Heartbleed, Y2K and misplaced worry.
Over the past week, news about the Heartbleed OpenSSL vulnerability has drawn some similarities, and some dissimilarities, to the Y2K bug; remember that? In early 1999 there were stories of people building survival bunkers in the basements of their homes to prepare for the potential fallout from the Y2K bug. As you may recall, IT companies scrambled, airlines were fraught with angst, and governments paid very large sums of money to ensure the sky wouldn’t fall down on us. As we now know, New Year’s Day 2000 came and went with nary a hitch, although companies were left to pay some hefty Y2K consultant bills (it was reported at the time that AT&T paid over $500 million USD) and many families across the globe were left with fully stocked basements, a surplus of books on modern Armageddon, candles and canned soup.
Fast forward 15 years and a new bug, Heartbleed, was discovered in the popular OpenSSL cryptographic software library. This vulnerability, which may affect up to two-thirds of the internet, allows an attacker to extract a server’s most vital secrets, including passwords and private SSL certificate keys. Although this bug surely won’t cause nuclear missiles to launch, companies and families need to be more concerned about it than about the one that caused people to build bunkers in their backyards. The Heartbleed bug appears to have been around for two years and was only discovered by two teams of researchers little more than a week ago. However, much like the argument over who discovered “America”, it appears this vulnerability has been found and exploited in the past by black hat Leif Ericksons: modern-day digital Vikings bent on pillaging data.
A recent blog by the internet services company Netcraft said the SSL tsunami has yet to arrive. Discouragingly, by the morning of Friday 11 April 2014, only 30,000 of the possible pool of 500,000 affected SSL certificates had been replaced. This is akin to Y2K being a reality and IT professionals refusing to patch ’00 date bugs on servers in favor of sealing the hatch on their secure bunker. By now every hacker knows about this vulnerability; it is a race against time, and you should act now to fix your site.
This is real, and with every hour that goes by, unpatched servers become more and more exposed to attack. The first step is to get out of our blissful bunkers of ignorance and check our domains to see whether the servers are vulnerable. Symantec’s Domain Checker should be your first port of call: it allows you to check your site for Heartbleed. If you are not affected by Heartbleed, be certain to tell your customers; they really need to know and, believe you me, they will be grateful that you told them. However, if you have been affected, start by reading our Knowledgebase article on the subject and take the following steps:
- Upgrade your servers to OpenSSL 1.0.1g or recompile without the Heartbeat extension.
- Change the password for your Symantec SSL console (if applicable). Note that Symantec Managed PKI for SSL was not affected, so you do not need a new Administrator ID.
- Replace the SSL certificates on your impacted servers; replacement SSL certificates are offered at no charge to existing Symantec SSL customers. Keep your details the same to avoid having to go through authentication again.
- Test your configuration and installation. Note that it is a best practice to always install the intermediate certificate along with your end-entity certificate.
- Upon successful completion, revoke the old certificates that you replaced in step 3.
- Consider resetting customers’ passwords on any server that could have been compromised.
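As an added example (not Symantec tooling or code from the original post), the following POSIX shell script checks the outcome of steps 1 and 4 above: it classifies a local `openssl version` string against the affected release range, detects a build recompiled without the Heartbeat extension, and counts how many certificates a server presents so a missing intermediate stands out. The hostname argument is an assumption; the release ranges and the OPENSSL_NO_HEARTBEATS define come from OpenSSL's own releases.

```shell
#!/bin/sh
# Added example: post-remediation checks for the steps above. Not Symantec
# tooling; version ranges and flag names are from OpenSSL's own releases.

# Step 1 check: classify the output of `openssl version`.
# Heartbeat arrived in 1.0.1 and Heartbleed was fixed in 1.0.1g, so only
# 1.0.1 through 1.0.1f (plus 1.0.2-beta1) are affected. Caveat: distributions
# often backport the fix without changing the letter (1.0.1e stays 1.0.1e),
# so confirm with the package changelog when this prints "vulnerable".
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) echo vulnerable ;;
        1.0.1*)                                    echo fixed ;;
        0.9.*|1.0.0*)                              echo unaffected ;;
        *)                                         echo fixed ;;
    esac
}

# Step 1 alternative: a build recompiled without the Heartbeat extension
# shows -DOPENSSL_NO_HEARTBEATS in the compiler line of `openssl version -a`.
heartbeat_compiled_out() {
    printf '%s\n' "$1" | grep -q 'OPENSSL_NO_HEARTBEATS'
}

# Step 4 check: count the certificates a server sends in its handshake
# (from `openssl s_client -connect host:443 -showcerts < /dev/null`).
# Fewer than 2 almost always means the intermediate was not installed.
cert_count() {
    printf '%s\n' "$1" | grep -c -e '-----BEGIN CERTIFICATE-----' || true
}

# Usage: sh heartbleed_check.sh www.example.com   (hostname is an assumption)
if [ -n "${1:-}" ]; then
    echo "local OpenSSL: $(heartbleed_status "$(openssl version)")"
    if heartbeat_compiled_out "$(openssl version -a)"; then
        echo "local OpenSSL: built without the Heartbeat extension"
    fi
    chain=$(openssl s_client -connect "$1:443" -showcerts < /dev/null 2>/dev/null)
    echo "$1 sends $(cert_count "$chain") certificate(s) in its chain"
fi
```

Run it on each patched host and against each public hostname; a "vulnerable" local result after a distribution update means the package changelog, not the version letter, is the authority.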
One final piece of advice: you may have to do this on your intranet sites as well. Don’t trust your firewall to keep out hackers; they find their way behind firewalls every day, whether by infecting the menu at your favorite take-out place or by changing the rules. If you want more up-to-date information on Heartbleed or any other threats, follow us on Twitter and Facebook and bookmark our corporate Heartbleed update page.