Sunday, April 13, 2014

Bleeding Heartbeats Part II: What do I do now?



The worst part about the Heartbleed Bug – the OpenSSL vulnerability that many people are still unaware of (if you count a number of recent dinner conversations I've had) is that, once one becomes aware of the vulnerability, there is a lot of FUD around protecting ourselves against the damage this might have brought about.  The main issues are: 
  1. Is the server at website "X" now patched?
There are a number of resources that will enable you to check.  Most major websites are posting notices on their website to address user concerns.  Mashable has put together a good list with some guidance for the most popular sites.
  1. Was it ever vulnerable in the first place?
Hard to tell.  Unless the site has made a statement (or been outed as vulnerable), it’s difficult to determine what TLS/SSL stack the site is using unless they openly post the details (e.g. OpenSSL 0.9.8k or .  You can always do a scan if the site has not made a statement and you’d like to verify. 
  1. If it is patched, should I change my password?
Not necessarily.  You want to make sure that the site has either declared that they were never vulnerable or determine if they have had their SSL certificate reissued since April 8, 2014 if they were exposed.  It’s unclear if there is a backlog for certificate reissuance but it is possible that it may take a week or more for all affected sites to get a new certificate.  Less-trafficked sites who do not have personnel dedicated to security may still leave themselves exposed.  

LastPass has created an excellent tool which will give detailed guidance regarding necessary password changes, including a check for SSL certificate reissue, if you have been using them to store your passwords. 
  1. How do I check the certificate of a server to make sure it’s been reissued?
You would click on the lock icon for your browser (check these links for Internet Explorer, Chrome, Firefox, Safari, Opera).  Hosting.com also has a good article on this. 

Caveat(s): a site may not have had their certs reissued if they were not vulnerable.  I’ve also heard that some sites place the original issue date on the certificate, even if it’s been re-issued, although I have not confirmed this.  So check the certificate but understand this is not foolproof. 
  1. Are client-side applications vulnerable?
Yes.  CERT is maintaining a list which can help you find any affected vendors you may be using.
  1. I’ve gotten an email from my [bank, tax website, etc] asking me to click on a link to change my password, is this safe?
No.  The scope of this vulnerability means that phishers will be having a field day enticing users to click on their malicious links or hand over their passwords to an untrusted third party.  

Although this may be a legitimate email from your bank, err on the side of caution and go directly to the website that has asked you to change your password.  The same goes for any calls you may receive asking you for credentials; no legitimate company today should be asking users for their passwords outside of normal access control for the site.
  1. I’ve completed all recommended best practices, am I safe now?
Safety on the Internet is something of an oxymoron but yes, if you have checked the site to ensure it is protected and changed your password on the site, that’s the best you can do for now, although you should turn on two-factor authentication and follow the guidelines in my previous post