Fixing Heartbleed in All the Right Places

The OpenSSL flaw behind April’s Heartbleed bug has been patched: version 1.0.1g fixes the problem permanently. But for IT professionals, patching OpenSSL is just the beginning, because Heartbleed hides in the most unlikely places.

First Steps to Stop the Bleeding

Clearing out Heartbleed starts with patching every copy of OpenSSL a company uses. The problem is that this cryptographic library is embedded in a host of internal and third-party web-facing processes. According to Forbes, enterprises need to make sure every website they operate has been properly patched; it’s worth checking with your web host to ensure that they’ve patched things on their end as well.

What’s more, you need to make sure any partner sites are similarly clean. If not, information securely entered internally can become compromised when it leaves corporate networks and ends up in the memory buffer of a Heartbleed-vulnerable website.

Refresh Your Keys and Certificates

Although patching OpenSSL means there won’t be any new information leaks, it doesn’t prevent malicious actors from causing trouble with data they’ve already obtained. As ReadWrite points out, it’s critical to generate new public–private encryption keys for every system on the network and to revoke old SSL certificates and generate new ones to verify the identity of other servers.

This prevents “certificate spoofing,” in which hackers use stolen SSL or private encryption-key data to set up dummy sites that appear legitimate but are in fact copycat versions intended to steal user information. Google recommends that its Compute Engine customers generate new keys, and certificate authorities like Symantec and GoDaddy are offering updated certificates for free.

CSO Online, meanwhile, reports that many security companies are also offering Heartbleed scanner tools for free, helping IT professionals track down this bug in hard-to-reach places. Newer versions are designed to scan intranet websites, VPNs, FTP servers, databases, email servers, printers and smartphones. It’s worthwhile using more than one tool, however, since some released just after the bug was discovered were shown to report inaccurate results.
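The clean-up the three sections above describe (patch every vulnerable OpenSSL build, then reissue any certificate whose key lived in a vulnerable process) can be driven from an inventory. The following triage helper is an added example, not code from the article or any of the vendors it cites; the inventory fields, hostnames and dates are constructed for illustration.

```python
import re
from datetime import date

# OpenSSL 1.0.1 through 1.0.1f carry the vulnerable heartbeat code; 1.0.1g is the fix.
# The 0.9.8 and 1.0.0 branches never shipped the TLS heartbeat extension.
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def is_vulnerable_version(banner):
    """True if an `openssl version` banner reports 1.0.1 .. 1.0.1f.

    Caveat: some distributions backported the fix without changing the version
    letter, so a hit means "confirm with the package manager", not "confirmed vulnerable".
    """
    m = _BANNER_RE.search(banner)
    if m is None:
        raise ValueError("unrecognised OpenSSL banner: %r" % banner)
    major, minor, patch, letter = int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)
    return (major, minor, patch) == (1, 0, 1) and letter <= "f"


def triage(inventory):
    """Sort inventory records (a constructed format for this example) into actions.

    host            - name
    openssl         - current `openssl version` banner
    patched_on      - date a vulnerable build was replaced, or None if the host never ran one
    cert_not_before - notBefore of the TLS certificate currently served
    """
    actions = {"patch": [], "reissue_cert": [], "clean": []}
    for rec in inventory:
        if is_vulnerable_version(rec["openssl"]):
            actions["patch"].append(rec["host"])          # still leaking: patch first, then reissue
        elif rec["patched_on"] and rec["cert_not_before"] <= rec["patched_on"]:
            actions["reissue_cert"].append(rec["host"])   # key was resident in a vulnerable process
        else:
            actions["clean"].append(rec["host"])
    return actions


# Constructed sample inventory; hostnames and dates are illustrative.
SAMPLE_INVENTORY = [
    {"host": "web1", "openssl": "OpenSSL 1.0.1f 6 Jan 2014", "patched_on": None, "cert_not_before": date(2013, 9, 1)},
    {"host": "web2", "openssl": "OpenSSL 1.0.1g 7 Apr 2014", "patched_on": date(2014, 4, 9), "cert_not_before": date(2013, 9, 1)},
    {"host": "web3", "openssl": "OpenSSL 1.0.1g 7 Apr 2014", "patched_on": date(2014, 4, 9), "cert_not_before": date(2014, 4, 10)},
    {"host": "legacy", "openssl": "OpenSSL 1.0.0k 5 Feb 2013", "patched_on": None, "cert_not_before": date(2013, 1, 15)},
]

if __name__ == "__main__":
    for action, hosts in triage(SAMPLE_INVENTORY).items():
        print(action, hosts)
```

A host that is patched but still serves a certificate issued before the patch lands in `reissue_cert`; a banner-only hit belongs in `patch` until the package manager says otherwise.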

Heartbleed’s Impact on Mobile

In addition to websites and servers, it’s also possible for mobile devices to carry the Heartbleed bug. According to a recent Business Insider article, millions of Android users are potentially affected; any user running Jelly Bean 4.1.1 is a candidate for Heartbleed.

Google doesn’t release data for specific sub-version adoption, but over 34 percent of users worldwide are still running Jelly Bean 4.1, and security experts warn that “millions” of devices rely on 4.1.1.

This may seem like a distant threat for IT professionals, since this version of Jelly Bean rolled out in 2012. But for any organization that does business with individual subcontractors or has offices overseas, the mobile vulnerability represents a very real problem. The good news? This is the perfect opportunity to draft solid companywide mobile-use standards; there should be no problem getting C-suite approval to protect networks from leftover Heartbleeds.

A New SSL?

According to Theo de Raadt, founder of OpenBSD, OpenSSL isn’t worth fixing. As a result, his team has forked the code to create LibreSSL, which should deal with what de Raadt calls OpenSSL’s “discarded leftovers.” In an email to Ars Technica, he said that his group “removed half of the OpenSSL source tree in a week.” Even with such extensive pruning, the fork still compiles with no problems. Currently, LibreSSL is designed to run only as part of OpenBSD, although the group is taking donations and hopes to release a standalone version in the future.

Heartbleed has been bandaged; it hasn’t been eradicated. IT professionals need to patch every website, make sure mobile devices are secure and consider the possibility that OpenSSL may have outlived its usefulness.
