The failures of Heartbleed.
Heartbleed is arguably one of the most catastrophic events in the history of internet security. It had IT and security teams frantically patching and the media in a frenzy. The speed with which it was brought to light and addressed was impressive; what was astonishing was the huge number of affected websites that regenerated their certificates with the same private key. The mobilisation of the internet to address the issue so early on was notable, but it was equally frustrating to see, as this instance illustrates, how comprehensively the efforts to fix the problem properly failed.
Heartbleed is a vulnerability in OpenSSL's implementation of the TLS heartbeat extension that lets an attacker read up to 64 KB of the server process's memory per request; the attacker cannot choose which memory comes back, but can ask again and again and harvest whatever falls out. OpenSSL is used to establish encrypted communication channels between clients and servers, so the processes running it hold significant secrets, above all the server's private key: a big deal. The process we use for setting up this encryption uses a key-pair, a private key and a public key. These two keys are mathematically bound; you cannot replace one without also replacing the other. Then money is paid, fancy algorithms are applied and an SSL certificate is obtained that binds the public key to an identity and is used to affirm that identity when establishing a secure connection.
We fell short
The fact that so many websites neglected to take the right action to mitigate the Heartbleed vulnerability puts the spotlight on an industry failure: the way most people responded shows that we did not sufficiently educate them about what the actual issue was. The potential impact of the Heartbleed bug was that the private key used to set up SSL/TLS sessions could be read out of server memory by anyone on the internet. The advice given to rectify the issue was to replace your server's certificate. That is exactly what many people did, but they issued the new certificate for the same private key. This leaves them exactly as exposed as before: the certificate is public anyway, the only thing an attacker could have stolen is the private key, and the private key is the one thing that did not change. Lack of education is clearly the failing point here. It is the responsibility of those of us with a deep technical understanding to explain the impact of major issues such as this one fully, with concise and explicit instructions, in order to help those who are newer to the game. The security industry failed to do so, as proven by the unfortunate people who wasted their time replacing their certificates without generating a new private key.
In this case, replacing the certificate without generating a new private key makes the effort completely wasted. It is not an issue of testing: the people who did this simply failed to understand why they were doing it, and those who instructed them assumed they were being clear enough. Those who understood the vulnerability were successful in convincing the world of its impact and the need to address it, but those same people completely failed at explaining what steps needed to be taken. There is an education gap between the two that needs to be addressed.
To make it absolutely clear, here is the cheat sheet for what needs to be done with OpenSSL:
1. Generate a new private key (2048 bits). The -des3 option encrypts the key file with a passphrase, which you will be prompted for now and whenever the server loads the key: openssl genrsa -des3 -out privkey.pem 2048
2. Create a certificate signing request from that new key: openssl req -new -key privkey.pem -out cert.csr
3. Submit cert.csr to your certificate authority, install the certificate it issues together with the new privkey.pem, and revoke the old certificate: anyone who captured the old key can impersonate your site until the old certificate expires or is revoked.
Furthermore, there is an argument that the certificate authorities deserve some scrutiny here too. A CSR carries the public key, so a CA can see when a customer who is requesting a replacement certificate because of a compromise has submitted the same public key as before; such requests should have been rejected.
The good news
Heartbleed has been an incredible event from several angles: the extent of the exposure, but also the swiftness and reach of the response. Large segments of the internet organised to react in such a short time, which is almost unparalleled. It could be a fluke, or maybe it is the sheer quantity of headlines about breaches over the past several months, but people heard about this issue and then they actually reacted. This is amazing; even if it took people a few hours or even days, they rushed to attend to the problem in an impressive way. That is an accomplishment both for those who publicised the problem and for those responsible for the vulnerable hosts out there on the internet.
There has been major progress. An issue was discovered, the industry reacted and the world took action. What needs to be injected into the process for the future is more education, to close the gap. Our industry is fantastic at pointing out where things go wrong and where vulnerabilities exist, but one area that definitely needs improvement is sharing that knowledge in an easily digestible way. It is a trait of many security professionals to "blind with science": they like to get down to the nitty-gritty technical details and simply do not realise that what is glaringly obvious to them, as experts, is not obvious to the general public or to less specialised IT personnel.
It is also key to remember that smaller businesses are the ones most likely to be susceptible, along with organisations that simply do not have the specialist resources or the budget to work out the answers for themselves. Security is a problem everyone faces, and so it is the security industry's duty to arm the public with the essential basic knowledge to combat threats like Heartbleed when they hit, especially given the catastrophic nature of this vulnerability. If history teaches us anything, it is that this will not be the last major security flaw, so let us all be determined to keep these principles in mind. Ultimately, it will make our jobs a lot easier in the long term.
Response by Russ Spitler, VP of Product Strategy at Alien Vault.
Date: Jul 1, 2014