, then stay the heck off of it. Note that some of the responses can be a little buggy so it is wise to run several checks:
- Change your passwords – many popular sites including Yahoo and Flickr were, at least for a time, vulnerable. While they may be patched now, changing passwords on these sites would be prudent. Lists of popular affected websites abound. Some examples:
- Don’t re-use passwords – I know easier said than done, however password re-use exponentially increases the chances that one (or more) of your accounts will be compromised. If you fall into the “same username and password for EVERYTHING” category, it is a good idea to go ahead and change passwords for internet banking and other critical sites even if they were not affected. While you are at it, use a password manager like LastPass or KeyPass to generate random passwords and store them for you.