"Heartbleed" bug compromises secure websites

[id : 445] [18/04/2014]

A recently disclosed bug in software frequently used by web- and other servers compromises the security of those servers, including the data that is stored on them. Server administrators are urged to verify if their servers are affected, and if so update the software on those servers.

Technical introduction

A critical vulnerability in OpenSSL (CVE-2014-0160: OpenSSL Private Key Disclosure Vulnerability) was recently disclosed, affecting servers running OpenSSL 1.0.1 through 1.0.1f. This vulnerability allows arbitrary memory readout, which effectively exposes primary key material and compromises the integrity of the secure channel.

The bug is known as the "Heartbleed" bug.

Full details on the bug are available on the CERT website (see the Links below).

What server administrators should do

Server administrators are urged to investigate if the servers they manage are affected, and if so, make sure to patch their server(s) to close the security hole.

Once the servers are patched, administrators should also request and install new security certificates (and revoke the old ones!) and inform their users (clients) to change their password on the affected server(s).

Note that web servers are not the only servers affected. Any server using OpenSSL for its secure communication may be impacted, such as mail servers and VPN servers that use OpenSSL.
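A quick check an administrator can run on each server, added here as an example and not part of the original advisory: it compares the output of "openssl version" against the range the advisory names as vulnerable, OpenSSL 1.0.1 through 1.0.1f. It assumes the version string has the usual "OpenSSL 1.0.1e 11 Feb 2013" shape; distributions that back-port the fix while keeping the old version number are not recognised by this check and must be verified from the package changelog.

```shell
#!/bin/sh
# Added example (not the advisory's own code): classify an OpenSSL version
# string against the affected range for CVE-2014-0160, OpenSSL 1.0.1 up to
# and including 1.0.1f. 1.0.1g and later, and the 1.0.0 and 0.9.8 branches,
# are outside that range.
# Assumption: input looks like the output of "openssl version", e.g.
# "OpenSSL 1.0.1e 11 Feb 2013". Back-ported fixes that keep the old version
# number are NOT detected; confirm those via the distribution's changelog.

# Returns 0 (true) when the version string falls in the affected range.
heartbleed_affected() {
    # Extract the "1.0.1e"-style token after the word OpenSSL.
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;   # 1.0.1 through 1.0.1f: affected
        *) return 1 ;;                  # 1.0.1g+, other branches, or unparsable
    esac
}

# Print a verdict for one version string; exit status mirrors the check.
report_openssl() {
    if heartbleed_affected "$1"; then
        echo "AFFECTED: '$1' is within OpenSSL 1.0.1-1.0.1f; patch, then reissue and revoke certificates"
        return 0
    fi
    echo "not in affected range: '$1' (verify back-ported fixes separately)"
    return 1
}

# When run directly, check the OpenSSL installed on this machine.
if command -v openssl >/dev/null 2>&1; then
    report_openssl "$(openssl version)" || true
fi
```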

What end users should do

At this time, things are unfortunately less clear where end-users are concerned.

Access to online services

Where access to online services is concerned, users can (and should) change all their passwords, but affected servers won't be secure until the site administrators fix the hole. So end-users may want to wait until there is more clarity on whether their account on a server may be affected or not (though changing one's password on a regular basis is never a bad thing).

Large organizations will probably fix the problem sooner rather than later and will likely issue a statement and inform their users. Sites that are not affected will probably issue a statement to that effect as well.

Smaller sites may not be able to react as quickly as large sites to upgrade their systems, so end-users should keep an eye open on any announcements made by those sites.

End user systems

There are reports that malicious sites could retrieve sensitive information from client systems (browsers and others) that are not secure.

As a general practice, end-users should make sure their own computers are up-to-date with the latest operating system patches, and that the programs they use to access internet services are also up-to-date (web browsers, mail programs, ...).

The same goes for any other computer equipment such as smartphones and tablets.

Users with Windows are especially vulnerable to viruses and other malware, so they are highly advised to use an active and up-to-date antivirus program and preferably also an anti-malware program.

Heartbleed on VUB/ULB

When the Heartbleed bug was publicly announced, central VUB and ULB IT departments investigated whether any of their systems were impacted by this bug.

As it turns out, a number of servers were indeed affected; they have since been upgraded to the newest versions of the software and new security certificates were installed.

A risk analysis is currently being performed to determine whether confidential information was leaked to the public. The results of that analysis will be announced upon completion.

Even if there are no indications that any secure information was leaked, users wanting to be on the safe side can change their VUB/ULB password with the Personal Account Manager (PAM). If they use the same password elsewhere, it is best changed there as well. As a general practice, users are advised to change their passwords once in a while.

Server administrators at the university are also urged to investigate if any of their servers are affected by the Heartbleed bug, and if so, upgrade their software to a secure level and generate or request new security certificates.

The VUB and ULB network teams are also performing security checks on the network to locate any affected systems.

One final note

As with all mishaps, be on the lookout for phishing mails and sites that instruct you to log on to a service because the Heartbleed bug "has been fixed and you should change your password". It's another opportunity for internet criminals to try to obtain your personal information, and they don't need any bug to get that information if end-users are not alert to such attempts.

So check out a site's official website for any announcements concerning the Heartbleed bug!

Peter Van Rossem

10 April 2014 - Peter Van Rossem
According to different sources, the following popular sites are affected by the Heartbleed bug: Google, Gmail, Youtube, Facebook, Yahoo, Dropbox, Tumblr.

Once these sites have been secured, you should change your password on those sites.

If you had to change a password on a site affected by the Heartbleed bug and you use the same password on a site that is not affected, do change your password on the non-affected site as well (for obvious reasons)!
