On Tuesday 8th April 2014 a serious security vulnerability capable of exposing private data from web servers running OpenSSL was discovered. OpenSSL runs on a purported 66% of all web servers on the internet, many of which you use every day.
OpenSSL is an open source cryptographic library that gives web servers a means of implementing the SSL protocol, securing data in transit between client devices on the internet and the web servers holding the privileged information. MITRE, a US not-for-profit organisation managing Federally Funded Research and Development Centres, published CVE-2014-0160, which in turn linked to http://heartbleed.com/, where one can find a “friendly” explanation of the exploit.
In short, the vulnerability (which has been present for 2 years but only recently discovered) permits a malicious party to form an SSL request in such a way that the server returns a small block (64k) of its memory to the attacker. Because that block is simply whatever happens to be sitting in the server's memory at the time (as on PCs in general), there is every chance it contains something a company really would not wish to leak, such as a username and password for one of their users in plain text or the private key to a certificate. Twitter was rife with examples of this, but thankfully passwords were redacted!
Contrary to best practice, many of us use the same, or similar, passwords for multiple services. The risk is that if your credentials for one service were compromised and an attacker had them, there is no reason those credentials would not work on other websites and services too.
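To make the mechanism described above concrete, here is an added illustration in C; it is constructed for this article and is neither OpenSSL's code nor the exploit. A server handler echoes a client-supplied payload back: the first version trusts the client's length field, the second applies the bounds check that the fix amounts to. The memory arena and the "secret" bytes next to the request are constructed.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed server memory: the received record (2-byte length field
 * followed by the payload) sits directly in front of unrelated data. */
static unsigned char arena[64];

/* Build the arena for a request that CLAIMS claimed_len payload bytes but
 * actually carries strlen(payload). Returns the number of bytes received. */
static size_t setup_arena(uint16_t claimed_len, const char *payload) {
    size_t actual = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = (unsigned char)(claimed_len >> 8);
    arena[1] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 2, payload, actual);
    memcpy(arena + 2 + actual, "SECRET:hunter2", 14); /* neighbouring data */
    return 2 + actual;
}

/* Buggy handler: copies claimed_len bytes no matter how many arrived.
 * (Capped at the arena so the demonstration stays within defined memory.) */
static size_t reply_unchecked(unsigned char *out) {
    size_t n = (size_t)((arena[0] << 8) | arena[1]);
    if (n > sizeof arena - 2) n = sizeof arena - 2;
    memcpy(out, arena + 2, n);
    return n;
}

/* Fixed handler: a length field larger than what was received is rejected
 * and the request is dropped without a reply. Returns bytes echoed or -1. */
static int reply_checked(size_t received, unsigned char *out, size_t out_cap) {
    if (received < 2) return -1;
    size_t claimed = (size_t)((arena[0] << 8) | arena[1]);
    if (claimed + 2 > received || claimed > out_cap) return -1;
    memcpy(out, arena + 2, claimed);
    return (int)claimed;
}

/* Scenario: client claims 40 bytes, sends 2. Returns 1 if the unchecked
 * reply carried the neighbouring secret back to the client. */
static int oversized_request_unchecked(void) {
    unsigned char out[64];
    setup_arena(40, "hi");
    size_t n = reply_unchecked(out);
    return n == 40 && memcmp(out + 2, "SECRET:", 7) == 0;
}
static int oversized_request_checked(void) {     /* same request, fixed code */
    unsigned char out[64];
    return reply_checked(setup_arena(40, "hi"), out, sizeof out);
}
static int honest_request_checked(void) {        /* claims 2, sends 2 */
    unsigned char out[64];
    return reply_checked(setup_arena(2, "hi"), out, sizeof out);
}
```

The unchecked version echoes 40 bytes, 14 of which are the constructed secret; the checked version drops the oversized request and answers only the honest one.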
Do you need to act?
Simply put, yes! Change all of your online passwords as soon as possible and ensure the passwords you set follow best practice. A strong password is:
Varied: Make sure you use characters from three or more character sets (lowercase, UPPERCASE, numbers and symbols)
Memorable: Choose something that you don’t need to record elsewhere in order to remember it
Unique: Choose something that you haven’t already used elsewhere, so that, should it be compromised, it will not provide access to other services
Mashable created a hit list of common sites detailing whether they had been affected and whether password changes were recommended. This is a good place to start your password resetting journey! If you want to test any of your favourite websites for the vulnerability, Italian cyber security expert Filippo Valsorda has created a simple checking tool: input the URL of the website you’re concerned about and it will report whether the server is still vulnerable.
OpenSSL released a patch for this issue very quickly and it was simple to apply, but some of the larger services and sites on the internet will obviously have taken longer to fix it due to the sheer quantity of servers to patch. Once the patch was applied, server administrators were advised to have their certificate authority reissue any SSL certificates (since the private key may have been among the leaked data) before then encouraging their userbase to change their passwords; changing a password on a server that is still unpatched offers no protection, as the new password can be leaked just as the old one was.
The action points for the general public following this incident are that you should change your passwords regularly using the guidelines above and use two-factor authentication where possible to minimise risk.
– Ben Moses
Senior Cloud Engineer