09:04 AM
Tim Sapio, Bishop Fox

Heartbleed: Examining The Impact

There's little hope of knowing if an asset was breached, if a breach can be identified, or if any data was leaked. Here's how to defend against future attacks.

Yesterday saw the beginning of the most significant breaches in Internet security to date. I'm talking, of course, about the vulnerability that was discovered in OpenSSL (CVE-2014-0160), commonly known as Heartbleed.

This was not a breach like the ones we've grown accustomed to hearing about in recent months, such as Target, Drupal, or the California DMV, wherein customers' personal data or login credentials were leaked. Instead, this breach strikes at the heart of encrypted transfers to the servers we all use in our day-to-day lives.

The Heartbleed vulnerability exists in all default versions of OpenSSL going back to March 2012. Among the products that use OpenSSL are Apache, IIS, Nginx, Cisco AnyConnect, your home router -- it's harder to come up with a list of Web products that don't use OpenSSL than a list of those that do.

What exactly does this vulnerability do, and why is it so bad? Basically, Heartbleed allows an attacker to abuse a normal function of SSL, known as the heartbeat. The vulnerability permits an attacker to read bits of memory on an affected server to which he or she should not have access. Since the bug occurs at such a low level, merely connecting to a vulnerable system and sending it a specially formed request is enough to trigger the vulnerability. No authentication with the server is required. In practice, this means that attackers can connect to a vulnerable server, keep the connection alive, and wait for something interesting to come their way.
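As an added illustration, not code from the article or from OpenSSL, here is a simplified model of the heartbeat handling the paragraph describes: the echo that trusts the peer-supplied length beside the bounds-checked form. The record layout is reduced to type, length, payload and padding, and the "process memory" and the SECRET-KEY marker are constructed to make the over-read observable.

```c
#include <stdint.h>
#include <string.h>

/* Simplified TLS heartbeat record: type(1) | payload_length(2, big-endian) | payload | 16 bytes padding. */
#define HB_REQUEST 1
#define HB_HEADER  3
#define HB_PADDING 16
#define RECORD_LEN (HB_HEADER + 2 + HB_PADDING)   /* the 21 bytes actually received */

/* Constructed "process memory" (not a capture): the header claims a 32-byte payload but the record
 * carries only 2 bytes; the bytes after the record stand in for whatever happened to be adjacent. */
static const uint8_t g_memory[64] = {
    HB_REQUEST, 0x00, 0x20,                               /* claimed payload_length = 32 */
    'h', 'i',                                             /* real payload: 2 bytes */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,       /* padding */
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'K', 'E', 'Y'      /* adjacent memory, constructed marker */
};

static uint16_t hb_payload_length(const uint8_t *rec) { return (uint16_t)((rec[1] << 8) | rec[2]); }

/* Vulnerable shape: echo payload_length bytes, trusting the peer-supplied header. */
size_t hb_echo_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    (void)rec_len;                        /* the length actually received is never consulted */
    uint16_t plen = hb_payload_length(rec);
    if (plen > out_cap) return 0;
    memcpy(out, rec + HB_HEADER, plen);   /* copies past the 21-byte record into adjacent memory */
    return plen;
}

/* Fixed shape (the form of the upstream fix): discard any record whose claimed payload
 * plus header and padding exceeds the bytes actually received. */
size_t hb_echo_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER + HB_PADDING) return 0;
    uint16_t plen = hb_payload_length(rec);
    if (HB_HEADER + (size_t)plen + HB_PADDING > rec_len) return 0;   /* silently discard */
    if (plen > out_cap) return 0;
    memcpy(out, rec + HB_HEADER, plen);
    return plen;
}

/* True if the echoed bytes contain the marker, i.e. the peer received something it never sent. */
int echo_contains(const uint8_t *buf, size_t n, const char *marker) {
    size_t m = strlen(marker);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, marker, m) == 0) return 1;
    return 0;
}
```

Fed the same 21-byte record, the unchecked version echoes 32 bytes that include the constructed marker, while the checked version discards the record and echoes nothing; a well-formed 2-byte heartbeat still round-trips through the checked version.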

Read the rest of this article on Dark Reading

Comments
Jonathan_Camhi
User Rank: Author
4/28/2014 | 9:03:59 PM
re: Heartbleed: Examining The Impact
I've got a password on my phone, but I never thought about it making it difficult for someone to contact me if I lost it. Anyway, way to be a good Samaritan.
Becca L
User Rank: Author
4/28/2014 | 6:04:59 PM
re: Heartbleed: Examining The Impact
Thanks for sharing. Tech like this relies on the honesty of the finder, but you're right that these tagging tools can be life savers for both parties. I recently found an iPhone with password protection, and it took me a long time to figure out how to contact the owner. Same experience with a wallet a month later (one of the credit card companies ended up patching me through to her cell phone - what an ordeal). Even honest people can get discouraged!
Kelly22
User Rank: Author
4/15/2014 | 4:12:25 PM
re: Heartbleed: Examining The Impact
That's pretty cool, provided the finder is honest enough to return the item. I'd give this a try for my phone and wallet, though.
BobH088
User Rank: Apprentice
4/14/2014 | 4:00:52 PM
re: Heartbleed: Examining The Impact
One of the most common causes of data getting into the wrong hands is the loss of mobile devices that often contain a frightening amount of private information. I want to share a protection option that worked for me. Tracer tags (mystufflostandfound.com) let someone who finds your lost stuff contact you directly without exposing your private information. I use them on almost everything I take when I travel, like my phone, passport, and luggage, after one of the tags was responsible for getting my lost laptop returned to me in Rome one time.
Kelly22
User Rank: Author
4/14/2014 | 2:47:32 PM
re: Heartbleed: Examining The Impact
Thanks, Ulf. I think you're right in saying that we can pretty much expect security breaches from future software. With the damage from Heartbleed already done, we can only plan for attackers' increasingly complex breaches. Protecting the data itself is a wise strategy.
Ulf Mattsson
User Rank: Apprentice
4/11/2014 | 9:37:47 PM
re: Heartbleed: Examining The Impact
All kinds of organizations have scrambled to fix the bug, but as the vulnerable technology has been in place on up to two-thirds of all websites for approximately two years, the damage may already be done. However, it's important to note that not all organizations' websites or software were affected.

So what can we do to try to prevent this in the future?

First, while this could have wide reaching effects, some of which we may not know for a long time, not all SSL/TLS communications can be compromised.

But waiting for better software or protocols isn't really an option. While new software will inevitably come along, there are limited guarantees, especially in the case of open-source technology such as OpenSSL, that it will be bug-free. In fact, we should expect that they will be breached.

The most viable option is proactive security of the data itself. By tokenizing or encrypting sensitive data at the point of creation or acquisition, it can be made useless to potential thieves, even in memory.

There's no perfect answer to fix years of exposure, but moving forward, adopting the most proven, vendor-backed data security solutions that protect the data itself can offer significantly reduced risk over protocols alone.

Ulf Mattsson, CTO Protegrity