Join David Gassner for an in-depth discussion in this video Auditing other vulnerable systems, part of Heartbleed Tactics for Small IT Shops.
The Heartbleed bug primarily affects servers using OpenSSL. But as an I.T. administrator or business owner, you need to consider other potential vulnerabilities. Here are some examples. Do you have any secured services that are running under OpenSSL but don't run over port 443, the standard HTTP secured port? These can include email servers, databases, LDAP directories, and so on.
Check them with the same care you use on your HTTP-based services. Do you have any custom business applications that make calls to secured web service APIs? And are those services running with vulnerable versions of OpenSSL? You can test those web service domains with the same testing tools that I mentioned earlier. If you find a vulnerability, let the web service vendor know about it. Immediately stop using the service until the problem has been corrected. And change your user credentials before you start using it again.
OpenSSL is also used in some client installations. Client-side OpenSSL installations can be attacked to extract passwords and cryptographic keys from users' computers and gadgets. Check with the software vendor if you have any concerns about this. Pay particular attention to software that syncs up with cloud-based systems. That sort of syncing traffic is frequently encrypted and because OpenSSL is open source and free, it's very popular.
Also, if you have any client-side Linux installations, you can check their OpenSSL version using the same strategies as with the server versions. And it's not just computers that might be affected. There are also routers, video conferencing software, and desktop phones, many of which use versions of Linux and many of which use encrypted communication. If you're concerned about these devices, check the manufacturer's website. If the hardware is affected in any way, the manufacturer should let you know about it and provide instructions for upgrading.
And finally, there are the gadgets that so many of us carry around: cell phones and tablets. Some particular examples include Android 4.1.1, which is known to be vulnerable to the Heartbleed bug. If you have a Google Nexus device that's running this version of Android, you can and should immediately upgrade to the most recent version of the operating system. But other devices typically can only be upgraded once the vendor and, in some cases, a carrier have tested and distributed the new version.
For cell phone users, if you have concerns about this, I recommend checking with your carrier. And if you have BlackBerry devices, it's worth knowing that the devices themselves aren't known to be affected, but there is some affected software. Specifically, BlackBerry has said that versions of Secure Work Space corporate email and BBM messaging were affected. These software packages have been fixed, and you should upgrade to the latest versions on all of your devices and computers. And of course, this is all in addition to the steps that everyone should be paying attention to: changing your passwords on vulnerable websites and mobile apps.
The website Digital Trends is maintaining a list of mobile apps and websites that might have been affected. You can find these lists at www.digitaltrends.com. From the website's home page, search for Heartbleed, and you'll find a series of useful articles. As an I.T. administrator or business owner, you should be communicating with your users about these issues. But your concerns are greater than just your own passwords.
If you offer secured services over the web, you should immediately check all your systems for these vulnerabilities, fix them as quickly as possible and communicate with your customers and other stakeholders about what you're doing to deal with the Heartbleed bug.
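The version check the course recommends for Linux clients and servers, written out as an added example (this is not code from the course): it classifies the output of `openssl version` against the Heartbleed-affected range and carries the one caveat that trips up small shops, distribution backports that keep the upstream version letter. The sample version strings are constructed, and CVE-2014-0160 is Heartbleed's public identifier (not mentioned in the video).

```sh
#!/bin/sh
# Added example (not part of the course): classify one line of `openssl version`
# output against the Heartbleed (CVE-2014-0160) affected range.
# Upstream: 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected; 1.0.1g fixed it;
# the 0.9.8 and 1.0.0 branches never contained the TLS heartbeat code.
heartbleed_version_status() {
  # $1: e.g. "OpenSSL 1.0.1e 11 Feb 2013" (constructed sample format)
  case "$1" in
    OpenSSL\ *) ;;
    *) echo "unknown"; return 0 ;;   # LibreSSL, BoringSSL, or garbage: not classified here
  esac
  ver=${1#"OpenSSL "}        # "1.0.1e 11 Feb 2013"
  ver=${ver%% *}             # "1.0.1e" / "1.0.2-beta1" / "1.0.1e-fips"
  case "$ver" in
    *-beta*) ;;              # keep the beta tag, it matters for 1.0.2-beta1
    *) ver=${ver%%-*} ;;     # drop build suffixes such as -fips; the letter is what counts
  esac
  case "$ver" in
    1.0.1|1.0.1[a-f]|1.0.2-beta1) echo "vulnerable" ;;
    1.0.1[g-z]*|1.0.2*|1.1.*|3.*)  echo "fixed" ;;
    0.9.8*|1.0.0*)                 echo "not-affected" ;;
    *)                             echo "unknown" ;;   # other betas, odd strings: look them up
  esac
}

# Caveat: distributions backport the fix without bumping the upstream letter, so a
# patched Debian 7 package still prints "OpenSSL 1.0.1e". When this reports
# "vulnerable" on a packaged system, confirm against the package changelog:
#   apt-get changelog openssl | grep CVE-2014-0160     (Debian/Ubuntu)
#   rpm -q --changelog openssl | grep CVE-2014-0160    (RHEL/CentOS)
audit_local_openssl() {
  v=$(openssl version 2>/dev/null) || v=""
  [ -n "$v" ] || { echo "openssl: binary not found on PATH"; return 0; }
  printf '%s -> %s\n' "$v" "$(heartbleed_version_status "$v")"
}

audit_local_openssl
```

Run it on each Linux client or server you audit; a result of "fixed" or "not-affected" from the upstream string is reliable, while "vulnerable" on a distribution package needs the changelog check before you act.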