Heartbleed, the vulnerability that results from a coding error (a missing bounds check in the TLS heartbeat extension) in the widely used OpenSSL encryption library, has been hogging all the headlines over the past few days, and rightly so: it represents a huge risk to information security for consumers and businesses alike.
Given the majority of the coverage, you could be forgiven for believing that as long as you waited for affected websites to update and then changed your passwords, you would be covered. Wrong. Heartbleed is more death by a thousand cuts than major cardiovascular event. It is certainly true that by far the most widespread immediate risk, at least in terms of the number of potentially affected individuals, is the exposure of sensitive information by vulnerable web servers: information that can include private keys, passwords and session cookies. But even once this initial wave of patching is done, the residual risk will be enormous.
OpenSSL is not restricted to web servers. It is also used by email, chat and secure Virtual Private Network services, and it can be found in a plethora of networking and security products around the world; this is where the long-haul work begins. Many vendors have already started auditing their products and services for vulnerable versions of OpenSSL, and the list of confirmed affected products continues to grow. This promises to be open season for targeted attackers.
When a targeted attack is carried out against a corporate victim it can be broken down into a number of logical steps: intelligence gathering, point of entry, establishing command and control, lateral movement and exfiltration. It is during the lateral movement phase that the Heartbleed bug offers a highly effective and well-placed new weapon in the attacker's arsenal. As the attacker begins to explore a compromised network they will now routinely probe for the presence of the Heartbleed vulnerability on both servers and clients (a vulnerable client leaks memory to any malicious server it connects to, just as a vulnerable server leaks to any client). If the bug is present it offers a silent and effective means to capture the credentials that will allow the attacker a route further into the compromised organisation, and possibly even open doors which were previously closed.
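The probe described above, as an added example that is not part of the original post and not OpenSSL's own code: the heartbeat handler is modelled twice, once with the unpatched logic (trust the peer-supplied payload length and copy that many bytes) and once with the 1.0.1g check (drop the request unless header, claimed payload and minimum padding fit inside the received record). Process memory is a constructed bytearray in which the heartbeat record sits next to a made-up session cookie; the "server" is a local function rather than a network peer, and the probe's decision rule (send a short payload, claim a long one, see whether anything comes back) is what a real scanner does over TLS.

```python
"""Simulated TLS heartbeat handling: the Heartbleed overread and its fix."""
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: a heartbeat message carries at least 16 bytes of padding


def build_heartbeat_request(payload, claimed_length):
    """Heartbeat record: type (1 byte), payload_length (2 bytes), payload, padding.
    An honest peer passes claimed_length == len(payload); a probe claims more."""
    return (struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length)
            + payload + b"\x00" * MIN_PADDING)


def handle_vulnerable(memory, rec_off, rec_len):
    """Unpatched behaviour: the claimed length is never checked against the
    record actually received, so the copy runs past the record into whatever
    happens to lie after it in process memory."""
    msg_type, claimed = struct.unpack_from("!BH", memory, rec_off)
    if msg_type != HEARTBEAT_REQUEST:
        return None
    payload_start = rec_off + 3
    payload = bytes(memory[payload_start:payload_start + claimed])  # overread
    return (struct.pack("!BH", HEARTBEAT_RESPONSE, claimed)
            + payload + b"\x00" * MIN_PADDING)


def handle_patched(memory, rec_off, rec_len):
    """Fixed behaviour: silently discard any request whose claimed payload
    (plus header and minimum padding) does not fit in the received record."""
    if rec_len < 1 + 2 + MIN_PADDING:
        return None
    msg_type, claimed = struct.unpack_from("!BH", memory, rec_off)
    if msg_type != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + claimed + MIN_PADDING > rec_len:
        return None
    payload_start = rec_off + 3
    payload = bytes(memory[payload_start:payload_start + claimed])
    return (struct.pack("!BH", HEARTBEAT_RESPONSE, claimed)
            + payload + b"\x00" * MIN_PADDING)


def make_memory(request, neighbour):
    """Constructed process memory: filler, the heartbeat record, then
    'neighbour' bytes (standing in for another connection's data)."""
    prefix = b"\x00" * 32
    mem = bytearray(prefix + request + neighbour + b"\x00" * 64)
    return mem, len(prefix), len(request)


# Constructed neighbour data; in a real process this could be anything recently
# freed or still live on the heap, which is exactly why the bug leaks credentials.
NEIGHBOUR = b"Cookie: session=deadbeefcafef00d; "


def probe(handler, neighbour=NEIGHBOUR):
    """Send a 1-byte payload while claiming 64 bytes. Returns (verdict, leaked):
    a vulnerable peer answers with 64 bytes of payload, a fixed one stays silent."""
    request = build_heartbeat_request(b"A", 64)
    mem, off, ln = make_memory(request, neighbour)
    resp = handler(mem, off, ln)
    if resp is None:
        return "not vulnerable", b""
    _, length = struct.unpack_from("!BH", resp, 0)
    leaked = resp[3:3 + length][1:]  # everything beyond the single byte we sent
    return ("vulnerable" if length > 1 else "not vulnerable"), leaked


def honest_roundtrip(handler):
    """A well-formed heartbeat still works after the fix (keepalive is unaffected)."""
    request = build_heartbeat_request(b"hello", 5)
    mem, off, ln = make_memory(request, NEIGHBOUR)
    resp = handler(mem, off, ln)
    return None if resp is None else resp[3:3 + 5]


if __name__ == "__main__":
    for name, handler in (("unpatched", handle_vulnerable), ("patched", handle_patched)):
        verdict, leaked = probe(handler)
        print(f"{name}: {verdict}; leaked {len(leaked)} bytes: {leaked!r}")
```

Two things worth noting from the patched handler: the fix discards the request rather than answering with an error, so a scanner distinguishes vulnerable from fixed by whether a response arrives at all; and the check must cover the minimum padding as well as the claimed payload, otherwise a request with a short payload but padding shorter than 16 bytes would still read past the record.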
Imagine if the software distribution mechanism that pushes update packages out across your organisation were compromised; just ask a well-known electronics store how that can work out. Imagine if an attacker could harvest credentials from every employee as they logged in to the database holding your corporate crown jewels.
Of course the manufacturers and vendors are burning the midnight oil right now, identifying susceptible products and preparing patches, but it is important to remember that issuing a patch does not resolve the problem. It is the application of the patch that counts, and even then a patch only stops further leakage: keys, certificates and credentials that may already have been exposed still need to be revoked, reissued or rotated. Now is the time to take an inventory from every supplier you deal with, identify your exposure, and work out your downtime and patch planning. Until those critical patches are installed, passwords are a dime a dozen at the all-you-can-eat OpenSSL bar.
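A first pass at the inventory step, as an added example (mine, not the post's): it parses the version banners you would collect from hosts and appliances and classifies them against the upstream OpenSSL advisory of 7 April 2014 (1.0.1 through 1.0.1f and 1.0.2-beta1 affected; 1.0.1g, 1.0.2-beta2 and the 1.0.0 and 0.9.8 branches not). The inventory lines, host names and the `host,service,banner` layout are constructed for the example. The caveat it encodes is the one that bites in practice: Linux distributions backport the fix without bumping the upstream version letter, so a banner that reads "1.0.1e" is a lead, not a verdict, and needs confirming against the vendor's package advisory or a live probe.

```python
"""Classify OpenSSL version banners against the Heartbleed advisory."""
import re

# Matches "OpenSSL 1.0.1e", "OpenSSL 1.0.1e-fips", "OpenSSL 1.0.2-beta1", ...
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

# Any of these markers means a vendor build; the upstream letter alone cannot
# tell you whether the fix was backported.
DISTRO_MARKERS = ("-fips", "deb", "el6", "el5", "ubuntu", "suse", "+")


def classify(banner):
    """Return (status, note) for one version banner.
    status is one of: vulnerable, fixed, not affected, verify, unknown."""
    m = VERSION_RE.search(banner)
    if not m:
        return "unknown", "no OpenSSL version string found"
    major, minor, fix, letter, beta = m.groups()
    version = (int(major), int(minor), int(fix))
    vendor_build = any(marker in banner for marker in DISTRO_MARKERS)

    if version < (1, 0, 1):
        return "not affected", "1.0.0 and 0.9.8 branches never had the heartbeat code"
    if version == (1, 0, 1):
        if beta:
            return "verify", "1.0.1 pre-release build; check with vendor"
        if letter <= "f":
            if vendor_build:
                return "verify", "upstream letter is vulnerable but fix may be backported"
            return "vulnerable", "1.0.1 through 1.0.1f are affected"
        return "fixed", "1.0.1g and later carry the bounds check"
    if version == (1, 0, 2):
        if beta == "1":
            return "vulnerable", "1.0.2-beta1 is affected"
        return "fixed", "1.0.2-beta2 and later carry the bounds check"
    return "unknown", "version outside the advisory's scope"


def inventory(lines):
    """Parse constructed 'host,service,banner' lines into {host: (service, status, note)}.
    Malformed lines are recorded as unknown rather than dropped, so nothing
    silently falls out of the exposure list."""
    result = {}
    for raw in lines:
        parts = raw.strip().split(",", 2)
        if len(parts) != 3:
            result[raw.strip()] = ("?", "unknown", "malformed inventory line")
            continue
        host, service, banner = parts
        status, note = classify(banner)
        result[host] = (service, status, note)
    return result


def needs_action(inv):
    """Hosts that must be patched or manually confirmed, worst first."""
    order = {"vulnerable": 0, "verify": 1, "unknown": 2}
    hits = [(h, s) for h, (_, s, _) in inv.items() if s in order]
    return [h for h, _ in sorted(hits, key=lambda x: (order[x[1]], x[0]))]


# Constructed sample inventory for the example (hosts and banners are made up).
SAMPLE = [
    "web01,https,OpenSSL 1.0.1e 11 Feb 2013",
    "vpn01,sslvpn,OpenSSL 1.0.1f 6 Jan 2014",
    "mail01,imaps,OpenSSL 1.0.1g 7 Apr 2014",
    "lb01,https,OpenSSL 1.0.0l 6 Jan 2014",
    "legacy01,smtps,OpenSSL 0.9.8y 5 Feb 2013",
    "build01,https,OpenSSL 1.0.2-beta1 24 Feb 2014",
    "app01,https,OpenSSL 1.0.1e-fips 11 Feb 2013",
    "cam01,https,lighttpd/1.4.33",
]

if __name__ == "__main__":
    inv = inventory(SAMPLE)
    for host, (service, status, note) in inv.items():
        print(f"{host:10} {service:8} {status:13} {note}")
    print("action list:", needs_action(inv))
```

The `verify` bucket is deliberately separate from `vulnerable`: collapsing the two either floods the patch plan with false positives (vendor builds already fixed) or, worse, lets a vulnerable appliance hide behind a reassuring-looking banner. Where you can, settle `verify` entries with a live heartbeat probe rather than by reading version strings.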