The entire IT world is in the process of devising strategies to handle Heartbleed bug, an OpenSSL vulnerability, amidst several warnings from governments, enterprises and IT experts.
InfotechLead.com has mapped some of the latest announcements from the global IT industry on handling the bug. Some IT firms said they are already protecting their customer networks, some advised their clients, a few said “it is alarming”, some said we may have lost data already.
Interestingly, we know who is responsible for the IT issue.
Robin Seggelmann, a German programmer who volunteers as a developer on the OpenSSL team, admitted that he had written the faulty code responsible for the vulnerability while working on a research project at the University of Münster.
“I failed to check that one particular variable, a unit of length, contained a realistic value. This is what caused the Heartbleed bug,” said Seggelmann, now an employee with Deutsche Telekom Germany, in a blog post published on Friday.
Tripwire, a provider of risk-based security and compliance management solutions, announced Tripwire vulnerability management products such as Tripwire IP360, Tripwire PureCloud and TripwireSecureScan, provide authenticated and unauthenticated checks for Heartbleed.
Lamar Bailey, director of Tripwire’s Vulnerability and Exposure Research Team (VERT), said: “It’s important that information security professionals validate multiple services and operating systems with specific vulnerability checks in order to really understand their exposure to this risk. Simple banner checks and running only authenticated tests are not comprehensive enough, particularly for something this serious.”
OpenSSL is used with a variety of networking products, and many organizations will have more than one vulnerable application or operating system.
Heartbleed also affects File Transfer Protocol (FTP), Internet Message Access Protocol (IMAP), Post Office Protocol version 3 (POP3), Extensible Messaging and Presence Protocol (XMPP), and Simple Mail Transfer Protocol (SMTP). Because Heartbleed can affect many different applications, finding and remediating this critical vulnerability quickly across multiple machines can be a daunting task.
Tripwire SecureScan provides free vulnerability scanning for up to 100 IP addresses and includes comprehensive detection rules that discover Heartbleed in a wide variety of conditions. Tripwire SecureScan contains the same robust vulnerability checks included in Tripwire IP360, a vulnerability management solution used by the largest, most sensitive networks in the world.
Array Networks, a vendor of application delivery networking, said that Array Networks products are not exposed to the OpenSSL Heartbleed vulnerability.
Unlike hardware and software vendors that have integrated OpenSSL into their core product and service offerings, Array is unaffected because the company uses a proprietary SSL stack to process SSL, TLS and DTLS service traffic.
Array products – including APV, vAPV, AG, vxAG and EOS products (TMX, SPX) – use the company’s proprietary SSL stack to process all SSL, TLS and DTLS service traffic. Therefore, service traffic on Array products is not affected by this OpenSSL Heartbleed vulnerability.
In addition, Array products only have limited usage of OpenSSL for WebUI and SSH management. The versions of OpenSSL used by Array products are not affected by the OpenSSL Heartbleed vulnerability so management traffic on Array products is also not affected by the vulnerability.
Lagrange Systems, a provider of cloud-based web and application performance software, has a simple and effective resolution for companies affected by the OpenSSL security flaw.
All companies leveraging Lagrange Systems’ solutions are currently protected from this issue, and those companies that may still require the security fix can work with Lagrange to implement it.
Jay Smith, Lagrange Systems’ chief technology officer, said: “We recognize that small and mid-size companies with limited IT staff and expertise may not have the technical expertise to implement this fix, yet it is an urgent issue they must resolve. Lagrange can provide that security protection because we act as a broker between a company’s website and their users.”
Lagrange deployed the SSL security fix on its Application Delivery Controllers (ADCs) immediately after the security flaw was announced. This gave an immediate level of protection to Lagrange customers, such as Treehouse Brand Stores, which operates seven official online stores for many of the biggest video game publishers in the world.
“Lagrange proactively notified us while they were already in process of resolving this issue. Lagrange contacted us about the issue and our production system was secure within 30 minutes. What’s more, we could assure our customers that this issue was resolved,” said Anthony Salinas, director of operations and development for Treehouse Brand Stores.
Intuit TurboTax, an online tax preparation service, has examined its systems and has secured TurboTax to protect against the Heartbleed bug.
Rajesh Natarajan, chief technology officer and vice president of product development and product management for Intuit TurboTax, said: “Taxpayers can be confident that TurboTax websites are secure and their personal and financial information are safe. They can file their return today with confidence.”
