Heartbleed – One Week In

Heartbleed just got real

The bug has been dominating headlines for the past week – and rightfully so. The scale of the impact of this issue is major. OpenSSL has been integrated into a significant number of development projects. It’s probably the most commonly used security library out there.

Late Friday night (the 11th of April 2014), the CloudFlare challenge was successfully beaten by both Fedor Indutny and Ilkka Mattila.

Results of the CloudFlare Challenge: http://t.co/nDX9QG2U5F Based on the findings, we recommend everyone reissue + revoke their private keys— Cloudflare (@Cloudflare) April 12, 2014

The challenge was simple. CloudFlare stood up a server that was vulnerable to Heartbleed. They then asked the community to retrieve the private key for the SSL certificate for the site by exploiting the bug. Within the day, not one, but two people had successfully accomplished the task.

Megan Guess has more information over at Ars Technica, but you need to know that this provides hard evidence that Heartbleed poses a real, substantial risk. Up to this point, we—the information security community—knew that it was possible to retrieve the key from memory, but it was difficult to convince others without evidence.

Now we have it.

I’m a user; what can I do?

As a user, you need to ask yourself one simple question when visiting a web site or accessing an online application, “Is this site still vulnerable to heartbleed?”

If the answer is no, change your password immediately. Remember to use a unique password for each account you have. If you have a large number of online accounts, you might want to look into a password manager.

That will make it much easier to have unique passwords for every service you use.

If the site hasn’t fixed heartbleed yet or hasn’t said anything about the bug, don’t change your password just yet. If you change you password while the site is still vulnerable to a heartbleed attack, your new password could be exposed.

Wait until the site fixes the issue before changing your password.

I run a web site; what’s my next move?

If you run a web site, you want to start talking to your users right away. Let them know you’re aware of heartbleed and are looking into the issue as quickly as possible.

Next, check to see if your site is using an affected version of OpenSSL (version 1.0.1 through 1.0.1f). If it is, take the following steps to fix the issue:

• Apply any heartbleed rules (CVE–2014–0160) to your intrustion prevention system
• Update your OpenSSL library to version 1.0.1g or higher
• Revoke your current SSL certificate
• Issue a new certificate using a new private key

If you site isn’t affected by heartbleed, make sure to tell your users. This issue is everywhere, and most people have heard of it. Letting your users know that your site was unaffected and their data is safe is a good step that reassures users.

I’m a Trend Micro customer; how can you help?

If you’re a Trend Micro customer, the best place to get started is with our support site. You can visit:

• Support for home products
• Support for business products & services

Either of these links will get you the latest information on how Heartbleed affects Trend Micro products, mitigation steps, and tips on how to use these products to protect your users from this bug.

Additional perspectives

We’ve also posted advice and additional information on our blogs:

• “ OpenSSL Heartbleed, Are You Vulnerable? ” by Trend Micro
• “ Open(SSL) season for targeted attackers ” by Rik Ferguson , Vice President, Security Research
• “ Don’t have heartburn over the Heartbleed Vulnerability ” by Christoper Budd , Threat Marketing Manager
• “ Heartbleed Bug—Mobile Apps are Affected Too ” by Veo Zhang , Mobile Threat Analyst
• “ Heartbleed Vulnerability Affects 5% of Select Top Level Domains from Top 1M ” by Maxim Goncharov , Senior Threat Researcher

What’s next?

Stay tuned to the Trend Micro blogs and Twitter feed for all of the latest information on the heartbleed bug.