Don’t ignore this warning: Heartbleed Vulnerability in OpenSSL
This year portends to be one of vulnerability. To be sure that you are on top of this, keep visiting http://cve.mitre.org/ and www.securityfocus.com. These sites provide reports about publicly known information on security vulnerabilities and exposures. The Heartbleed vulnerability was discovered on 7th April 2014.
I have found www.securityfocus.com and must use resources during my over 6 years of computer security, fraud examination and forensics. You will surely find something new, in an easy to follow format.
Today, I received several warnings from my five different service providers. The one from GeoTrust stood out. And below is the warning in full. If you use any of their services, please take action NOW.
GeoTrust is aware of the vulnerability, dubbed “Heartbleed”, which is a security concern for users of OpenSSL, a widely-used opensource cryptographic software library. It can allow attackers to read the memory of the systems using vulnerable versions of OpenSSL library (1.0.1 through 1.0.1f). This may disclose the secret keys of vulnerable servers, which allows attackers to decrypt and eavesdrop on SSL encrypted communications and impersonate service providers. In addition, other data in memory may be disclosed, which conceivably could include usernames and passwords of users or other data stored in server memory.
To be clear, this is a vulnerability of the OpenSSL library, and not a flaw with SSL/TLS nor certificates issued by GeoTrust. At no time were GeoTrust’s SSL or Code-Signing roots and intermediates at risk, nor was there ever an issue with GeoTrust certificates.Steps to Success:
Identify if your web servers are vulnerable (running OpenSSL versions 1.0.1 through 1.0.1f with heartbeat extension enabled). Use our SSL Toolbox to detect this. If you’re running a version of OpenSSL prior to 1.0.1, no further action is required.
If your server is impacted, update to the latest patched version of OpenSSL (1.0.1g), or recompile OpenSSL without the heartbeat extension.
Generate a new Certificate Signing Request (CSR).
Reissue any SSL certificates for affected web servers using the new CSR (do this after moving to a patched version of OpenSSL).
Install the new SSL certificate and test your installation.
After the new certificate is successfully installed, revoke any certificates that were replaced.
Website administrators should also consider resetting end-user passwords that may have been visible in a compromised server memory.
Always refer back to the Knowledge Base for more information.
If you have additional questions, please contact your SSL Reseller for further support and more information.
If you don’t know yet about the Heartbleed vulnerability, click here.
If you use-online services like on-line banking, paid membership or subscription and other sites that use the OpenSSL, go change your passwords now.
The bug was discovered by Neel Mehta of Google Security. Below is a summary of the vulnerability:
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.
Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.
If you use dual authentication, it is unlikely that you are exposed to this vulnerability, as the hacker will need the unique code that is sent to your mobile phone after a successful login via unregistered computer or device. That is why it is important to use services of dual authentication especially for cloud email services, on-line banking and similar high-value online resources.
Click on the following links to find more resources about the vulnerability.
http://heartbleed.com/. This site contains all information you need to know about the vulnerability. It is critical resource and you must read it all.
Copyright Mustapha B Mugisa, 2014. All rights reserved.