Skip to main content

8 Tips For Dealing With Heartbleed Right Now

This has been a fun two weeks. We have not had a significant cyber event like this, an event that affects just about everybody on the Internet, since the Kaminsky DNS vulnerability of 2008. [1] Everybody I know has been scrambling to understand what it means to their organization, to their business and to their immediate family. Yes, I said family. I am sure I am not the only one who has answered a question or two from their mother-in-law about how the Internet is melting down based on what she’s been reading in the press.. I am not going to explain how the vulnerability might make a hacker’s day. If you need that, here are two posts that do that quite well: one by Scott Simpkin at Palo Alto Networks [2] and another by Dan Gooden over at ars technica [3]. What I want to do is talk about the Top Eight things I am doing right now to protect Palo Alto Networks and my home (and mother-in-law).

#1: Don’t Panic: Yes, this is a serious issue and it that has been available for exploitation for over two years. But the chances that hackers have successfully exploited you or your organization are pretty small. Check your trap lines for sure but let’s get on with the business of cleaning up on isle nine.

#2: Monitor Palo Alto Networks IPS vulnerability Signature ID 36416, 36417, 36418, 40039: For Palo Alto Networks customers, monitor IPS vulnerability signature ID 36416, 36417, 36418, 40039 for signs of activity. We released those signatures on April 9 and April 10 and they can automatically detect and block attempted exploitation of the vulnerability. If you’re a Palo Alto Networks customer with an up-to-date subscription, you’re covered.[4]

#3: Identify and Patch Your Affected Systems: I know that this sounds obvious but don’t assume you know. Run your local scanners across your network to discover any Open SSL instances that might have popped up without your knowledge. I know that both Tripwire and Qualys say their tools find the vulnerability. I am sure most commercial scanners also do at this point. Use them.

#4: Ping your cloud application providers to see where they are in the cleanup process: Salesforce.com has already announced that their systems are unaffected by this vulnerability. But you are probably using a handful of other cloud providers for other tasks like HR, Payroll, ERP, etc. Make sure you know who they are and ensure they are cleaning up the same way that you are. If you are curious, Brian Krebs recommends using Filippo Valsorda’s site -- http://filippo.io/Heartbleed/ -- to check for vulnerable systems. [5] You can also use these two locations:

LastPass: https://lastpass.com/heartbleed/
Qualys: https://www.ssllabs.com/ssltest/

#5: New Keys: For all affected systems, acquire new key certificates, revoke your old ones and install the new ones. Because of the way the vulnerability works, hackers who have compromised your servers with this Heartbleed weakness may have stolen your private keys. Even after you patch your systems, these guys would still have your private keys. Get a new set of keys.

#6: Inform Your Customers if you Found Vulnerable Systems: This is key. Your customers should already be asking you if you have been affected (See #3), but there will be some that do not. As a matter of trust, you should be very public about your cleanup efforts. Do not shy away form this. Since this vulnerability is widespread, you will not be alone in your efforts and maybe you can help some other organization who is not as clear thinking as you are about how to do this cleanup.

#7: Change Passwords: Once you have patched your systems, changed your keys, ensured that your cloud providers also accomplished those tasks, then it is time to change the passwords for all users on those systems. Do not do this until everything else is done though because if you do, hackers who are hanging out on systems that have not been patched or systems where the keys have not been changed can still read your new password. It does not make sense to change your password until the other tasks are done.

#8: Beware of the inevitable phishing campaign: Soon you will start to see phishing email messages telling you that you must immediately change your password in order to protect yourself from the Heartbleed vulnerability. They will most likely have a link embedded in the message pointing you to a sight that looks very much like your ERP, HR or payroll site, but in fact, it will be a site cleverly designed to collect your credentials. Don’t do that. 

In the long, consider Installing Perfect Forwarding Secrecy (PFS), as Twitter did last year [6], in order to ensure that a session key derived from a stolen private key and a collected public key in the future will not be compromised. PFS solves the very problem that we are changing our keys now to prevent.

