Friday, April 11, 2014

Heartbleedbreaker

   Well, I had no intention of talking about this topic!  But there is so much confusion and misinformation out there.  And the mainstream media is really having a field day.

   So I'm jumping in with some facts, a few opinions, and some action steps that you should be taking now.

   First we'll look at the consumer/user side of things.  Then the organization side.  Finally, I'll talk a bit more about what this is and what this isn't.

   If you use the Internet and enter any personal or financial information on any website, then you might be affected by this issue. To find out, follow these steps:

  1. Check with your providers - your bank, your shopping sites - to see if they have fixed the problem (or never had it in the first place).  You can check their website or blog for info.  Some providers are notifying customers (my bank did that).
  2. Test the site to see if it's affected.  There are a number of tools available including these:
  3. Once you know or verify that the site has been fixed, then you should change your password for that site.
   I've written about passwords in the past.  And I've also stated that I am a fan of LastPass.  Well, if LastPass wasn't already a great product, they now have a built-in Heartbleed test.  By running the security check on your passwords, LastPass will let you know which sites were or are susceptible, which have been fixed, and which ones are ready for password changing.  Read their article here.

   Next, if you have responsibility for security or servers at your organization, here's what you need to do:
  1. Inventory - you need to figure out where all your web servers are or how you are serving web content.  There are a number of aspects to consider:
    • web servers in your data center - this should be the easiest.  Microsoft IIS is typically not affected.
    • web servers not in your data center - check under people's desks!  This is also a great opportunity to figure out what "other" systems might be serving web content.
    • hosted/SaaS solutions - check with your cloud partners for their vulnerabilities - always a good idea!
    • other front ends - proxies, SSL accelerators, SSL VPNs, load balancers, jump stations
    • and don't forget about embedded devices with web administrative interfaces
  2. Figure out what's vulnerable - that's anything that uses OpenSSL 1.0.1 through 1.0.1f
  3. Fix it!
    • upgrade to 1.0.1g! (or recompile without the heartbeat option)
    • revoke your existing certs and keys
    • issue new certs and keys
  4. Tell people you fixed it! - your customers and users need to know when they can follow the consumer instructions above.
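   For step 2, here is an added example (my own, not from the post) of how I would turn the inventory into a list of what needs fixing: it classifies the first line of `openssl version` output from each host against the 1.0.1 through 1.0.1f range above, and also treats a build compiled with -DOPENSSL_NO_HEARTBEATS (visible in `openssl version -a`) as not affected, which is the "recompile without the heartbeat option" route. Host names and version strings below are constructed samples.

```python
import re

# Range the post gives as affected: OpenSSL 1.0.1 up to and including 1.0.1f.
VULN_BRANCH = (1, 0, 1)
FIRST_FIXED_LETTER = "g"

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def classify_openssl(version_line, build_flags=""):
    """Return 'vulnerable', 'not_vulnerable' or 'unknown' for the first line
    of `openssl version`. build_flags is the compiler line from
    `openssl version -a`, used to spot -DOPENSSL_NO_HEARTBEATS builds."""
    m = _VERSION_RE.search(version_line)
    if not m:
        return "unknown"                  # not OpenSSL, or banner not recognised
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)
    if branch != VULN_BRANCH:
        return "not_vulnerable"           # 0.9.8 / 1.0.0 never shipped heartbeats
    if "OPENSSL_NO_HEARTBEATS" in build_flags:
        return "not_vulnerable"           # heartbeat extension compiled out
    if letter < FIRST_FIXED_LETTER:       # "" (plain 1.0.1) and a..f are affected
        return "vulnerable"
    return "not_vulnerable"


def inventory_report(hosts):
    """hosts: {name: (version_line, build_flags)} -> {name: status}.
    Caveat: distro vendors often backport the fix without changing the
    version string, so confirm a 'vulnerable' verdict against the vendor's
    package changelog before rotating certs in step 3."""
    return {name: classify_openssl(v, f) for name, (v, f) in hosts.items()}


# Constructed sample inventory (not captured from real systems).
SAMPLE_HOSTS = {
    "shop-web-01": ("OpenSSL 1.0.1e 11 Feb 2013", "compiler: gcc -DOPENSSL_THREADS"),
    "shop-web-02": ("OpenSSL 1.0.1g 7 Apr 2014", "compiler: gcc -DOPENSSL_THREADS"),
    "legacy-lb":   ("OpenSSL 0.9.8y 5 Feb 2013", ""),
    "vpn-gw":      ("OpenSSL 1.0.1c 10 May 2012", "compiler: gcc -DOPENSSL_NO_HEARTBEATS"),
    "printer-adm": ("Server: lighttpd/1.4.28", ""),
}

if __name__ == "__main__":
    for host, status in inventory_report(SAMPLE_HOSTS).items():
        print(f"{host:12} {status}")
```

Anything reported as "unknown" (embedded devices, appliances) goes back on the inventory list for a vendor check rather than being assumed safe.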
   Finally, here's a bit more info on the exploit.  As we all know, this is a "feature" of OpenSSL, the open source transport security product that powers many e-commerce websites.  Mainstream media has said that 80% of the Internet's websites are affected.  However, Internet discovery site Netcraft shows that only 17% of the world's sites even use OpenSSL at all!  So that is the highest percentage of sites that could be affected.  That is still a huge number of sites.  So we must not take this lightly.  But we also shouldn't blow it out of proportion.

   Hopefully you are taking care of both your personal accounts and your company's sites.

   And... for you xkcd fans out there:
