HeartBleed - further lessons
7 April 2014 was the day the digital world stood still as news broke of what was billed as one of the most devastating cyber hacks ever. Well, we're all still here to tell the tale, so was it a close shave or merely an over-hyped issue? Who knows what would have happened had the ‘good guys’ not found the defect first. Anything at all? Maybe they didn't. It is the uncertainty that can be so damaging.
The details of what the Heartbleed bug was and the danger it posed to our confidential data held by Facebook, Google, Yahoo! and others like them are well documented. The point is that the online world went into major panic mode, terrified of the hacking community's sudden ability to manipulate ‘that’ OpenSSL defect.
Usually, the biggest problem that results from security issues like this is the inevitable mass panic that follows, together with the all-too-often shambolic response from some in our industry.
Whilst the good was that the IT security community displayed genuine ambition to fix the issue, sharing knowledge and insights into the possible impact of the defect and offering solutions on how to mitigate the risk, the ‘bad’ and the ‘ugly’ attained the spotlight, too. In truth, there was an awful lot of terrible advice, none more so than the guidance to ‘reset all passwords’. Unfortunately, it was this gem of advice that the mainstream media picked up on and to which the masses took heed. And why wouldn't they? It was a clear headline grabber that was simple to understand and easy to action.
One thing about Heartbleed that is worth mentioning is that the bleedin' hacker never knows quite what data they are going to steal. It's easy to automate a Heartbleed attack, but what the hacker receives as a result are random bits of the webserver's memory, which need sifting through before the gold nuggets of secret keys and passwords are found. In order to increase their chances of passwords being part of this harvest, what a hacker really wants is lots of traffic relating to passwords coming to their targeted site. So, when a mass instruction to consumers to change all passwords was issued, all the hackers' Christmases came at once.
The truth is that if you did use a site vulnerable to Heartbleed, the best course was just to stay away for a bit and wait for advice from the site itself.
A key challenge for the industry is how to coordinate a consistent and unified reaction to scares like Heartbleed. This isn't a challenge I pretend to know the answer to. When details of the OpenSSL flaw were released, inevitably a race ensued between the bad guys seeking to exploit the defect and the good guys trying to close the loophole and prevent data theft. Immediately tools were released to enable users to test whether a site was vulnerable or not and instructions were circulated on how to detect an attack. What these and many other responses did show was a genuine ambition amongst the IT security community to fix the issue and share knowledge and insights into the possible impact of the defect and how to mitigate it. At the same time, however, they also handed the hackers a suite of tools to identify vulnerable sites to attack.
So, what lessons can the industry learn from Heartbleed?
Take your lead from the cub scouts – be prepared.
How well did you understand the description of the bug? How well do you understand the potential impact of the key held in your webserver's memory being compromised? In all honesty, it doesn't matter whether you do or you don't. What does matter is that someone in your company understands and can inform and influence the leadership of your organisation so that the best possible decisions can be made.
If your website data is valuable, don't rely on static passwords to secure it.
Static usernames and passwords have demonstrated their vulnerability time and time again; they are no longer fit for purpose. The sheer volume of passwords that today's web user now needs to remember means that everyone is guilty of reusing the same password now and then. Password reuse, especially across corporate and personal applications, means that when hackers use Heartbleed (or another tactic) to steal your login details from consumer sites, they automatically have everything they need to waltz into your corporate network undetected and rifle through your corporate data.
A cool head, an assessment of the risk and a considered action plan are what IT security professionals need. Let's be honest, IT will never be risk free. Heartbleed was a narrow escape but what is most important is how we learn from the experience and adjust our behaviour as a result.
Contributed By Chris Russell, CTO, Swivel Secure