Heartbleed Tactics for Small IT Shops
Video: Understanding the nature of the Heartbleed bugProtect your sites—and your servers—from Heartbleed. Learn how to audit, test, and fix vulnerability issues associated with OpenSSL.
Protect your sites—and your servers—from Heartbleed. This course is aimed at administrators that maintain their own small servers, and provides the information needed to diagnose as well as fix any problems. David Gassner shows how to test your secure servers, fix the services that use the compromised OpenSSL software, and audit your other vulnerable systems.
Understanding the nature of the Heartbleed bug
As has been widely publicized, a severe hole in internet security, known as The Heartbleed Bug has been discovered. This bug affects a significant percentage of secure HTTP servers around the world. Heartbleed is a bug in OpenSSL, an open Source Software Package that's widely used to manage security certificates and encryption between internet clients and servers. It primarily affects HTTP servers, the servers that host websites, and specifically HTTP servers that use OpenSSL versions 1.0.1, through 1.0.1f.
This isn't an architectural problem with OpenSSL itself, it's just some bad code that was introduced into the product. The bug is in the implementation of the Transport Layer Security protocol, or TLS and specifically, a part of the protocol known as the heartbeat extension. The heartbeat extension is used to create a handshake between a client and a server, as they initiate encrypted communication. The problem, is that this bug allows memory and data to leak through.
Here's the technical description, a missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. 64k doesn't sound like a lot, but this hole in the security of the TLS heartbeat extension can be exploited over and over again once it's been discovered. This means that servers and client computers, and even mobile devices such as cell phones and tablets that are connected to the internet are potentially vulnerable if they use particular versions of Open SSL.
As an IT administrator or business owner, it's critical to understand the nature of the bug, how to find out whether your systems are vulnerable, and how to go about fixing the issue. Here's the sort of data that can be leaked through the Heartbleed bug. Primary keys are the digital security certificates, that manage encryption. These are the keys to the kingdom. And the heartbleed bug lets those leak from server memory. Also, secondary keys such as user credentials, user names and passwords, or other information that's being used to authenticate users can be leaked.
Once that information has been compromised it's possible to get to other protected contents, information as sensitive as credit card numbers. And finally, collateral information such as memory addresses or other internal technical info. Some of this information is temporary and transient. For example, if someone has captured memory addresses. From a current server session it wouldn't be useful once you've updated OpenSSL to a safe version, and restarted your server. But everything else that might have been compromised needs to be closely evaluated, and if warranted, it needs to be changed.
This is laborious and a major pain, but it might be necessary. Don't underestimate this issue. If you secure hosted services, you should immediately find out whether your systems need attention. Some organizations including national governments, have actually shut down critical web-based services until they're confident that this bug has been corrected on their servers. It's that serious. Deal with it now and you might save yourself some bigger trouble down the road.
You can easily find out whether your systems are vulnerable, if they are vulnerable it's tough to know what information might have been stolen, if any, so it's best to be safe. Security experts world wide are recommending that you change or replace potentially compromised security assets, such as certificates, passwords, and so on. To learn more about the bug and find resources to deal with it, go to the website that's been set up for this purpose at heartbleed.com. This webpage will be kept up to date as information develops.
It includes information about the nature of the bug, and, down at the bottom at the page, a list of resources that you can use to find out how to deal with particular servers. In the following movies I'll describe key strategies you can follow, to find and fix vulnerabilities in your own systems.
There are currently no FAQs about Heartbleed Tactics for Small IT Shops.