Remediating the OpenSSL Heartbleed

Heartbleed Bug

You’ve no doubt by now heard about the massive-scale OpenSSL vulnerability that was discovered to have left a large majority of the web servers on the internet open to compromise. The net of the attack is that once an SSL session has been established between the client and the web server, there is a heartbeat mechanism that functions as a keep-alive for the client. By sending a heartbeat request that declares a 64KB payload while carrying little or no actual data, an attacker tricks a vulnerable server into returning up to that much of its memory buffers back to the client. These buffers can contain passwords, among other data. This is the “heartbleed” of the heartbeat mechanism. Best of all, apparently there is little trace left behind once this attack has completed successfully, although attempts at the attack have been logged.
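To make the mechanism concrete, here is an added example (not code from the original post or from OpenSSL) that frames a heartbeat message the way RFC 6520 lays it out and applies the bounds check that the patched OpenSSL performs: the declared payload length must fit inside the record that actually arrived, otherwise the message is silently dropped. The hypothetical `build_heartbeat` helper takes an optional `declared_length` so a constructed message can lie about its size the way the attack does.

```python
import os
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: a heartbeat message carries at least 16 bytes of padding


def build_heartbeat(payload: bytes, declared_length: Optional[int] = None) -> bytes:
    """Build a HeartbeatRequest: type(1) | payload_length(2) | payload | padding(16).

    declared_length is a constructed knob for this example: when set, the length
    field claims that many bytes regardless of how much payload is really present.
    """
    length = len(payload) if declared_length is None else declared_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + os.urandom(MIN_PADDING)


def parse_heartbeat(record: bytes) -> Optional[bytes]:
    """Return the payload if the message is consistent with the record it arrived in.

    The unpatched server trusted payload_length and copied that many bytes from
    wherever the payload started, so a 1-byte payload with a 64KB declared length
    dragged neighbouring memory into the reply. The patched check below refuses
    any message whose header + declared payload + minimum padding exceeds the
    bytes actually received.
    """
    if len(record) < 3:
        return None
    hb_type, payload_length = struct.unpack("!BH", record[:3])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    if 3 + payload_length + MIN_PADDING > len(record):
        return None  # declared length does not fit: discard, as the fix does
    return record[3:3 + payload_length]


def heartbeat_response(record: bytes) -> Optional[bytes]:
    """Answer a well-formed request by echoing only the validated payload."""
    payload = parse_heartbeat(record)
    if payload is None:
        return None
    return struct.pack("!BH", HEARTBEAT_RESPONSE, len(payload)) + payload + os.urandom(MIN_PADDING)
```

Run with a constructed honest request (`build_heartbeat(b"ping")`) and one that declares 65535 bytes but carries a single byte; the first is echoed, the second returns `None` instead of leaking anything beyond the record.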

It remains to be seen how widespread this is or what exactly was compromised, although there is proof of Yahoo passwords being revealed in the wild. There is now a server-side fix for this, which requires generating new, stronger certificates, and many sites have begun implementing it. What we do know is which sites use OpenSSL and when new certificates are issued. If a given website is still vulnerable to Heartbleed, there is no point in changing your password until they implement the fix server-side. If you’re busy changing passwords on sites that have not yet patched this bug and generated new certs, those new passwords will still be vulnerable until the fix is in place, i.e. a waste of time.

If you don’t use LastPass yet (you should), this is a very good time to start. One master password, tied to private keys you hold rather than LastPass, enables the use of 100% complex and random passwords for every site you log into. It’s a fantastic solution that I use on every device I own. If you’re one of those who still use a single common password on every site you log into, there is a very good chance that it has been compromised somewhere, possibly a long time ago. One of the many things to love about LastPass is that they provide a Security Challenge tool that tests the strength of your passwords and how often you reuse them. That tool now also includes a Heartbleed site checker that watches the websites in your vault, reports when those sites patch against the bug, and tells you when you should change your password after the fix. Important to note: you will need to run this tool again every day for a while until you are completely in the clear. This brings a great deal of sanity to this otherwise chaotic and widespread problem.


References:

Ars Technica

LastPass Blog

LastPass Security Challenge Tool
