king of the hill, koth, arlen, bobby hill, chocolate, heart, im your little candy manA serious security threat was revealed on Monday, sending waves of panic across the web. Called Heartbleed Bug, it affects the OpenSSL encryption program utilized by thousands of sites, including Yahoo, Tumblr, Google, Amazon, Instagram and many financial institutions. As developers rushed to patch the flaw, users were encouraged to change their passwords and keep on eye on finances.

It is thought that Heartbleed, which takes advantage of a nefarious flaw in OpenSSL, has been present for two years and does not leave any indication of its presence. This may have left a massive number of networks vulnerable to attack, with a staggering amount of sensitive data exposed.Homeland Security advisor Jeff Moss expressed deep concern about the Heartbleed issue, as the DefCon network is protected by an enterprise MacAfee firewall, which was left vulnerable by the flaw. He stated that even though it was clear that email and traffic on the network was vulnerable, his hands are tied until the vendor, Intel, releases a patch. Intel expressed its concern regarding the problem by way of a blog post, promising a fix as soon as possible.

An inventory conducted by Cisco Systems uncovered a dozen of its products that are vulnerable to Heartbleed, including the video conference server TelePresence. The company would not elaborate on how users of TelePresence might be affected and stated it would report new information soon. Microsoft said it was updating a few services, which it did not reveal. Oracle, Hewlett-Packard, Dell, EMC and IBM would not comment on the situation.

In his recent article entitled “Exposing the April Fool“, SIEM expert Tom Clare of Arctic Wolf said, “Improved data collection and forensic skills are exposing what many have known for years – we can invest in security tools and hardware, but its the people and processes that determine success or failure. Security is not a point in time with a report, audit or compliance rating. It is an emerging continuous security cycle for both private and government organizations.”While many popular web services have already patched the problem, the vulnerability continues to lurk in email servers, smartphones, webcams and anonymizing services such as OpenVPN and TOR. Bluebox Security CTO Jeff Forristal said that Android devices running Jelly Bean version 4.1.1 are susceptible to Heartbleed. Google had no comment for the finding, and it remains unclear whether other versions of Jelly Bean are affected. A number of other security experts have said that it would take an extraordinary effort to extract anything useful from an Android phone and users should not be worried.
The headaches from Heartbleed are set to continue as it makes everyday users vulnerable to phishing emails. Heartbleed affected sites have begun sending emails informing their users to change their emails, and so have hackers. The DMARC email security experts at Agari commented, “While many of the email notifications will be legitimate, criminals will use this opportunity to trick consumers into revealing passwords. They will do so by sending spoofed security-related emails purporting to come from popular brands and services. These spoofed emails will include password-reset links that take the recipients to fake sites that phish usernames, passwords and other sensitive information. This is a common pattern when a breach owhen a breach or vulnerability is revealed – criminals often attempt a one-two punch to get access to even more sensitive or valuable information from customers of the impacted company. This time, of course, the potential targets of such phishing attempts will be almost everyone on the Internet.”In the meantime, users can protect themselves by taking the following actions:
  • Avoid public Wi-Fi. The firewalls and routers used in public access points are unknown to the user and should not be used until the threat has passed.
  • Change passwords on patched sites. This is especially important for banking, email and social media where sensitive data is at risk.
  • Keep careful track of finances. Identity theft is not always obvious, so it is best practice to keep an eye on credit card and bank statements.
  • Update software. Determine what brand of router a business or home is using and check the vendor’s site for updates each day. This process can move slowly, so patience is important.
  • Switch off router remote access. This feature is not needed by most users, and turning it off greatly reduces the risk of hacking. If a router has been provided by an ISP, that company should be contacted to ensure any necessary updates are applied.

Since the full scope of the Heartbleed bug is still being determined, businesses and individuals should remain vigilant and use every means necessary to stay secure.