Note

I published a version of this essay on the Palo Alto Networks research blog but I thought I would post it here also to reach the widest audience possible. [7]

Sources

[1] “Understanding Kaminsky's DNS Bug,” By Cory Wright, Linux Journal, 25 July 2008, Last Visited 11 April 2014,
http://www.linuxjournal.com/content/understanding-kaminskys-dns-bug

[2] “Real-world Impact of Heartbleed (CVE-2014-0160): The Web is Just the Start,” by Scott Simpkin, Palo Alto Networks Research Blog, 10 April 2014, Last Visited 11 April 2014
http://researchcenter.paloaltonetworks.com/2014/04/real-world-impact-heartbleed-cve-2014-0160-web-just-start/

[3] “Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping: Exploits allow attackers to obtain private keys used to decrypt sensitive data.” by Dan Goodin, arstechnica, 7 April 2014, Last Visited 11 April 2014.
http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/

[4] “Palo Alto Networks Addresses Heartbleed Vulnerability (CVE-2014-0160),” by Scott Simpkin, Palo Alto Networks, 9 April 2014, Last Visited 11 April 2014,
http://researchcenter.paloaltonetworks.com/2014/04/palo-alto-networks-addresses-heartbleed-vulnerability-cve-2014-0160/

[5] “‘Heartbleed’ Bug Exposes Passwords, Web Site Encryption Keys,” by Brian Krebs, Krebs on Security, 8 April 2014, Last Visited 11 April 2014,
http://krebsonsecurity.com/2014/04/heartbleed-bug-exposes-passwords-web-site-encryption-keys/comment-page-2/

[6] “Explaining perfect forward secrecy,” by Richard Mortier, Phys.Org, The Conversation, 2 Dec 2013, Last Visited 11 April 2014,
http://phys.org/news/2013-12-secrecy.html

[7] “8 Tips For Dealing With Heartbleed Right Now,” by Rick Howard, Palo Alto Networks Research Blog, 12 April 2014, Last Visited 15 April 2014,
http://researchcenter.paloaltonetworks.com/2014/04/8-tips-dealing-heartbleed/

Comments

Popular posts from this blog

Books You Should Have Read By Now

When I started Terebrate back in January 2010, I always intended it to be a place to put my book reviews on whatever I was reading. Since then, a lot has happened in my professional life. I changed jobs, twice. I presented my collection of cybersecurity book reviews at the annual RSA Conference and suggested that the cybersecurity community ought to have a list of books that we all should have read by now. My current employer, Palo Alto Networks, liked the idea so much that they decided to sponsor it. We ended up creating the the Rock and Roll Hall of Fame  for cybersecurity books. We formed a committee of cybersecurity experts from journalists, CISOs, researchers and marketing people who were all passionate about reading. My collection became the the candidate list and for the past two years, the committee, with the help of community voting, has selected books from the candidate list to be inducted into something we are calling the Cybersecurity Canon. It ha...

Book Review: The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage (1989) by Clifford Stoll

Executive Summary This book is a part of the cyber security canon. If you are a cyber security professional, you should have read this by now. Twenty years after it was published, it still has something of value to say on persistent cyber security problems like information sharing, privacy versus security, cyber espionage and the intelligence dilemma. Rereading it after 20 years, I was pleasantly surprised to learn how pertinent that story still is. If you are not a cyber security professional, you will still get a kick out of this book. It reads like a spy novel, and the main characters are quirky, smart, and delightful. Introduction The Cuckoo’s Egg is my first love. Clifford Stoll published it in 1989, and the first time I read it, I devoured it over a weekend when I should have been writing my grad school thesis. It was my introduction to the security community and the idea that somebody had to protect these new-fangled gadgets called computers. Back in those days, author...

Book Review: Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground by Kevin Poulsen (2011)

Executive Summary Kingpin tells the story of the rise and fall of a hacker legend: Max Butler. Butler is most famous for his epic, hostile hacking takeover in August 2006 of four of the criminal underground’s prominent credit card forums. He is also tangentially associated with the TJX data breach of 2007. His downfall resulted from the famous FBI sting called Operation Firewall where agent Keith Mularski was able to infiltrate one of the four forums Butler had hacked: DarkMarket. But Butler’s transition from pure white-hat hacker into something gray—sometimes a white hat, sometimes a black hat—is a treatise on the cyber criminal world. The author of Kingpin , Kevin Poulsen, imbues the story with lush descriptions of how Butler hacked his way around the Internet and pulls the curtain back on how the cyber criminal world functions. In much the same way that Cuckoo's Egg reads like a spy novel, Kingpin reads like a crime novel. Cyber security professionals might know the...