Tuesday, April 15, 2014

8 Tips For Dealing With Heartbleed Right Now

This has been a fun two weeks. We have not had a significant cyber event like this, an event that affects just about everybody on the Internet, since the Kaminsky DNS vulnerability of 2008. [1] Everybody I know has been scrambling to understand what it means to their organization, to their business and to their immediate family. Yes, I said family. I am sure I am not the only one who has answered a question or two from their mother-in-law about how the Internet is melting down based on what she’s been reading in the press. I am not going to explain how the vulnerability might make a hacker’s day. If you need that, here are two posts that do that quite well: one by Scott Simpkin at Palo Alto Networks [2] and another by Dan Goodin over at Ars Technica [3]. What I want to do is talk about the Top Eight things I am doing right now to protect Palo Alto Networks and my home (and mother-in-law).

#1: Don’t Panic: Yes, this is a serious issue, and it has been available for exploitation for over two years. But the chances that hackers have successfully exploited you or your organization are pretty small. Check your trap lines for sure, but let’s get on with the business of cleaning up on aisle nine.

#2: Monitor Palo Alto Networks IPS Vulnerability Signature IDs 36416, 36417, 36418 and 40039: For Palo Alto Networks customers, monitor IPS vulnerability signature IDs 36416, 36417, 36418 and 40039 for signs of activity. We released those signatures on April 9 and April 10, and they can automatically detect and block attempted exploitation of the vulnerability. If you’re a Palo Alto Networks customer with an up-to-date subscription, you’re covered. [4]
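The kind of check an IPS signature performs for this bug, as an added example that is not the Palo Alto Networks signature logic or any code from the original post: it parses plaintext TLS records from a captured byte stream, and flags heartbeat requests that claim more payload than the record actually carries, as well as heartbeat responses larger than a sane size (the `MAX_SANE_RESPONSE` threshold and all sample records are constructed assumptions).

```python
import struct

TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MAX_SANE_RESPONSE = 64        # assumption: a response payload beyond this is a likely leak


def parse_tls_records(data):
    """Yield (content_type, version, body) for each TLS record in a byte stream."""
    offset = 0
    while offset + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[offset:offset + 5])
        body = data[offset + 5:offset + 5 + length]
        yield ctype, version, body
        offset += 5 + length


def inspect_heartbeat(body):
    """Return alert strings for one plaintext heartbeat record body."""
    if len(body) < 3:
        return ["truncated heartbeat record"]
    hb_type, claimed = struct.unpack("!BH", body[:3])
    present = len(body) - 3   # payload plus padding actually carried by the record
    alerts = []
    if hb_type == HB_REQUEST and claimed > present:
        alerts.append(f"heartbeat request claims {claimed} bytes but carries {present}")
    if hb_type == HB_RESPONSE and claimed > MAX_SANE_RESPONSE:
        alerts.append(f"oversized heartbeat response ({claimed} bytes)")
    return alerts


def scan(data):
    """Run the heartbeat checks over every record in the stream."""
    alerts = []
    for ctype, _version, body in parse_tls_records(data):
        if ctype == TLS_HEARTBEAT:
            alerts.extend(inspect_heartbeat(body))
    return alerts


# Constructed sample records (TLS 1.1 version bytes 0x0302):
# a well-formed request with 16 payload bytes and 16 padding bytes ...
BENIGN_REQUEST = b"\x18\x03\x02\x00\x23" + bytes([HB_REQUEST]) + b"\x00\x10" + b"A" * 16 + b"\x00" * 16
# ... a request whose length field is far larger than the 0 payload bytes it carries ...
MALFORMED_REQUEST = b"\x18\x03\x02\x00\x03" + bytes([HB_REQUEST]) + struct.pack("!H", 16384)
# ... and a response that echoes back 16 KiB, far more than any legitimate keep-alive needs.
LEAKY_RESPONSE = (b"\x18\x03\x02" + struct.pack("!H", 3 + 16384 + 16)
                  + bytes([HB_RESPONSE]) + struct.pack("!H", 16384) + b"X" * 16384 + b"\x00" * 16)
```

Only heartbeats sent before the handshake finishes are visible like this; once records are encrypted, an inline device can still alert on the response size alone.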

#3: Identify and Patch Your Affected Systems: I know that this sounds obvious, but don’t assume you know. Run your local scanners across your network to discover any OpenSSL instances that might have popped up without your knowledge. I know that both Tripwire and Qualys say their tools find the vulnerability. I am sure most commercial scanners also do at this point. Use them.

#4: Ping your cloud application providers to see where they are in the cleanup process: Salesforce.com has already announced that their systems are unaffected by this vulnerability. But you are probably using a handful of other cloud providers for other tasks like HR, Payroll, ERP, etc. Make sure you know who they are and ensure they are cleaning up the same way that you are. If you are curious, Brian Krebs recommends using Filippo Valsorda’s site -- http://filippo.io/Heartbleed/ -- to check for vulnerable systems. [5] You can also use these two locations:

LastPass: https://lastpass.com/heartbleed/
Qualys: https://www.ssllabs.com/ssltest/

#5: New Keys: For all affected systems, acquire new key certificates, revoke your old ones and install the new ones. Because of the way the vulnerability works, hackers who have compromised your servers with this Heartbleed weakness may have stolen your private keys. Even after you patch your systems, these guys would still have your private keys. Get a new set of keys.

#6: Inform Your Customers if You Found Vulnerable Systems: This is key. Your customers should already be asking you if you have been affected (see #3), but there will be some that do not. As a matter of trust, you should be very public about your cleanup efforts. Do not shy away from this. Since this vulnerability is widespread, you will not be alone in your efforts, and maybe you can help some other organization that is not as clear thinking as you are about how to do this cleanup.

#7: Change Passwords: Once you have patched your systems, changed your keys, ensured that your cloud providers also accomplished those tasks, then it is time to change the passwords for all users on those systems. Do not do this until everything else is done though because if you do, hackers who are hanging out on systems that have not been patched or systems where the keys have not been changed can still read your new password. It does not make sense to change your password until the other tasks are done.

#8: Beware of the Inevitable Phishing Campaign: Soon you will start to see phishing email messages telling you that you must immediately change your password in order to protect yourself from the Heartbleed vulnerability. They will most likely have a link embedded in the message pointing you to a site that looks very much like your ERP, HR or payroll site, but in fact it will be a site cleverly designed to collect your credentials. Don’t do that.

In the long run, consider installing Perfect Forward Secrecy (PFS), as Twitter did last year [6], so that a session key can no longer be recovered from a stolen private key and captured traffic: a session recorded today cannot be decrypted in the future with a key that is stolen later. PFS solves the very problem that we are changing our keys now to prevent.
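What turning on PFS looks like on the server side, as an added example that is not from the original post or from Twitter’s deployment: it builds a Python `ssl` context restricted to ephemeral (EC)DH cipher suites and audits any context for suites that still use RSA key transport, where a stolen private key would unlock recorded sessions. The `PFS_CIPHER_POLICY` string is an assumed policy, not a vendor recommendation.

```python
import ssl

# Assumed policy: only ephemeral ECDHE/DHE key exchange, AEAD ciphers, no anonymous or null suites.
PFS_CIPHER_POLICY = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!MD5"


def provides_forward_secrecy(cipher):
    """Decide from one SSLContext.get_ciphers() entry whether the suite uses ephemeral key exchange."""
    if cipher["protocol"] == "TLSv1.3":
        return True                      # every TLS 1.3 suite negotiates an ephemeral (EC)DHE key
    # OpenSSL names: ECDHE-*/DHE-* are ephemeral; bare AES128-SHA etc. use RSA key transport.
    return cipher["name"].startswith(("ECDHE-", "DHE-"))


def audit_context(ctx):
    """Return the names of enabled suites that would expose past sessions if the RSA key leaked."""
    return [c["name"] for c in ctx.get_ciphers() if not provides_forward_secrecy(c)]


def pfs_only_context():
    """Server context a Heartbleed cleanup would deploy alongside the new keys."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(PFS_CIPHER_POLICY)
    return ctx


def permissive_context():
    """The weak setting many 2014-era servers ran: everything OpenSSL offers except anonymous suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL:!aNULL")
    return ctx


if __name__ == "__main__":
    print("non-PFS suites in permissive config:", audit_context(permissive_context()))
    print("non-PFS suites in hardened config:", audit_context(pfs_only_context()))
```

On the permissive context the audit typically lists the RSA-key-transport suites (for example `AES128-GCM-SHA256`), and on the hardened one it returns an empty list.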


I published a version of this essay on the Palo Alto Networks research blog but I thought I would post it here also to reach the widest audience possible. [7]


[1] “Understanding Kaminsky's DNS Bug,” by Cory Wright, Linux Journal, 25 July 2008, last visited 11 April 2014.

[2] “Real-world Impact of Heartbleed (CVE-2014-0160): The Web is Just the Start,” by Scott Simpkin, Palo Alto Networks Research Blog, 10 April 2014, last visited 11 April 2014.

[3] “Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping: Exploits allow attackers to obtain private keys used to decrypt sensitive data,” by Dan Goodin, Ars Technica, 7 April 2014, last visited 11 April 2014.

[4] “Palo Alto Networks Addresses Heartbleed Vulnerability (CVE-2014-0160),” by Scott Simpkin, Palo Alto Networks, 9 April 2014, last visited 11 April 2014.

[5] “‘Heartbleed’ Bug Exposes Passwords, Web Site Encryption Keys,” by Brian Krebs, Krebs on Security, 8 April 2014, last visited 11 April 2014.

[6] “Explaining perfect forward secrecy,” by Richard Mortier, Phys.Org / The Conversation, 2 December 2013, last visited 11 April 2014.

[7] “8 Tips For Dealing With Heartbleed Right Now,” by Rick Howard, Palo Alto Networks Research Blog, 12 April 2014, last visited 15 April 2014.
