Skip to main content

8 Tips For Dealing With Heartbleed Right Now

This has been a fun two weeks. We have not had a significant cyber event like this, an event that affects just about everybody on the Internet, since the Kaminsky DNS vulnerability of 2008. [1] Everybody I know has been scrambling to understand what it means to their organization, to their business and to their immediate family. Yes, I said family. I am sure I am not the only one who has answered a question or two from their mother-in-law about how the Internet is melting down based on what she’s been reading in the press.. I am not going to explain how the vulnerability might make a hacker’s day. If you need that, here are two posts that do that quite well: one by Scott Simpkin at Palo Alto Networks [2] and another by Dan Gooden over at ars technica [3]. What I want to do is talk about the Top Eight things I am doing right now to protect Palo Alto Networks and my home (and mother-in-law).

#1: Don’t Panic: Yes, this is a serious issue and it that has been available for exploitation for over two years. But the chances that hackers have successfully exploited you or your organization are pretty small. Check your trap lines for sure but let’s get on with the business of cleaning up on isle nine.

#2: Monitor Palo Alto Networks IPS vulnerability Signature ID 36416, 36417, 36418, 40039: For Palo Alto Networks customers, monitor IPS vulnerability signature ID 36416, 36417, 36418, 40039 for signs of activity. We released those signatures on April 9 and April 10 and they can automatically detect and block attempted exploitation of the vulnerability. If you’re a Palo Alto Networks customer with an up-to-date subscription, you’re covered.[4]

#3: Identify and Patch Your Affected Systems: I know that this sounds obvious but don’t assume you know. Run your local scanners across your network to discover any Open SSL instances that might have popped up without your knowledge. I know that both Tripwire and Qualys say their tools find the vulnerability. I am sure most commercial scanners also do at this point. Use them.

#4: Ping your cloud application providers to see where they are in the cleanup process: has already announced that their systems are unaffected by this vulnerability. But you are probably using a handful of other cloud providers for other tasks like HR, Payroll, ERP, etc. Make sure you know who they are and ensure they are cleaning up the same way that you are. If you are curious, Brian Krebs recommends using Filippo Valsorda’s site -- -- to check for vulnerable systems. [5] You can also use these two locations:


#5: New Keys: For all affected systems, acquire new key certificates, revoke your old ones and install the new ones. Because of the way the vulnerability works, hackers who have compromised your servers with this Heartbleed weakness may have stolen your private keys. Even after you patch your systems, these guys would still have your private keys. Get a new set of keys.

#6: Inform Your Customers if you Found Vulnerable Systems: This is key. Your customers should already be asking you if you have been affected (See #3), but there will be some that do not. As a matter of trust, you should be very public about your cleanup efforts. Do not shy away form this. Since this vulnerability is widespread, you will not be alone in your efforts and maybe you can help some other organization who is not as clear thinking as you are about how to do this cleanup.

#7: Change Passwords: Once you have patched your systems, changed your keys, ensured that your cloud providers also accomplished those tasks, then it is time to change the passwords for all users on those systems. Do not do this until everything else is done though because if you do, hackers who are hanging out on systems that have not been patched or systems where the keys have not been changed can still read your new password. It does not make sense to change your password until the other tasks are done.

#8: Beware of the inevitable phishing campaign: Soon you will start to see phishing email messages telling you that you must immediately change your password in order to protect yourself from the Heartbleed vulnerability. They will most likely have a link embedded in the message pointing you to a sight that looks very much like your ERP, HR or payroll site, but in fact, it will be a site cleverly designed to collect your credentials. Don’t do that. 

In the long, consider Installing Perfect Forwarding Secrecy (PFS), as Twitter did last year [6], in order to ensure that a session key derived from a stolen private key and a collected public key in the future will not be compromised. PFS solves the very problem that we are changing our keys now to prevent.


