
Heartbleed – One Week In

Originally posted on the Trend Micro blog.

What you need to know about Heartbleed

Heartbleed just got real

The bug has been dominating headlines for the past week – and rightfully so. The scale of the impact of this issue is major. OpenSSL has been integrated into a significant number of development projects. It’s probably the most commonly used security library out there.

Late Friday night (the 11th of April 2014), the CloudFlare challenge was successfully beaten by both Fedor Indutny and Ilkka Mattila.

The challenge was simple. CloudFlare stood up a server that was vulnerable to Heartbleed. They then asked the community to retrieve the private key for the SSL certificate for the site by exploiting the bug. Within the day, not one, but two people had successfully accomplished the task.

Megan Guess has more information over at Ars Technica, but you need to know that this provides hard evidence that Heartbleed poses a real, substantial risk. Up to this point, we—the information security community—knew that it was possible to retrieve the key from memory, but it was difficult to convince others without evidence.

Now we have it.

What should I do?

We’ve pulled together this quick (4m 30s) screencast explaining Heartbleed and what steps you should take to protect yourself and your users. More details and links are provided below. (Screencast: http://vimeo.com/91914818)

I’m a user; what can I do?

As a user, you need to ask yourself one simple question when visiting a web site or accessing an online application, “Is this site still vulnerable to heartbleed?”

If the answer is no, change your password immediately. Remember to use a unique password for each account you have. If you have a large number of online accounts, you might want to look into a password manager.

That will make it much easier to have unique passwords for every service you use.

If the site hasn’t fixed Heartbleed yet or hasn’t said anything about the bug, don’t change your password just yet. If you change your password while the site is still vulnerable to a Heartbleed attack, your new password could be exposed.

Wait until the site fixes the issue before changing your password.

I run a web site; what’s my next move?

If you run a web site, you want to start talking to your users right away. Let them know you’re aware of heartbleed and are looking into the issue as quickly as possible.

Next, check to see if your site is using an affected version of OpenSSL (version 1.0.1 through 1.0.1f). If it is, take the following steps to fix the issue:

  • Apply any Heartbleed rules (CVE-2014-0160) to your intrusion prevention system
  • Update your OpenSSL library to version 1.0.1g or higher
  • Revoke your current SSL certificate
  • Issue a new certificate using a new private key
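
As an added example (not part of the original post or a Trend Micro tool), the version check from the steps above as a small POSIX shell helper: it parses an `openssl version` banner and classifies it against the affected range the post gives, 1.0.1 through 1.0.1f, with 1.0.1g or later treated as fixed. The function names are hypothetical.

```shell
#!/bin/sh
# Hypothetical helper, added as an example: classify an `openssl version`
# banner against the range given in the post. OpenSSL 1.0.1 through 1.0.1f
# are affected by Heartbleed (CVE-2014-0160); 1.0.1g and later are fixed.
# Anything outside the 1.0.1 branch is reported as outside that range
# rather than judged, because this helper only encodes the post's range.
heartbleed_affected_version() {
    # $1: banner such as "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.1e-fips ..."
    # Extract "<digits and dots><optional letter suffix>" after "OpenSSL ".
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo "unknown"        # banner did not look like OpenSSL output
        return 0
    fi
    case "$ver" in
        1.0.1)        echo "affected" ;;       # 1.0.1 with no letter suffix
        1.0.1[a-f])   echo "affected" ;;       # 1.0.1a .. 1.0.1f
        1.0.1[g-z])   echo "fixed" ;;          # 1.0.1g and later letters
        *)            echo "outside-range" ;;  # not on the 1.0.1 branch
    esac
}

# Run the classification against the OpenSSL binary on this host.
heartbleed_check_local() {
    heartbleed_affected_version "$(openssl version 2>/dev/null)"
}
```

Distributions often backport the fix into a package that still reports an affected version string (constructed example: a patched "1.0.1e" build), so treat "affected" as a prompt to check the package changelog or rebuild, not as proof on its own.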

If your site isn’t affected by Heartbleed, make sure to tell your users. This issue is everywhere, and most people have heard of it. Letting your users know that your site was unaffected and their data is safe is a simple step that reassures them.

I’m a Trend Micro customer; how can you help?

If you’re a Trend Micro customer, the best place to get started is with our support site. You can visit:

Either of these links will get you the latest information on how heartbleed affects Trend Micro products, mitigation steps, and tips on how to use these products to protect your users from this bug.

Additional perspectives

We’ve also posted advice and additional information on our blogs:

What’s next?

Stay tuned to the Trend Micro blogs and Twitter feed for all of the latest information on the heartbleed bug.