April 11, 2014 SSL, THREATS & ATTACKS, VPN, VULNERABILITIES

The Heartbleed Vulnerability

What is the Heartbleed Bug?  And why is this recently discovered software flaw triggering so many alarm bells?

Let me begin by explaining that the Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

What type of devices, aside from web servers, are affected by Heartbleed, you ask?

First of all, OpenSSL is used in many other places, not just web servers. SSL VPN for example, uses it.  Encrypted FTP might use it as well.  Any time you have a server application that uses encryption, OpenSSL is likely to be involved. So it isn’t so much as what type of devices, but rather, what types of applications. This is a server side vulnerability, which will affect any server application using encryption, including proprietary applications.

Next, the issue of updating – how likely are they to be updated? My answer is short and sweet, they_had_better_be. This vulnerability is serious and not yet fully exploited. I wouldn’t be surprised to see various exploits pop up in the next days.

Which begs the obvious next question – which of those are most critical?  To this, I’d ask “why are you encrypting?”

If it isn’t critical, it’s more than likely that you won’t even spend time setting up encryption, certificates and all it takes to ensure you’re protecting whatever it is that you’re protecting –a connection between  a server and client, for an application that requires privacy. So, all are critical, period. Otherwise, you wouldn’t be encrypting.

This is one of those vulnerabilities wherein it_is_absolutely fundamental to update, patch and ensure your IPS has proper protection, for itself and for you.

In fact, don’t underestimate the importance of your firewall, VPN device and IPS being updated by your vendor as well. If you patch your server and your VPN concentrator isn’t updated, you remain vulnerable. And in a place where you might not even have thought to look. So don’t just look at your servers; look also at all your vendors and ask them what they’re doing to address this.

And why this is of such importance is that free vulnerability tools are being offered to help users determine whether they have the problem or not.  It’s imperative that anyone using encryption, patches their systems.  Understand this though, even if your internet protection layers have been updated and the IPS has signatures, not all possible exploits are known yet and there’s always a chance that something will slip through your gateway protection.

So, do not delay or hesitate or wait because I’m positive hackers won’t!