Story image

Heartbleed Bug: What have we learned so far...?

15 Apr 2014

It has been now five days since details emerged regarding the “Heartbleed” vulnerability in OpenSSL.

During this time we have been researching the impact of the vulnerability, tracking the patch states of popular websites, and monitoring attacks.

So what have we learned?

Most popular sites are no longer vulnerable...

We have been tracking the most popular websites to see which of them are currently vulnerable to Heartbleed. No website included in Alexa’s top 1000 websites is currently vulnerable.

Within the Alexa top 5000 websites, only 24 websites are vulnerable.

Overall, within the Alexa top 50,000 websites only 1.8 percent is vulnerable to Heartbleed. Based on this data, chances are that the websites most frequently visited by the average user are not affected by Heartbleed.

It is possible that your data may have been stolen prior to a website being updated. To mitigate against this ensure that you do not reuse passwords across multiple sites.

Yes, you should change your passwords...

There has been some contradictory information regarding whether users should change their passwords. Based on our examination of the most popular websites above, it should now be safe to change the passwords for most of your online accounts.

If a website is still vulnerable, do not change your password for that site just yet.

The problem is serious, but a doomsday scenario is unlikely..

Heartbleed could be used by attackers to steal personal data such as usernames and passwords—and doing so is relatively easy.

However one of the biggest concerns is that the vulnerability could be used to steal the private keys which are used to encrypt communications with websites.

By stealing these keys, attackers could eavesdrop on communications or set up fake websites which impersonate legitimate websites allowing them access to even more data.

Stealing these keys is very difficult. Some researchers have been successful in stealing keys using Heartbleed, but each case required specific circumstances to be met; in particular, keys are more likely to be exposed only at the moment after the web server is started.

Heartbleed is not being widely used by attackers...

Our monitoring has shown that while there is widespread scanning for vulnerable websites, most of this scanning seems to be originating from researchers.

We have witnessed relatively few mass scans for the Heartbleed vulnerability originating from attackers. Attackers could be targeting specific sites but, fortunately, the most popular sites are no longer affected.

IPS will help block attacks...

Symantec IPS signature 27517, Attack: OpenSSL Heartbleed CVE-2014-0160 3, has been released and will detect and block attempts to exploit Heartbleed on vulnerable servers.

Advice remains the same...

For businesses:

* Anyone using OpenSSL 1.0.1 through 1.0.1f should update to the latest fixed version of the software (1.0.1g), or recompile OpenSSL without the heartbeat extension.

* Businesses should also replace the certificate on their web server after moving to a fixed version of OpenSSL.

* Finally, and as a best practice, businesses should also consider resetting end-user passwords that may have been visible in compromised server memory.

For consumers:

* Be aware that your data could have been seen by a third party if you used a vulnerable service provider.

* Monitor any notices from the vendors you use. Once a vulnerable vendor has communicated to customers that they should change their passwords, users should do so.

* Avoid potential phishing emails from attackers asking you to update your password. To avoid being tricked into going to an impersonated website, stick with the official site domain.

For the latest information on Heartbleed, including how to minimize your risk, please visit the Symantec Heartbleed outbreak page by clicking here

This post was originally published on the Symantec Security Blog

Opinion: How SD-WAN changes the game for 5G networks
5G/SD-WAN mobile edge computing and network slicing will enable and drive innovative NFV services, according to Kelly Ahuja, CEO, Versa Networks
TYAN unveils new inference-optimised GPU platforms with NVIDIA T4 accelerators
“TYAN servers with NVIDIA T4 GPUs are designed to excel at all accelerated workloads, including machine learning, deep learning, and virtual desktops.”
AMD delivers data center grunt for Google's new game streaming platform
'By combining our gaming DNA and data center technology leadership with a long-standing commitment to open platforms, AMD provides unique technologies and expertise to enable world-class cloud gaming experiences."
Inspur announces AI edge computing server with NVIDIA GPUs
“The dynamic nature and rapid expansion of AI workloads require an adaptive and optimised set of hardware, software and services for developers to utilise as they build their own solutions."
Norwegian aluminium manufacturer hit hard by LockerGoga ransomware attack
“IT systems in most business areas are impacted and Hydro is switching to manual operations as far as possible.”
HPE launches 'right mix' hybrid cloud assessment tool
HPE has launched an ‘industry-first assessment software’ to help businesses work out the right mix of hybrid cloud for their needs.
ADLINK and Charles announce multi-access pole-mounted edge AI solution
The new solution is a compact low profile pole or wall mountable unit based on an integration of ADLINK’s latest AI Edge Server MECS-7210 and Charles’ SC102 Micro Edge Enclosure. 
How Dell EMC and NVIDIA aim to simplify the AI data centre
Businesses are realising they need AI at scale, and so enterprise IT teams are increasingly inserting themselves into their company’s AI agenda.