
Heartbleed Bug: What have we learned so far...?

15 Apr 14

It has been now five days since details emerged regarding the “Heartbleed” vulnerability in OpenSSL.

During this time we have been researching the impact of the vulnerability, tracking the patch states of popular websites, and monitoring attacks.

So what have we learned?

Most popular sites are no longer vulnerable...

We have been tracking the most popular websites to see which of them are currently vulnerable to Heartbleed. No website included in Alexa’s top 1000 websites is currently vulnerable.

Within the Alexa top 5000 websites, only 24 websites are vulnerable.

Overall, within the Alexa top 50,000 websites only 1.8 percent are vulnerable to Heartbleed. Based on this data, chances are that the websites most frequently visited by the average user are not affected by Heartbleed.

It is possible that your data may have been stolen before a website was updated. To mitigate this, ensure that you do not reuse passwords across multiple sites.

Yes, you should change your passwords...

There has been some contradictory information regarding whether users should change their passwords. Based on our examination of the most popular websites above, it should now be safe to change the passwords for most of your online accounts.

If a website is still vulnerable, do not change your password for that site just yet.

The problem is serious, but a doomsday scenario is unlikely...

Heartbleed could be used by attackers to steal personal data such as usernames and passwords—and doing so is relatively easy.

However, one of the biggest concerns is that the vulnerability could be used to steal the private keys which are used to encrypt communications with websites.

By stealing these keys, attackers could eavesdrop on communications or set up fake websites which impersonate legitimate websites allowing them access to even more data.

Stealing these keys is very difficult. Some researchers have succeeded in stealing keys using Heartbleed, but each case required specific circumstances to be met; in particular, keys are most likely to be exposed only in the period immediately after the web server is started.

Heartbleed is not being widely used by attackers...

Our monitoring has shown that while there is widespread scanning for vulnerable websites, most of this scanning seems to be originating from researchers.

We have witnessed relatively few mass scans for the Heartbleed vulnerability originating from attackers. Attackers could be targeting specific sites but, fortunately, the most popular sites are no longer affected.

IPS will help block attacks...

Symantec IPS signature 27517, Attack: OpenSSL Heartbleed CVE-2014-0160 3, has been released and will detect and block attempts to exploit Heartbleed on vulnerable servers.
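Detection logic in the spirit of such a signature, as an added example that is not from the original post or from Symantec's product: it parses one TLS record and flags a heartbeat message whose declared payload length does not fit inside the record, the malformed condition Heartbleed depends on. The record layout follows RFC 6520 and the sample records are constructed here for testing.

```python
# Added example: heartbeat-record sanity check of the kind an IPS applies.
# TLS record = 1-byte content type, 2-byte version, 2-byte length, fragment.
# Heartbeat fragment = 1-byte type, 2-byte payload_length, payload, >=16 bytes padding.
# Vulnerable OpenSSL trusted payload_length; the fixed version (1.0.1g) checks
# that 1 + 2 + payload_length + 16 fits in the record, which is what we check here.
import struct

HEARTBEAT_CONTENT_TYPE = 24
HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
MIN_PADDING = 16


def parse_tls_record(data: bytes):
    """Split one captured TLS record into (content_type, version, fragment)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("record length field exceeds captured bytes")
    return content_type, version, fragment


def inspect_heartbeat(record: bytes) -> str:
    """Return 'not-heartbeat', 'ok' or 'alert:<reason>' for one TLS record."""
    try:
        content_type, _version, fragment = parse_tls_record(record)
    except ValueError as exc:
        return "alert:%s" % exc
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return "not-heartbeat"
    if len(fragment) < 3:
        return "alert:heartbeat fragment shorter than its header"
    hb_type, payload_length = struct.unpack("!BH", fragment[:3])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return "alert:unknown heartbeat type %d" % hb_type
    content = len(fragment) - 3  # bytes available for payload + padding
    if payload_length + MIN_PADDING > content:
        return "alert:declared payload %d exceeds record content %d" % (payload_length, content)
    return "ok"


def build_record(content_type: int, fragment: bytes) -> bytes:
    """Constructed sample record (TLS 1.1 version field) for testing the check."""
    return struct.pack("!BHH", content_type, 0x0302, len(fragment)) + fragment


def build_heartbeat(declared_length: int, payload: bytes) -> bytes:
    body = struct.pack("!BH", HEARTBEAT_REQUEST, declared_length) + payload + b"\x00" * MIN_PADDING
    return build_record(HEARTBEAT_CONTENT_TYPE, body)


SAMPLES = {  # constructed inputs, not captured traffic
    "benign": build_heartbeat(4, b"ping"),            # declared length matches payload
    "oversized": build_heartbeat(0x4000, b"ping"),    # claims 16 KiB, carries 4 bytes
    "handshake": build_record(22, b"\x01\x00\x00\x00"),  # not a heartbeat record at all
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(name, "->", inspect_heartbeat(rec))
```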

Advice remains the same...

For businesses:

* Anyone using OpenSSL 1.0.1 through 1.0.1f should update to the latest fixed version of the software (1.0.1g), or recompile OpenSSL without the heartbeat extension.

* Businesses should also replace the certificate on their web server after moving to a fixed version of OpenSSL.

* Finally, and as a best practice, businesses should also consider resetting end-user passwords that may have been visible in compromised server memory.

For consumers:

* Be aware that your data could have been seen by a third party if you used a vulnerable service provider.

* Monitor any notices from the vendors you use. Once a vulnerable vendor has communicated to customers that they should change their passwords, users should do so.

* Avoid potential phishing emails from attackers asking you to update your password. To avoid being tricked into going to an impersonated website, stick with the official site domain.

For the latest information on Heartbleed, including how to minimize your risk, please visit the Symantec Heartbleed outbreak page.

This post was originally published on the Symantec Security Blog
