The Heartbleed Bug
14th April 2014
Yesterday was an interesting and busy day for those on both sides of the information security fence.
A critical vulnerability was publicly disclosed in the widely used library OpenSSL, which forms the core of many SSL/HTTPS provisions. If you want to read more information from the original source, Heartbleed is the place to start.

What is it?

Without getting too technical, the flaw allows a malicious and unauthorised third party to read protected data from the affected system's memory. Exactly which data is exposed is random, but there have been corroborated reports of clear-text passwords, private SSL keys and other sensitive data being recovered, any of which would negatively impact the security of your systems, users and clients.

How to determine if you're vulnerable?

The vulnerability affects any service utilising OpenSSL version 1.0.1 through to OpenSSL version 1.0.1f. If you (or your in-house sysadmin) can confirm that your SSL implementation isn't running any of the affected versions, you're safe from this particular weakness. Unfortunately, OpenSSL is widely used and embedded into many other appliances and application stacks. Since the notification yesterday, a number of websites have been released that let you enter your system name/IP address and have the site check for you. However, what a third party may do with the information once it has determined that your system is vulnerable is beyond your or our control. Clients who take regular security testing from Onyx Group will automatically have the checks run against their systems during their next scheduled assessments. If you would like to bring your assessment forward for this check, please contact your Account Manager or Security Support. If you're not already taking advantage of Onyx Group's vulnerability management services, fear not; we have a dedicated package covering just this issue to provide rapid peace of mind. Existing clients, just contact your account manager; new clients, please contact firstname.lastname@example.org or 0845 345 5758.

What to do if your systems are vulnerable?

Upgrade OpenSSL; a fix has already been developed and released. Depending on your operating system and configuration this may be as simple as issuing a single command, or more complex. If you would like additional assistance or advice, please contact us. It has also been suggested that you re-issue your SSL certificates on affected services, since private keys are among the data that may have leaked. Please contact your certificate provider for further information.

What to do if you've used a vulnerable system?

There have been reports of some systems, including the likes of Yahoo!, leaking user passwords as a result of the vulnerability. It is recommended that you change your password (and the password on any other system where it has been re-used, against best advice); however, this will only help AFTER the flaw in the affected system is fixed, as a password set on a still-vulnerable system can simply leak again. Where possible, upgrading your authentication to two-factor authentication (2FA) will remove this aspect of the risk. To remove a large class of potential attacks against your users and systems, why not contact Onyx Group to add 2FA protection to your environment?

To keep up to date with breaking IT news, follow OnyxGroupUK on Twitter or Onyx Group's tamed security geek Infosanity.
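A small local check for the "how to determine if you're vulnerable" and "upgrade OpenSSL" points above, written here as an added example; it is not part of the original post and not Onyx Group's tooling. It assumes the first line of `openssl version` looks like `OpenSSL 1.0.1e 11 Feb 2013`, extracts the version token, and classifies it against the 1.0.1 to 1.0.1f range the post names (1.0.1g being the fixed release). The sample strings at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: classify an OpenSSL version
# string against the affected range (1.0.1 through 1.0.1f, fixed in 1.0.1g).
# Prints one of: vulnerable, not-vulnerable, unknown.
heartbleed_version_status() {
    # $1 is the first line of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
    ver=${1#OpenSSL }       # drop the leading product name, if present
    ver=${ver%% *}          # keep only the version token
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*)
            echo vulnerable ;;          # 1.0.1 up to and including 1.0.1f
        1.0.1[g-z]|1.0.1[g-z]-*)
            echo not-vulnerable ;;      # 1.0.1g onwards carries the fix
        0.9.*|1.0.0*)
            echo not-vulnerable ;;      # older branches never shipped the heartbeat code
        *)
            echo unknown ;;             # LibreSSL, other branches, unparsable input
    esac
}

# Convenience wrapper: classify the OpenSSL binary on this host, if one is installed.
check_local_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        heartbleed_version_status "$(openssl version 2>/dev/null | head -n 1)"
    else
        echo unknown
    fi
}

# Constructed sample strings exercising each branch of the classifier.
for s in "OpenSSL 1.0.1e 11 Feb 2013" "OpenSSL 1.0.1g 7 Apr 2014" \
         "OpenSSL 1.0.0l 6 Jan 2014" "LibreSSL 2.0.0"; do
    printf '%-30s %s\n' "$s" "$(heartbleed_version_status "$s")"
done
```

One caveat when reading the result: several Linux distributions backported the fix into their existing 1.0.1e (or 1.0.1) packages without changing the upstream version string, so a "vulnerable" verdict from the string alone can be a false positive on a patched host. Treat it as a prompt to confirm against the distribution's package version and changelog (`openssl version -a` also shows the build date), and treat "unknown" as a prompt to check the product manually rather than as a clean bill of health.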