Accuvant has released recommendations on how to address the recently discovered Heartbleed Bug, a serious Internet security vulnerability that could put personal information such as passwords, credit card information and emails at risk.
Online identity and security expert Steve Kirsch, founder and CEO of oneID, says Heartbleed breach could have been prevented.
“The reason we keep having password breaches is not because we lack the technology to solve the problem. The technology to permanently end password breaches has been commercially available for years,” said Steve Kirsch, founder and CEO of oneID.
“No, the real reason we keep having password breaches will surprise you. Websites believe that the tools and technology they have in place are secure enough already. They do care about security, but simply believe their current practices are meeting the needs out there. Or they simply do not care. I disagree – as proven by Heartbleed,” Kirsch added.
Comodo Group, the No. 2 provider of SSL certificates, said customers have requested tens of thousands of replacements this week.
“We are very busy, but we are coping. My gut feeling is that we are going to be very busy all the way through next week,” said Comodo Chief Technology Officer Robin Alden.
OpenSSL is an open source project, which means that it is supported by developers worldwide who volunteer to update and secure its code. It is not as well tended to as programs such as Linux, which is widely supported by a flourishing developer community around the globe and corporate backers.
CSG has shared top 5 ways to avoid heartbleed bug:
1. Assume you’ve been breached (Stop focusing on building the wall of defense and instead focus on mitigating the risks already inside)
2. Don’t hide your weakest link (identify potential access points)
3. Invest in automation (addresses the skills gap challenge)
4. Create a cyber security playbook
5. Foster a culture of cybersecurity across the entire organization
F5 Networks today said companies using F5 BIG-IP Local Traffic Manager (LTM) to terminate SSL connections already have the necessary protections in place to secure their applications against the Heartbleed bug.
For companies terminating SSL connections on application servers (not utilizing F5 SSL offload), the threat can be immediately mitigated through open, extensible F5 iRules. Customers are encouraged to visit F5’s DevCentral and f5.com for more information.
“For organizations using F5 BIG-IP Local Traffic Manager (LTM) with our SSL stack, applications are already protected from the Heartbleed vulnerability,” said Mark Vondemkamp, VP of Product Management, Security at F5.
Defense.Net founder Barrett Lyon said the Heartbleed vulnerability has exposed more than half a million websites and may be one of the most catastrophic bugs in secure computing history.
“In the process of cleaning up invalid bots and removing attack traffic, Defense.Net’s DDoS mitigation also validates legitimate network protocols against illegitimate ones. This is achieved through a process where on one layer of our network we create a proprietary SSL/TLS implementation, and on another layer of our network we monitor and block the behavior of traffic that attempts to exploit the Heartbleed bug,” Lyon said.
Kurt Baumgartner, researcher – Kaspersky Lab, said: “Shortly after news of the Heartbleed Bug first surfaced, Kaspersky Lab uncovered evidence that a few hacking groups believed to be involved in state-sponsored cyber espionage were running such scans. Later, the Team at Kaspersky Lab identified such scans coming from ‘tens’ of actors. The numbers were gradually increasing and this was even more evident when security software company Rapid7 released a free tool for conducting such scans. This problem is insidious and devices besides servers could be at risk because they run software programs with vulnerable OpenSSL code built into them.”
Reuters reported that the U.S. government warned banks and other businesses on Friday to be on alert for hackers seeking to steal data exposed by the Heartbleed bug, as a German programmer took responsibility for the widespread security crisis.
The Department of Homeland Security asked organizations to report any Heartbleed-related attacks, adding that hackers were attempting to exploit the bug in widely used OpenSSL code by scanning targeted networks. Federal regulators also advised financial institutions to patch and test their systems to make sure they are safe.
OpenSSL is technology used to encrypt communications, including access to email, as well as websites of big Internet companies like Facebook, Google and Yahoo.
Companies including Cisco Systems, IBM, Intel, Juniper Networks, Oracle, Red Hat have warned customers they may be at risk. Some updates are out, while others are still in the works.
The vulnerability went undetected for several years, so experts worry that hackers have likely stolen some certificates and keys, leaving data vulnerable to spying.
In their advisory, the Federal Financial Institutions Examination Council regulatory group suggested that banks consider replacing those certificates and keys.
The Heartbleed bug can enable hackers to peer into and steal sensitive corporate, government, and personal data, putting intellectual property, state secrets, and personally identifiable information (PII) at risk. It also allows attackers to lift typically private user names, sessions, and passwords, thereby enabling them to imitate users and services, making an array of services and information open and vulnerable to attack and theft.