I published a version of this essay on the Palo Alto Networks research blog but I thought I would post it here also to reach the widest audience possible. [7]


[1] “Understanding Kaminsky's DNS Bug,” By Cory Wright, Linux Journal, 25 July 2008, Last Visited 11 April 2014,

[2] “Real-world Impact of Heartbleed (CVE-2014-0160): The Web is Just the Start,” by Scott Simpkin, Palo Alto Networks Research Blog, 10 April 2014, Last Visited 11 April 2014

[3] “Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping: Exploits allow attackers to obtain private keys used to decrypt sensitive data.” by Dan Goodin, arstechnica, 7 April 2014, Last Visited 11 April 2014.

[4] “Palo Alto Networks Addresses Heartbleed Vulnerability (CVE-2014-0160),” by Scott Simpkin, Palo Alto Networks, 9 April 2014, Last Visited 11 April 2014,

[5] “‘Heartbleed’ Bug Exposes Passwords, Web Site Encryption Keys,” by Brian Krebs, Krebs on Security, 8 April 2014, Last Visited 11 April 2014,

[6] “Explaining perfect forward secrecy,” by Richard Mortier, Phys.Org, The Conversation, 2 Dec 2013, Last Visited 11 April 2014,

[7] “8 Tips For Dealing With Heartbleed Right Now,” by Rick Howard, Palo Alto Networks Research Blog, 12 April 2014, Last Visited 15 April 2014,


Popular posts from this blog

Books You Should Have Read By Now

When I started Terebrate back in January 2010, I always intended it to be a place to put my book reviews on whatever I was reading. Since then, a lot has happened in my professional life. I changed jobs, twice. I presented my collection of cybersecurity book reviews at the annual RSA Conference and suggested that the cybersecurity community ought to have a list of books that we all should have read by now. My current employer, Palo Alto Networks, liked the idea so much that they decided to sponsor it. We ended up creating the the Rock and Roll Hall of Fame for cybersecurity books. We formed a committee of cybersecurity experts from journalists, CISOs, researchers and marketing people who were all passionate about reading. My collection became the the candidate list and for the past two years, the committee, with the help of community voting, has selected books from the candidate list to be inducted into something we are calling the Cybersecurity Canon. It has been very exciting.

This i…

Book Review: Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground by Kevin Poulsen (2011)

Executive Summary
Kingpin tells the story of the rise and fall of a hacker legend: Max Butler. Butler is most famous for his epic, hostile hacking takeover in August 2006 of four of the criminal underground’s prominent credit card forums. He is also tangentially associated with the TJX data breach of 2007. His downfall resulted from the famous FBI sting called Operation Firewall where agent Keith Mularski was able to infiltrate one of the four forums Butler had hacked: DarkMarket. But Butler’s transition from pure white-hat hacker into something gray—sometimes a white hat, sometimes a black hat—is a treatise on the cyber criminal world. The author of Kingpin, Kevin Poulsen, imbues the story with lush descriptions of how Butler hacked his way around the Internet and pulls the curtain back on how the cyber criminal world functions. In much the same way that Cuckoo's Egg reads like a spy novel, Kingpin reads like a crime novel. Cyber security professionals might know the highlights of…

Book Review: “We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous and the Global Cyber Insurgency (2012)” by Parmy Olson

Executive Summary: 

This book is a must read for all cyber security professionals. It does not cover the entire Anonymous movement, but by focusing on the evolution of the Anonymous Franchise and the rise and fall of the LulzSec hacking group, Ms. Olson captures the essence of the hacktivist culture and what motivates its supporters. If you seek to understand the Hacktivist movement, this book is a primer.


The Anonymous Franchise really hit its stride between the years of 2010 and 2011. Hacktivism began earlier than that of course (1994 was the first documented case that I could find [12]), but it did not strike fear into the hearts of CEOs, CSOs and government officials until that two year run. It was the perfect storm of technology, disenfranchised youngish people, “Internet Pranks as an Art Form,” empowerment and the hacking culture that came together into a gigantic hairball of activity and energy that caused governments from around the world to double-clutch on some of th…