A Q&A with Chris Novak of Verizon RISK Team
The Heartbleed bug recently hit the headlines with the Canada Revenue Service breach, in which hundreds of social insurance numbers were stolen. Yet despite the media buzz, the long-term ramifications of this vulnerability are not fully understood yet, says Chris Novak, global managing principal of Investigative Response at Verizon RISK Team. I asked him to explain how Heartbleed works and why everyone should be aware of this insidious vulnerability.
What is the Heartbleed/OpenSSL exploit, exactly?
OpenSSL is a cryptographic library and a fundamental method of securing web traffic. When you visit your bank’s website you will see a little padlock symbol that signifies that your data is “safe,” which means that OpenSSL is being used. OpenSSL has a function called the “heartbeat” communication, which is used to keep a connection between two systems open and alive, to avoid the overhead of having to reestablish the connection over time. However, it appears that malicious data can be crafted into the “heartbeat” itself, which will prompt a signal on the other end. Researchers have shown that it can get the system server to respond with user names, passwords, encryption keys—basically any kind of sensitive information.
When people think of SSL or OpenSSL they think of web traffic but it’s also used in VPN connections and internet infrastructure such as routers and switches. In some sense, these things are more vulnerable because they can be more difficult to patch and the very possibility that they could get breached might also slip under the radar.
I think we will be seeing a second wave with a massive amount of breaches down the road.
How concerned should we be about Heartbleed?
There are people in two different camps. Some say it’s not that big of a deal—that there have only been a few confirmed instances where this type of vulnerability has been exploited. Others are saying that this could be the end of the internet as we know it. Those people contend that this kind of bug will eventually cause people to lose confidence in banking, brokerages, and other financial institutions.
The response has been strong. Within moments of the Canadian Revenue Agency breach, patches were released and made available so people could update their systems and change their passwords. That being said, even though most entities have undertaken some review of their environment with respect to Heartbleed, we also know that in a few months no one will be thinking about this anymore and the bad guys will find other vulnerabilities in systems or equipment that was either not previously identified or has been newly implemented. So I think we will be seeing a second wave with a massive amount of breaches down the road. And as with any Zero Day malware, people are often unaware of what’s happening until later. For instance, someone could hack a financial company’s router and redirect their web traffic and then direct it back without any users knowing that they’re interacting with anything other than their bank.
How, specifically, would a bad guy engage this exploit to access private info on an organization’s computer server?
The perpetrator would attempt to connect with the XYZ.com website and make a connection as they would with any site. They’d run a scan of the site to understand if they could use the SSL vulnerability—this is easy to find in the data stream. They’d then send the malicious heartbeat packet, which would contain instructions to pull information out of the server’s memory, and the server would execute that command. If they were able to get the administrator’s user name and password this way, they could remotely connect to the server and get all of the data directly—potentially, an entire copy of the database in the most catastrophic scenario.
What can organizations do to detect and remedy this issue?
There are free scanners out there that will help you determine how vulnerable your system is. A more time intensive approach would be to inventory anything—all system or equipment, including routers, switches and phones—that might use SSL, then scan all of the above. Any product you can get support for will likely have a patch. However, if you’re using old infrastructure that’s no longer supported by the vendor and has no patches, then you need to replace that device or equipment or put in another mitigating security measure, such as swapping out anything that’s internet facing with more secure equipment. I would add that for the consumer the best advice, once you’ve been given notice that any site you use has been patched or fixed, is to change any passwords you use. And you should also be proactive about reaching out to the websites you visit and asking them what they’re doing about this issue because you are the one who bears the risk of continuing to do business with them if they haven’t addressed it.
Mr. Novak provides a good summary of an exploit that’s gotten serious media attention, but actual data breach claims are unknown (or unreported) so far, so only time will tell. It has been reported that this bug has possibly impacted popular sites like Gmail and Yahoo and thus could have covertly exposed some sensitive data like passwords over the past year or so unbeknownst to users. We should also note that OpenSSL is in fact based on open-source (free) code and not used universally—and many of our clients do NOT run open source programs so they have not been affected by Heartbleed. Finally, Mr. Novak’s point that memories are short and the industry will be worried about a new zero-day exploit in a month from now is an apt one: As such, daily vigilance should be a constant.