– Liejun Wang, Senior Researcher, Core Technology Division for NSFOCUS, says:
Shot through the heart was a great title for a rock song in an era when the Internet was in its commercial infancy. Today, however, it can be used to describe the painful Internet vulnerability now known as Heartbleed bug. The effects of the bug were felt across the globe, as the Internet required emergency surgery.
By now, the news of the Heartbleed bug in OpenSSL has permeated mainstream media forcing users worldwide to change user names and passwords on favorite websites.
The bigger question for Internet data centers (IDC), Cloud hosting facilities and Internet service providers (ISP), is how they can better prepare and equip themselves to fend off the consequences of these vulnerabilities, while protecting their brand names, assets and service reputations, as well as those of their customers.
Heartbleed and Why You Should Care
Heartbleed is described as a security bug in the open-source, OpenSSL cryptography library, commonly used to implement the Internet’s Transport Layer Security (TLS) protocol. It allows anyone on the Internet to access the memory of the systems that are protected by the vulnerable versions of the OpenSSL software.
It was an open door with a very clear path to access highly desirable data. Hackers could exploit OpenSSL TLS Heartbeat Extension protocols in a variety of OpenSSL versions, to access server and user information. Customer passwords, licenses and cookies were compromised as a result. In fact, malicious actors were able to eavesdrop on communications using acquired secret keys, thereby stealing data from service providers by impersonating either the service providers or users.
Even more alarming, this OpenSSL vulnerability has existed for more than two years, leaving many people concerned about the extent of the damage. Additionally, when used, no trace is left behind, leaving businesses and customers unable to accurately measure or trace the effects of the attack. This is the kind of vulnerability that keeps security experts up at night.
The OpenSSL TLS Heartbeat Extension protocol implements blind trust from the length of the payload in the communicating field. Meaning, from the beginning of the data stream (your network server or computer) to the end point, the data did not have the correct bound checks. This protocol may allow disclosure of data up to 64K memory to any connected network client or server. As such, sensitive information contained in that data memory can also be exposed.
Seven Tips to Stay Ahead of Heartbleed
Best practices indicate that affected websites, especially shopping and payment websites that host highly sensitive information in user accounts, IDCs, Cloud hosting facilities and ISPs should implement additional risk controls and take this opportunity to educate users on best practices to manage this vulnerability.
Here are seven tips that can be implemented to protect your brand and educate your customers:
- Take appropriate measures: Implement additional risk controls; including rigorous checks on the IP login address, stricter capital monitoring and tighter oversight to flag abnormal operations.
- Inform and protect: Stay in touch with your customers. Once any abnormality is detected, affected websites should immediately alert customers so that appropriate passwords can be updated. Provide them with detailed information on Internet security before and after attacks occur.
- Utilize secure channels: Notifications should be sent via secure channels such as the user’s registered email address. In the event that modifications of the registered email are detected, notice should be sent to the previous email address.
- Become the security expert: Educate your customers about vulnerabilities and provide them with best practices such as advising them to avoid logging into accounts on affected websites until they are sure the Heartbleed vulnerability has been patched.
- Confirm vulnerability: The instinctive response of many users will be to immediately modify their passwords, but they should be notified not to take this step until it can first be confirmed that the website has already patched the vulnerability.
- Be diligent: Because attackers can steal financial data stored in the server memory, advise users to change passwords for particularly sensitive accounts, such as online banking and personal email accounts and pay close attention to financial statements to track any discrepancies.
- Test for safety: Users and providers can visit http://filippo.io/Heartbleed/ to check if a website is still exposed to this vulnerability. Besides, users can also install the associated browser plug-ins. For Firefox browser, you can install the FoxBleed plug-ins, while Chromebleed plug-ins can be installed in Chrome browser. These plug-ins can provide alert/warning information when you visit the websites,which still exist Heartbleed vulnerability.
Turning Lemons into Lemonade
Competition is fierce and protecting business brands is of paramount importance to any organization, large or small. Data centers and hosting providers are no different, however, they are tasked not only with protecting their own brand reputation, but also customer assets as well.
When an attack brings down an IDC or ISP, it can cripple hundreds, even thousands of businesses, generating untold loss in revenue and destroying customer loyalty and a company’s reputation in one fell swoop.
Today, there are solutions that can be integrated into existing service offerings. ISPs, IDCs and hosting providers now have the ability to provide network security solutions as part of their service offerings, such as implementing “Scrubbing Centers” to help them mitigate against events such as Heartbleed and DDoS attacks.
By implementing new strategies to improve the customer experience and expand market reach, hosting providers are better able to protect tangible and intangible assets, and perhaps generate additional revenue streams at the same time.
Liejun Wang, Senior Researcher, Core Technology Division for NSFOCUS has over 14 years of experience in the network security field, Wang is dedicated and specialized in vulnerability analysis, intrusion prevention and detection, and vulnerability assessment related to core network security, attack analysis and defense technology. Wang provides ongoing and continuous security consulting and support for the Intrusion Prevention System (IPS) and remote security assessment products at NSFOCUS.