The US Government has confirmed that, as feared, cyber-crime attacks have been launched that exploit the recently revealed Heartbleed security flaw, which affects hundreds of thousands of websites and other systems worldwide.
The ICS-CERT agency, part of the US Department of Homeland Security (DHS), issued a warning about Heartbleed on 10 April stating: “ICS-CERT is aware of several instances of targeted active exploitation of this vulnerability.”
It added: “ICS-CERT continues to monitor the situation closely. Entities are encouraged to report any and all incidents regarding this vulnerability to DHS.”
‘Heartbleed’ has triggered a seismic reaction among security professionals and users, after researchers from Google and Finland's Codenomicon revealed on 7 April that web servers and other kit using the OpenSSL encryption system versions 1.0.1 to 1.0.1f have been vulnerable to the bug for the last two years.
An estimated 500,000 to 600,000 sites are affected – original estimates put it in the millions. Heartbleed allows attackers to hijack “crown jewel” encryption keys and steal any encrypted data that has passed through the affected site or device, including user passwords, bank details and confidential company documents.
The latest OpenSSL 1.0.1g fixes the bug but, in the interim, security professionals are being warned of cyber-crime attacks and password-stealing phishing emails exploiting people's fears about Heartbleed.
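As an added triage helper, not code from the article or from any vendor it mentions: it classifies a host's `openssl version` banner against the 1.0.1 to 1.0.1f range stated above (and also flags the 1.0.2-beta1 pre-release, which the upstream OpenSSL advisory listed but the article does not). The sample banners are constructed.

```python
import re

# Range stated in the article: OpenSSL 1.0.1 through 1.0.1f are affected and
# 1.0.1g carries the fix. Older branches (0.9.8, 1.0.0) never included the TLS
# heartbeat extension. The 1.0.2-beta1 pre-release, listed in the upstream
# OpenSSL advisory but not in the article, is flagged as well.
FIRST_FIXED_LETTER = "g"

_BANNER_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([A-Za-z0-9]+))?", re.IGNORECASE
)


def parse_openssl_version(banner):
    """Parse `openssl version` output such as 'OpenSSL 1.0.1f 6 Jan 2014'.

    Returns (major, minor, fix, letter, suffix) or None when the banner is
    not an OpenSSL banner (LibreSSL, BoringSSL, unrelated text).
    """
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter, suffix = m.groups()
    return (int(major), int(minor), int(fix), letter.lower(), (suffix or "").lower())


def heartbleed_status(banner):
    """Classify a banner as 'vulnerable', 'patched', 'unaffected' or 'unknown'.

    Caveat: distributions backported the fix without changing the version
    string (a patched '1.0.1e' package is common), so 'vulnerable' here is a
    triage signal to confirm against the vendor advisory or package changelog,
    not proof of exposure.
    """
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown"
    branch, letter, suffix = v[:3], v[3], v[4]
    if branch < (1, 0, 1):
        return "unaffected"  # no heartbeat extension in 0.9.8 / 1.0.0
    if branch == (1, 0, 1):
        # '' (plain 1.0.1) and 'a'..'f' sort before 'g'; 'g' and later are fixed
        return "vulnerable" if letter < FIRST_FIXED_LETTER else "patched"
    if branch == (1, 0, 2) and suffix == "beta1":
        return "vulnerable"  # pre-release shipped the unpatched heartbeat code
    return "patched"  # 1.0.2-beta2 and every later release include the fix
```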
Security firm Easy Solutions has confirmed the ICS-CERT's report of cyber attacks, revealing that hackers have targeted over 10,000 web domains affected by the bug.
In a 10 April blog post, Easy Solutions CTO Daniel Ingevaldson said: “Hackers are posting huge lists of 10,000-plus domains that have been run through the automated web-based Heartbleed vulnerability checking tools. This list described if the web sites are vulnerable, patched, or if SSL was not present.”
Ingevaldson added: “Chances are that if you run an SSL-protected system, it has been assessed or will be assessed by one of these tools. These scans might lead to automated attacks that harvest login credentials en masse.”
Phishing attacks on the rise, password advice causes confusion
Heartbleed phishing emails have also started. On 10 April Rob VandenBrink, a senior consulting engineer at Metafore, warned in a blog for the US cyber security education body SANS: “I started getting emails yesterday asking me to change passwords on services I do not have accounts on - complete with helpful links - back-ended by malware and/or credential harvesting of course.”
Meanwhile, in a bid to calm fears – and contrary to some earlier advice – security experts say users should not immediately change their passwords because of Heartbleed.
Mick Paddington, security adviser at Trend Micro, told SCMagazineUK.com: “The advice is don't change your password until you're asked to by a genuine site, so for instance if you do get an email from Barclays and it's genuine. Some of these sites are doing remedial action to plug this vulnerability. As soon as that's done they'll either inform you on their website or through the media channels that their sites are now safe and it's safe to change your passwords.”
Security expert Brian Krebs added in a 10 April blog post: “It is a good idea for internet users to consider changing passwords, at least at sites that they visited since this bug became public (7 April). But it's important that readers first make an effort to determine that the site in question is not vulnerable to this bug before changing their passwords.”
As for security professionals, Paddington told us: “They should be looking at their own websites and seeing if they are at risk from this vulnerability and if so taking the remedial action out there to address it.”
Peter Allwood, senior manager at Deloitte, advised: “Organisations who are concerned they may have been impacted should be following an established vulnerability management process to apply security patches to affected systems. Extra focus should be given when assessing the implications of the Heartbleed bug, beyond applying the regular patches. Organisations may also need to revoke compromised certificates and create new encryption keys and certificates. They should also be giving users advice about their response to the bug and any steps users should take to remain secure.”
Some websites have been set up where CISOs and end users can check whether the websites they run or use are vulnerable. Two such sites are:
A comprehensive list of vendors and their patches and updates is provided by the Carnegie Mellon CERT team. CISOs are also being reminded that Heartbleed affects more than websites. Avivah Litan, a vice president with Gartner Research, said in a 9 April blog: “This bug affects routers, switches, operating systems and other applications that support the protocol in order to authenticate senders and receivers and to encrypt their communications. Forget having to plant back doors in encryption libraries, as the NSA allegedly did. The backdoors are already built in.”
Confirming this, for example, Cisco said in a 10 April security advisory that Heartbleed has affected Cisco products including IP phones, a video communication server, Ethernet access switch and versions 2.x of the WebEx Meetings Server.
In a 10 April blog post, TrendLabs mobile threats analyst Veo Zhang reported that mobile apps are also vulnerable. TrendLabs scanned around 390,000 apps from Google Play and found around 1,300 apps that connected to vulnerable servers. Among them were 15 bank-related apps, 39 online payment-related apps and 10 online shopping-related apps.
“We also found several popular apps that many users would use on a daily basis, like instant messaging apps, health care apps, keyboard input apps – and most concerning, even mobile payment apps. These apps use sensitive personal and financial information – data mines just ripe for the cybercriminal's picking,” Zhang said.
Google product manager Matthew O'Connor said in a 9 April blog that Google had applied Heartbleed patches to Google Search, Gmail, YouTube, Wallet, Play, Apps and App Engine. Google Chrome and Chrome OS were not affected. “We are still working to patch some other Google services,” O'Connor said.
Brian Krebs added: “It is entirely possible that we may see a second wave of attacks against this bug, as it appears also to be present in a great deal of internet hardware and third-party security products, such as specific commercial firewall and virtual private network (VPN) tools. The vast majority of non-web server stuff affected by this bug will be business-oriented devices (and not consumer-grade products such as routers, for example).”