Heartbleed – Where We Are Now


Heartbleed set off an internet firestorm when it was revealed last week that the vulnerability, which can leak not only passwords but other sensitive data, has been in the wild since 2011. Since then, new revelations have come out, including a list of security firms that knew about the exploit well before many others. At the government level, responses have varied, ranging from the Canadian Revenue Service, which halted online tax payments and recently arrested a teenage hacker alleged to have used the exploit, to our own IRS, which said go ahead and file anyway. A week later, not much dust has settled on this story.

“This has really set us back about twenty years in terms of internet security and being able to trust websites with sensitive information,” says Kevin Bocek, Vice President, Security Strategy & Threat Intelligence at Venafi, in an interview with CivSource. “Roughly about half of the internet is vulnerable and will have to replace their certificates. That’s a process that we can expect to take several months if not a few years, so in the meantime users will have to tread with caution.”

Venafi provides a variety of computer security services and offers its own Heartbleed Remediation Solution to current and potential clients working through their own exposure to the exploit. Yesterday Ars Technica noted that users and organizations running OpenVPN are vulnerable as well.

Bocek notes that the vulnerable OpenSSL code has been fixed, but users and hardware vendors will still have to work through identifying what they have deployed and which of it is vulnerable. That process is likely to take the most time, especially for governments that run legacy systems alongside newer add-ons or partially replaced systems. Individual users and tech shops will also have to relearn security processes, as simply using HTTPS is no longer enough to protect against bugs like Heartbleed.
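As an added illustration (not code from this article, from Venafi, or from OpenSSL itself): a simplified model of the TLS heartbeat request handling that Heartbleed abused, with the unchecked length handling beside the bounds check that the fix introduced. The record layout follows RFC 6520 (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding); the function names and the two sample records are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HB_REQUEST 1        /* heartbeat_request message type (RFC 6520) */
#define HB_MIN_PADDING 16   /* a request must carry at least 16 padding bytes */

/* Constructed sample records, not captured traffic. Layout: type, 2-byte
 * big-endian payload length, payload, padding. Both carry a 5-byte payload
 * and 16 bytes of padding; only the declared length differs. */
static const uint8_t GOOD_RECORD[] = {
    HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t BAD_RECORD[] = {
    HB_REQUEST, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o',   /* claims 65535 bytes */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

static size_t declared_len(const uint8_t *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Unchecked model: trusts the peer-supplied length the way the vulnerable
 * handler did. Returns how many bytes past the end of the received record a
 * memcpy of the declared payload would read; it only computes the number and
 * never performs the copy. 0 means the copy stays inside the record. */
size_t heartbeat_overread_bytes(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 3)
        return 0;
    size_t end = 3 + declared_len(rec);
    return end > rec_len ? end - rec_len : 0;
}

/* Checked model: the bounds checks the fix added. Header, declared payload
 * and minimum padding must all fit inside what was actually received.
 * Returns the payload length copied into out, or -1 to discard the request. */
int heartbeat_copy_payload(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_len)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t declared = declared_len(rec);
    if (1 + 2 + declared + HB_MIN_PADDING > rec_len)  /* the Heartbleed check */
        return -1;
    if (declared > out_len)
        return -1;
    memcpy(out, rec + 3, declared);
    return (int)declared;
}
```

With the bad record the unchecked model would read 65,514 bytes beyond the 24 received, which is the process memory Heartbleed leaked; the checked model discards the same record outright.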

ReadWriteWeb suggests forward secrecy as one option. This may be particularly pertinent for government users despite claims about its CPU cost. (That is, if government IT departments learned anything about performance and scale from the health insurance exchange fiasco.)

New testing tools have also emerged for users who want to check whether a site is vulnerable before they visit it. Pacemaker is one of these tools and is backed by the Chokepoint Project. Pacemaker scans the Alexa Top 1 million websites and attempts to connect to each on port 443. If this succeeds, Pacemaker attempts to exploit the Heartbleed vulnerability in order to retrieve data from the server’s memory. An initial scan was performed on April 11th and uncovered approximately 30,000 vulnerable websites. Since then, the Chokepoint Project has been re-scanning those URLs to see whether they have been patched, and that number now sits around 17,000.

Late last week Kentucky passed a new data protection law designed to deal with more straightforward data breaches, like the recent accidental posting of the Social Security numbers of students who won a state-backed scholarship award. Although the language of the bill doesn’t address more complex exploits like Heartbleed, it does set up a response-time framework that other states could look to as an example. Debate on the bill included an acknowledgement that these attacks aren’t tied to the typical 8-to-5 workday and that response plans should be in place for when people are out of the office. While that sounds like common sense, it also represents a big leap in how the public sector approaches information security.

“Much of 2014 is going to be defined by how governments respond to issues like this. Encryption is more important than ever before, but so are processes,” Bocek adds.