
Tuesday, April 15, 2014

Heartbleed - the most dangerous bug you will see this year - and the emails coming out from companies are almost criminal.

This "heartbleed" issue really shows how ignorant a world we live in at so many levels. It also shows how much we trust. After explaining the issue to my tech team, one of the things I told them was to think about where this issue sits in the whole stack and what that means. If you understand that, then you can respond to all the FUD and mis-information that is out there.

Simply put, the problem is/was with the OpenSSL library. OpenSSL is not a server; it is a library linked into the server process (remember, "server" here is SOFTWARE, not HARDWARE), and it handles the TLS layer before the application code ever sees a request. The bug is in the TLS heartbeat extension: a client sends a heartbeat carrying a payload and a payload length, and vulnerable versions copied that many bytes back out of memory without checking that the payload was really that long. A malformed heartbeat therefore returns up to 64 KB of whatever the process happens to have in memory next to the request: session cookies, passwords in flight, or the server's private key. Because the whole exchange is handled inside the TLS layer, it never reaches the application that writes the access log. Your web server or your mail server never sees an HTTP or SMTP request, so it doesn't log one. (SSH is not on that list: OpenSSH doesn't use TLS, so it isn't affected.) The kernel sees the packets go by, but under 99.999% of configurations it doesn't log payloads at that level, so there is no record anywhere. Get details at many locations. One such location is http://en.wikipedia.org/wiki/Heartbleed#Claims_of_possible_knowledge_and_exploitation_prior_to_disclosure; another is http://heartbleed.com/
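To make the "dumps memory" part concrete, here is an added example (my own illustration, not OpenSSL's code) of the vulnerable heartbeat handling pattern beside the one-line check that fixes it. The "process memory" is a constructed 256-byte arena holding a 21-byte heartbeat request whose length field claims 64 bytes, with a made-up secret sitting a few bytes past the record, so every read in the demo stays inside the arena. The same comparison the fixed handler applies (claimed length versus bytes actually received) is what a network sensor would check to spot these requests, since nothing on the host will.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* RFC 6520 minimum padding */
#define ARENA_SIZE       256  /* constructed stand-in for process memory */
#define REC_LEN          21   /* 1 type + 2 length + 2 payload + 16 padding */
#define SECRET_OFF       32   /* where the unrelated secret sits in the arena */

/* Heartbeat message layout (RFC 6520):
 *   type (1) | payload_length (2, big-endian) | payload | padding (>=16)
 * `rec` points at the first byte, `rec_len` is how many bytes really arrived. */

/* Vulnerable handler: trusts payload_length and copies that many bytes back.
 * Nothing compares it with rec_len, so memcpy walks past the record into
 * whatever the process has next to it. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != TLS1_HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (3 + payload + HB_PADDING > out_cap) return -1;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);        /* BUG: payload may exceed rec_len - 3 */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Fixed handler: the comparison that was missing. A peer-supplied length is
 * only honoured if the whole message fits in what was actually received. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != TLS1_HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;   /* reject, echo nothing */
    if (3 + payload + HB_PADDING > out_cap) return -1;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Constructed memory: a 21-byte heartbeat request at offset 0 whose length
 * field claims `claimed` payload bytes, and a secret that was never part of
 * the request a little further on (think session cookie or key material). */
static void build_arena(uint8_t *arena, uint16_t claimed)
{
    memset(arena, 0x41, ARENA_SIZE);
    arena[0] = TLS1_HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    memcpy(arena + 3, "hi", 2);               /* the real 2-byte payload */
    memset(arena + 5, 0, HB_PADDING);         /* 16 bytes of padding */
    memcpy(arena + SECRET_OFF, "password=hunter2", 16);   /* made-up secret */
}

static int contains(const uint8_t *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

typedef int (*hb_fn)(const uint8_t *, size_t, uint8_t *, size_t);

static int run(hb_fn fn, uint16_t claimed, uint8_t *out)
{
    uint8_t arena[ARENA_SIZE];
    build_arena(arena, claimed);
    return fn(arena, REC_LEN, out, ARENA_SIZE);
}

/* Claimed length 64 against a 21-byte record: bytes the vulnerable code echoes. */
int demo_vulnerable_response_len(void) { uint8_t out[ARENA_SIZE]; return run(heartbeat_vulnerable, 64, out); }

/* 1 if the secret that was never sent shows up in the response. */
int demo_vulnerable_leaks_secret(void)
{
    uint8_t out[ARENA_SIZE];
    int n = run(heartbeat_vulnerable, 64, out);
    return n > 0 && contains(out, (size_t)n, "hunter2");
}

/* Same malformed request against the fixed handler: -1, nothing echoed. */
int demo_fixed_rejects(void)       { uint8_t out[ARENA_SIZE]; return run(heartbeat_fixed, 64, out); }

/* An honest request (claimed 2 == actual payload) still gets its 21-byte reply. */
int demo_fixed_accepts_valid(void) { uint8_t out[ARENA_SIZE]; return run(heartbeat_fixed, 2, out); }

int main(void)
{
    printf("vulnerable: %d bytes echoed, secret leaked: %s\n",
           demo_vulnerable_response_len(),
           demo_vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed: malformed -> %d, valid -> %d bytes\n",
           demo_fixed_rejects(), demo_fixed_accepts_valid());
    return 0;
}
```

Note what the vulnerable handler never touches: it copies 64 bytes when only 2 were sent, and the 16 padding bytes plus the secret after them come along for the ride. Nothing here is an HTTP request, which is exactly why the access log stays empty.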

So, what kind of FUD and dis-information is out there... let's see:

  1. Change your password. While it is good to regularly change your password, to have distinct passwords for each service, and all that, this is NOT the first line of defense that people should be taking. This is the equivalent of putting your stack of $20 bills in the front seat of your 1967 Mustang convertible, making sure the windows are up and the doors are locked, and then walking away. Did you make sure the top was up? NO. Therefore, bad person reaches over the window, takes your $1,240, and laughs and laughs and laughs. A new password typed into a still-vulnerable server is just more fresh data sitting in memory for the next heartbeat to pull out. The first thing you should do is make sure that the server has been patched and is no longer vulnerable. The operator also needs a new certificate, because the old private key may have been read out of memory, and until the old certificate is revoked a patched server can still be impersonated. Once this has occurred, then change your password, make sure that each service has a distinct password, use multiple forms of authentication, and whatever else will ensure that you can sleep at night knowing that your Facebook, Twitter, or email account is safe and secure.
  2. "Currently, we have no indication that any of our customers' information was compromised." Of course they don't: the attack leaves nothing in the application logs, so "no indication" means "we have no way of knowing", not "nothing happened". Nice marketing; doesn't mean squat and in fact is misleading almost to the point of criminal.
