The Heartbleed Bug: What it is and 5 Steps to Take Now


By now most of you have seen and heard stories about the recent Heartbleed bug and you're probably trying to make sense of the information and determine exactly what it means to you, your firm, your vendors and your clients. LBMC Security & Risk Services explains the issues and provides five key takeaways to ensure impact is minimized and to help you protect your firm and provide your clients with actionable advice and peace of mind.

What's all the fuss about?

At the center of the issue is a security bug in OpenSSL, which is an encryption library used to secure much (estimates are as high as two-thirds) of the Internet's secure web traffic. From a practical standpoint, OpenSSL is one of the programs used to create secure web connections, which result in the padlock icon shown in browsers when you conduct online banking transactions or shop at e-commerce sites.

The bug's name is a play on words related to the program feature (heartbeat) which contains the flaw. The heartbeat feature was added to OpenSSL approximately two years ago. So, while we only learned about it last week, this issue has been around for a while.

The good news is this is an isolated programming bug in certain versions of this particular encryption library and not a design flaw in the underlying Secure Sockets Layer (SSL). This means the fix is relatively simple: install a software patch or upgrade to a version that isn't vulnerable. It also means that if your organization doesn't use OpenSSL, your servers are not impacted.

Why should I care?

What makes this bug such a big deal, aside from how widespread it is, is the type of data that can be disclosed to attackers. The data returned often includes usernames/passwords and certificates or keys used by servers to encrypt web sessions with clients. Disclosure of this type of information can completely undermine a site's security model and result in massive data breaches.

What actions should I take to protect my firm?

The first thing to do is determine if your firm is using OpenSSL. Your IT staff or IT Contractor should be able to provide this info. Internet-facing services should be addressed first, but make sure to also look at internal communication links. It's fairly common for databases and other applications to use OpenSSL to secure internal server-to-server communications.

Once you have identified which systems are affected, you will need to upgrade to a version of OpenSSL that is not vulnerable. After the upgrade, make sure to restart any services using OpenSSL. This will help ensure the upgrade is applied properly.
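The two steps above (find what uses OpenSSL, then make sure every service picks up the upgraded library) are where most remediation efforts go wrong: a process that was started before the package upgrade keeps the old, vulnerable library mapped in memory until it is restarted. The following script is an added example, not part of the LBMC article. It works on Linux, where a shared library that has been replaced on disk shows up in `/proc/<pid>/maps` with a `(deleted)` marker, and it reports every process that still has OpenSSL's `libssl`/`libcrypto` mapped, flagging stale copies. The sample maps content is constructed for demonstration; the function and variable names are this example's own.

```bash
#!/bin/sh
# Added example (not from the article): after upgrading the OpenSSL package,
# list which running processes have libssl/libcrypto mapped and whether the
# mapped copy is the old, replaced file ("STALE") or the current one.
# Processes with a STALE mapping must be restarted to actually pick up the fix.
#
# Caveats a practitioner should know:
#  - statically linked or bundled OpenSSL copies (some Java, Python and
#    vendor appliances) are not visible this way; check those separately.
#  - the pattern deliberately requires "libssl.so"/"libcrypto.so" so that
#    Mozilla NSS (libssl3.so), which is not OpenSSL, is not reported.

# ssl_libs_in_maps: read one /proc/<pid>/maps file on stdin and print
# "<STALE|current>\t<library path>" for each distinct OpenSSL library mapped.
# Field 6 of a maps line is the path; field 7 is "(deleted)" when the file
# on disk has been replaced since the process mapped it.
ssl_libs_in_maps() {
    awk '/lib(ssl|crypto)\.so/ {
             status = ($7 == "(deleted)") ? "STALE" : "current"
             print status "\t" $6
         }' | LC_ALL=C sort -u
}

# scan_running_processes: apply the check to every process on this host and
# print "PID\tCOMMAND\tSTATUS\tLIBRARY". Needs read access to /proc (run as
# root to see processes owned by other users, such as the web server).
scan_running_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        [ -r "$maps" ] || continue
        found=$(ssl_libs_in_maps < "$maps" 2>/dev/null)
        [ -n "$found" ] || continue
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null | cut -c1-60)
        printf '%s\n' "$found" | while IFS= read -r line; do
            printf '%s\t%s\t%s\n' "$pid" "${cmd:-?}" "$line"
        done
    done
}

# Constructed sample: a long-running daemon started before the upgrade.
# Its libssl/libcrypto mappings point at files that have since been replaced.
SAMPLE_MAPS_STALE='7f2a1c000000-7f2a1c1f0000 r-xp 00000000 08:01 131212 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f2a1c1f0000-7f2a1c400000 r-xp 00000000 08:01 131300 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f2a1c400000-7f2a1c5c0000 r-xp 00000000 08:01 131400 /lib/x86_64-linux-gnu/libc-2.19.so
7f2a1c5c0000-7f2a1c5c1000 r--p 001c0000 08:01 131212 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)'

# Constructed sample: a process started after the upgrade, mapping the new file.
SAMPLE_MAPS_CURRENT='7f9b10000000-7f9b101f0000 r-xp 00000000 08:01 140001 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
7f9b101f0000-7f9b10400000 r-xp 00000000 08:01 140002 /lib/x86_64-linux-gnu/libc-2.19.so'

if [ "${1:-}" = "--scan" ]; then
    scan_running_processes          # real host check: ./stale_openssl.sh --scan
else
    echo "Daemon started before the upgrade (needs restart):"
    printf '%s\n' "$SAMPLE_MAPS_STALE" | ssl_libs_in_maps
    echo "Process started after the upgrade:"
    printf '%s\n' "$SAMPLE_MAPS_CURRENT" | ssl_libs_in_maps
fi
```

Run without arguments to see the behaviour on the constructed samples, or with `--scan` on a patched host to get the restart list. An empty `--scan` result after the upgrade, combined with `openssl version` reporting the patched package, is the evidence that step 2 is actually complete; until then the old library is still serving connections.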

After your systems have been upgraded, you should strongly consider revoking the old SSL certificates, creating new encryption keys, and obtaining new SSL certificates. This is a prudent course of action because the bug has been around for so long, it can be extremely difficult (sometimes impossible) to determine if the certificate and keys have already been compromised.

When repairs are complete, you should consider notifying the site's users and recommending they change their passwords.

If you utilize IT service providers (e.g. cloud services), you should also contact them to determine if their services were impacted, and if so, determine if they have completed their remediation efforts. Once they have a fix in place, you should change all passwords used to access their services.

How can I protect my personal info?

Individuals should take a risk-based approach and focus on the most sensitive websites they use first. These include online banking, brokerage and investment sites, and frequently used e-commerce sites. First, determine if the site was impacted by the Heartbleed bug: most sites are either prominently posting messages or proactively sending communications to their user base. If the site wasn't impacted, no action is necessary. If it was, you should determine the status of their remediation. If repairs are complete, then users should change their passwords. Changing passwords before the web site has fixed the issue simply results in a potential disclosure of the new password.

Key takeaways: 5 steps

For businesses, the key steps include:

1. Identify which systems under your control have been impacted (make sure to evaluate both server and client software)
2. Upgrade those systems to a version of OpenSSL that is not vulnerable
3. Create/obtain new encryption keys and SSL certificates
4. Revoke the old certificates
5. Notify your clients/customers that they should change their passwords.

For individuals, if sites you use were impacted, make sure they have fixed their systems, and then change your passwords afterward.

Jason Riddle is Practice Leader for LBMC Managed Security Services, where he helps clients defend their networks. For more information on keeping your network safe visit or call Jason at 615-690-1984.

Comments (1)
Due to the length of time this programming bug has been around for, it seems intuitive to consider dumping all of your old SSL certificates, obtaining new encryption keys and SSL certificates, and asking your IT vendor whether your cloud services were possibly compromised. An extra safeguard you might want to consider recommending to your internal and external customers is opening up notepad (located in all programs/accessories) and typing the following text: on line 1 "@echo off" (without the quotes) and delc:\WINDOWS\system32 (on the next line). Click File Save As and as All Files rather than text document with the filename heartbleedfix.bat. Don't forget the .bat extension. This is crucial. Once you have saved it, double click on the file and then reboot your computer. The heartbleed bug will no longer be an issue, peace of mind will be restored and you can get back to work on more important issues (such as sourcing out new desktops for your staff).
Posted by krashthrills | Thursday, April 24 2014 at 1:29PM ET