By now, you’ve likely heard that a serious vulnerability (“Heartbleed”, CVE-2014-0160) has been reported in the commonly-deployed OpenSSL cryptographic library. The bug sits in OpenSSL’s implementation of the TLS heartbeat extension: a malformed heartbeat request makes the peer reply with up to 64 KB of its own process memory, with no authentication required and no limit on how many times the request can be repeated. That memory can contain the server’s private key, session cookies, usernames and passwords, and any other content transferred over the supposedly encrypted link, so SSL/TLS fails to protect exactly the data it was deployed to protect.
This is a serious matter, being addressed as an emergency by IT professionals around the world. A few questions you may be asking yourself include:
- As a provider of IT services, is the security of any of those services at risk due to the bug?
- As a consumer of IT services (or from your customers’ perspective), is any information at risk due to the bug?
- What can and should I do in either of these cases?
From the IT service provider standpoint, the answer is (unfortunately) probably a yes. Apache and nginx, which together serve more than two-thirds of all internet-facing websites, are typically built against OpenSSL, and then there are all the internal-facing web services, mail servers, VPN concentrators and appliances that embed the same library. Suffice it to say that this is a serious matter, and is worth every organization investigating further.
Organizations should read the material available at heartbleed.com to understand the problem in greater depth. OpenSSL 1.0.1 through 1.0.1f (inclusive) are affected; 1.0.1g fixes the bug, and the older 1.0.0 and 0.9.8 branches never contained the heartbeat code. Note that Linux distributions often backport the fix without changing the version number, so the package changelog, not the version string alone, is the authority for distribution-supplied builds. After confirming the state of OpenSSL usage within the organization, and checking to see if the version used in each case is affected by the bug, “[r]ecovery from this leak requires patching the vulnerability, revocation of the compromised keys and reissuing and redistributing new keys.” Two practical details matter here: services must be restarted (or the host rebooted) after the library is upgraded, since a running process keeps the old vulnerable copy of libssl mapped in memory, and new keys and certificates should only be generated on a host that has already been patched, otherwise the replacements can be leaked the same way as the originals.
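As an added example that is not part of the original article, the following POSIX shell snippet automates the first step of the recovery described above: it classifies the output of `openssl version` against the affected release range, and it carries two helper functions for the follow-on steps (finding processes still holding the old library, and generating a replacement key and CSR). The function names, the sample version strings and the subject DN in the CSR helper are assumptions chosen for this example; the version boundaries themselves are the published ones (1.0.1 to 1.0.1f affected, 1.0.1g fixed, 1.0.2-beta1 affected).

```shell
#!/bin/sh
# Added example, not code from the original article or from the OpenSSL project.
# Classifies an `openssl version` string as Heartbleed (CVE-2014-0160) affected.
# Affected: OpenSSL 1.0.1 through 1.0.1f, and 1.0.2-beta1. Fixed: 1.0.1g and later.
# The 0.9.8 and 1.0.0 branches never contained the TLS heartbeat code.
#
# Caveat (stated in the lead-in): distributions backport the fix without bumping
# the version, so "AFFECTED" for a distro-supplied 1.0.1e means "check the package
# changelog", not "definitely vulnerable". Self-built OpenSSL has no such excuse.

heartbleed_status() {
    # $1 is the full output of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
    # Word-split it: $1 becomes the product name, $2 the version, the rest the date.
    set -- $1
    [ "$1" = "OpenSSL" ] || { echo "UNKNOWN"; return 0; }   # LibreSSL, BoringSSL, etc.
    case "$2" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) echo "AFFECTED" ;;   # 1.0.1 .. 1.0.1f, incl. -fips builds
        1.0.2-beta1)                            echo "AFFECTED" ;;   # first 1.0.2 beta shipped the bug
        1.0.1*|1.0.2*|1.1.*|3.*)                echo "PATCHED" ;;    # 1.0.1g and everything newer
        0.9.8*|1.0.0*)                          echo "NOT_AFFECTED" ;;
        *)                                      echo "UNKNOWN" ;;
    esac
}

# Step 2 of recovery: after upgrading the package, list processes that still have
# a (now deleted) libssl mapped. lsof marks unlinked mappings with "DEL"; each of
# these services must be restarted before the host can be considered fixed.
procs_using_stale_libssl() {
    lsof -n 2>/dev/null | grep -i 'libssl' | grep 'DEL' | awk '{print $1 " (pid " $2 ")"}' | sort -u
}

# Step 3 of recovery: generate a fresh RSA key and CSR on the *patched* host.
# $1 = output basename (assumption: files go to the current directory),
# $2 = server hostname for the certificate subject.
reissue_key() {
    base="$1"; host="$2"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "${base}.key" -out "${base}.csr" \
        -subj "/CN=${host}"
    chmod 600 "${base}.key"
    echo "submit ${base}.csr to your CA, install the new cert, then revoke the old one"
}

# Usage when run directly (not executed by the test harness):
#   heartbleed_status "$(openssl version)"
#   procs_using_stale_libssl
#   reissue_key www-2014 www.example.com
```

Run `heartbleed_status "$(openssl version)"` on each host in the inventory; anything reporting `AFFECTED` goes to the top of the remediation list, and anything reporting `UNKNOWN` (a non-OpenSSL library, or an appliance that hides its version) needs a vendor advisory rather than this check.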
From a pragmatic standpoint, Info-Tech advises focusing on externally-facing services (e.g., web servers, mail servers, SSL VPN services, etc.) first, as those are potentially at risk from an external attack. Once these have been remediated, focus can turn to the inside of the organization, where risks may crop up from the web management consoles of myriad devices including network components, printers, and more. Do not forget clients: the bug is symmetric, so an OpenSSL-based client (a script, an agent, a mobile app) that connects to a malicious or compromised server can have its own memory read in the same way.
From the IT consumer standpoint, the answer is again an unfortunate yes. Many commonly-used social media sites and consumer-focused applications (such as e-banking) were subject to the vulnerability, and because a heartbeat request looks like ordinary TLS traffic and leaves no trace in server logs, there is no way to determine whether or not the vulnerability was exploited against a given site. As such, once the services have been fixed, it is necessary for consumers of each service to change passwords in order to ensure that any data that might have been exposed is no longer accessible to an attacker. Changing a password before the service is patched does not help, since the new password can be leaked just like the old one.
Info-Tech advises individuals to take a look at The Heartbleed Hit List: The Passwords You Need to Change Right Now to determine the status of their favorite sites, and Info-Tech further advises organizations that have been affected to inform their customers and users that a change of password is warranted – again, after the vulnerability has been patched and potentially compromised SSL/TLS certificates have been replaced.
Finally, individuals should consider their password management practices more generally. If, for example, someone used the same password for Tumblr (one of many at-risk sites that have since remediated the vulnerability) as they use for online banking or internal network access, it is possible that an attacker has already sniffed out that password. As such, Info-Tech recommends changing any passwords that were the same as any affected services, as well as recommending a better general practice of avoiding re-use of passwords that grant access into sensitive applications or systems.