Heartbleed — A VAR's Preparedness Kit
By Megan Williams, contributing writer
You’ve undoubtedly seen stock images of injured and bleeding hearts flying across news channels. You may have even changed your Yahoo! and Gmail passwords. Your personal data is safe, but what does the bug mean for your clients?
What It Is
The Heartbleed bug (disclosed on April 7, 2014) is a serious flaw in OpenSSL (used by at least two-thirds of Internet sites). It leaves not only passwords and other information exposed, but also lets future ne’er-do-wells imitate the way trusted service providers identify themselves — it basically hands the sheep’s clothing over to the wolf. A week later, information on what exactly goes on when the bug is exploited is everywhere. Gizmodo gives a good rundown here, but Randall Munroe over at XKCD breaks it down the simplest way possible.
Governments And Vendors Affected
Comics aside, where’s the danger?
Canada’s Revenue Agency site, Revenue Canada, has already been shut down due to Heartbleed (it hit right in the middle of tax season, but service was restored on April 13). A spokesperson for Canada’s Department of Shared Services states that the bug “is affecting virtually all IT systems around the world.” Australian businesses are feeling the pain too, while U.S. governments are busy testing and preparing for future threats. According to Jonathan Trull, chief information security officer for the Colorado Governor's Office of Information Technology:
“This is probably the most serious potential threat to confidential data I've seen since learning of the Conficker worm back in November of 2008. Public agencies are scrambling to test their sites, and if they determine they are vulnerable, they are working to immediately put in place compensating controls and ultimately fix the problem.”
It’s definitely not just a government issue though, with 10 prominent business software vendors reacting to the crypto bug. Microsoft has rested easy, because Windows IIS, along with most Microsoft Services, came out unscathed. IBM was still analyzing its products as of April 11 to determine vulnerability. Oracle’s April advisory for its patch bundle doesn’t mention Heartbleed, but there have been murmurings in their online community. SAP remains quiet, while VMware has identified 27 products potentially exposed to Heartbleed attacks. Symantec was still investigating its products as of April 9, and HP reports no issues. CA is quiet on the issue, and Citrix has reported problems with XenApp.
Your Next Steps
Thankfully, patches are already available. Unfortunately, simply installing them doesn’t mean complete protection, and mass password resets (for everyone) are necessary. Ignoring the problem is not an option. If any of your systems are running unpatched OpenSSL 1.0.1 or 1.0.2-beta, it will be a walk in the hacker park for anyone to exploit the bug — so even if your customers object, insist that they change all vulnerable passwords. The threat that they may have already been compromised is real.
It might also be useful to pass around this test website, which not only provides a simple way of checking vulnerability, but also connects users with a host of resources around the security flaw. On the bright side, some Linux operating system companies are already delivering OpenSSL patches to their clients. Fixed Linux operating systems include CentOS, Debian, Fedora, Red Hat, openSUSE, and Ubuntu (SLES was not affected).
Dodi Glenn, senior director of Security Intelligence and Research Labs at ThreatTrack Security, offers more detailed advice to VARs on older versions and additional upgrade resources. “Administrators can upgrade their version of OpenSSL by visiting https://www.openssl.org/source. If the server is running an older version of OpenSSL such as 0.9.8, they do not need to upgrade, as this bug was not found in this version. Additional information regarding the vulnerability (CVE-2014-0160) can be found here: https://www.openssl.org/news/secadv_20140407.txt.”
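As an added example (not from the article, ThreatTrack, or the OpenSSL project), the version rules above turned into a small triage script a VAR could run across a customer inventory: it classifies `openssl version` output as vulnerable (1.0.1 through 1.0.1f, 1.0.2-beta1), fixed, or unaffected (0.9.8 and earlier). Host names and version strings in the sample inventory are constructed; the functions `classify`, `triage` and `local_version` are this example's own.

```python
import re
import subprocess

# Upstream releases carrying the vulnerable TLS heartbeat code (CVE-2014-0160):
# 1.0.1 through 1.0.1f and 1.0.2-beta1. 1.0.1g and 1.0.2-beta2 fixed it;
# 0.9.8 and 1.0.0 never shipped the heartbeat extension at all.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)(?:-?(beta\d+)|([a-z]?))", re.I)

def classify(version_line):
    """Map one 'openssl version' line to vulnerable / fixed / unaffected / unknown."""
    m = VERSION_RE.search(version_line)
    if not m:
        return "unknown"
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    beta = (m.group(4) or "").lower()    # e.g. "beta1" for 1.0.2-beta1
    letter = (m.group(5) or "").lower()  # e.g. "e" for 1.0.1e, "" for plain 1.0.1
    if release == (1, 0, 1):
        return "vulnerable" if letter < "g" else "fixed"
    if release == (1, 0, 2):
        return "vulnerable" if beta == "beta1" else "fixed"
    return "unaffected" if release < (1, 0, 1) else "fixed"

def triage(inventory):
    """inventory: {host: version line} -> {host: status}. Distro builds (Debian, Red Hat,
    Ubuntu...) backport the fix without bumping the letter, so 'vulnerable' there means
    'confirm against the package changelog', not 'proven exploitable'."""
    return {host: classify(line) for host, line in inventory.items()}

def local_version():
    """Run 'openssl version' on this machine; None if the binary is missing."""
    try:
        return subprocess.run(["openssl", "version"], capture_output=True,
                              text=True, check=True).stdout.strip()
    except (OSError, subprocess.CalledProcessError):
        return None

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "web01": "OpenSSL 1.0.1e 11 Feb 2013",    # upstream letter says vulnerable
        "web02": "OpenSSL 1.0.1g 7 Apr 2014",     # first fixed 1.0.1 release
        "lb01": "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "legacy": "OpenSSL 0.9.8y 5 Feb 2013",    # no heartbeat extension
        "appliance": "unknown firmware build",
    }
    for host, status in triage(sample).items():
        print(f"{host:10} {status}")
    here = local_version()
    print("this host:", here, "->", classify(here) if here else "no openssl found")
```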
Don’t rest too easy though — Heartbleed is going to be with us for a while. According to Jeff Forristal, the CTO of Bluebox Security, “OpenSSL is extremely pervasive on all manners of devices, systems, and servers; it is going to take the ecosystem significant time to get everything updated, and we will be looking at a long tail situation that could easily extend into years.”
The punchline to all this for VARs and solution providers is that the media has created, at minimum, a talking point around security and, potentially, opportunities for your consultative services. Smart VARs will be reaching out to their customers (and competitors’ customers) with messages that indicate you are the trusted advisor to help them understand and mitigate any security flaws they might have.