Heartbleed Bug: What have we learned so far...?

15 Apr 2014

It has been now five days since details emerged regarding the “Heartbleed” vulnerability in OpenSSL.

During this time we have been researching the impact of the vulnerability, tracking the patch states of popular websites, and monitoring attacks.

So what have we learned?

Most popular sites are no longer vulnerable...

We have been tracking the most popular websites to see which of them are currently vulnerable to Heartbleed. No website included in Alexa’s top 1000 websites is currently vulnerable.

Within the Alexa top 5000 websites, only 24 websites are vulnerable.

Overall, within the Alexa top 50,000 websites only 1.8 percent are vulnerable to Heartbleed. Based on this data, chances are that the websites most frequently visited by the average user are not affected by Heartbleed.

It is possible that your data may have been stolen before a website was updated. To mitigate this, ensure that you do not reuse passwords across multiple sites.

Yes, you should change your passwords...

There has been some contradictory information regarding whether users should change their passwords. Based on our examination of the most popular websites above, it should now be safe to change the passwords for most of your online accounts.

If a website is still vulnerable, do not change your password for that site just yet.

The problem is serious, but a doomsday scenario is unlikely...

Heartbleed could be used by attackers to steal personal data such as usernames and passwords—and doing so is relatively easy.

However, one of the biggest concerns is that the vulnerability could be used to steal the private keys which are used to encrypt communications with websites.

By stealing these keys, attackers could eavesdrop on communications or set up fake websites which impersonate legitimate websites allowing them access to even more data.

Stealing these keys is very difficult. Some researchers have been successful in stealing keys using Heartbleed, but each case required specific circumstances to be met; in particular, keys are most likely to be exposed only in the moments immediately after the web server starts.

Heartbleed is not being widely used by attackers...

Our monitoring has shown that while there is widespread scanning for vulnerable websites, most of this scanning seems to be originating from researchers.

We have witnessed relatively few mass scans for the Heartbleed vulnerability originating from attackers. Attackers could be targeting specific sites but, fortunately, the most popular sites are no longer affected.

IPS will help block attacks...

Symantec IPS signature 27517, Attack: OpenSSL Heartbleed CVE-2014-0160 3, has been released and will detect and block attempts to exploit Heartbleed on vulnerable servers.

Advice remains the same...

For businesses:

* Anyone using OpenSSL 1.0.1 through 1.0.1f should update to the latest fixed version of the software (1.0.1g), or recompile OpenSSL without the heartbeat extension.

* Businesses should also replace the certificate on their web server after moving to a fixed version of OpenSSL.

* Finally, and as a best practice, businesses should also consider resetting end-user passwords that may have been visible in compromised server memory.
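Two defender-side checks for the first point above, written here as an added example that is not part of the original post or of Symantec's or OpenSSL's own tooling: one classifies an `openssl version` string against the affected range the article gives (1.0.1 through 1.0.1f), the other looks for the heartbeat extension in a captured `openssl s_client -tlsextdebug` handshake. All sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not code from the article or from Symantec/OpenSSL.
# Check 1: classify the output of `openssl version` against the affected
# range the article states (1.0.1 through 1.0.1f; 1.0.1g is the fix).
# Check 2: look for the heartbeat extension in an s_client transcript.
# All sample inputs below are constructed.

# heartbleed_version_status "<line printed by: openssl version>"
# Prints: affected | fixed | not-in-range
heartbleed_version_status() {
  # Second field of "OpenSSL 1.0.1f 6 Jan 2014" is the version token;
  # drop a build suffix such as "-fips" before matching.
  ver=$(printf '%s\n' "$1" | awk '{print $2}')
  ver=${ver%%-*}
  case "$ver" in
    1.0.1|1.0.1[a-f]) echo affected ;;
    1.0.1[g-z])       echo fixed ;;          # 1.0.1g and later 1.0.1 releases
    *)                echo not-in-range ;;   # outside the article's stated range
  esac
}
# Caveat: distributions often backport the fix without changing the letter
# (a patched build can still print 1.0.1e), so the version string alone can
# report "affected" for a server that is already safe. Checking whether the
# running server still advertises the heartbeat extension is more reliable.

# heartbeat_advertised "<output of: openssl s_client -connect host:443 -tlsextdebug>"
# Returns 0 when the server offered the TLS heartbeat extension, 1 otherwise.
heartbeat_advertised() {
  printf '%s\n' "$1" | grep -q 'TLS server extension "heartbeat"'
}

# Constructed handshake excerpts in the format s_client -tlsextdebug uses.
WITH_HB='TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "heartbeat" (id=15), len=1
SSL handshake has read 1432 bytes and written 446 bytes'
WITHOUT_HB='TLS server extension "renegotiation info" (id=65281), len=1
SSL handshake has read 1397 bytes and written 446 bytes'

for v in "OpenSSL 1.0.1f 6 Jan 2014" "OpenSSL 1.0.1g 7 Apr 2014" \
         "OpenSSL 1.0.1e-fips 11 Feb 2013" "OpenSSL 1.0.0l 6 Jan 2014"; do
  printf '%-34s -> %s\n' "$v" "$(heartbleed_version_status "$v")"
done
if heartbeat_advertised "$WITH_HB"; then echo "sample 1: heartbeat advertised"; fi
if heartbeat_advertised "$WITHOUT_HB"; then :; else echo "sample 2: no heartbeat"; fi
```

A server that no longer advertises the extension after the upgrade (or after a rebuild without heartbeat support) is the state the advice above is aiming for; the version check on its own is only a first pass.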

For consumers:

* Be aware that your data could have been seen by a third party if you used a vulnerable service provider.

* Monitor any notices from the vendors you use. Once a vulnerable vendor has communicated to customers that they should change their passwords, users should do so.

* Avoid potential phishing emails from attackers asking you to update your password. To avoid being tricked into going to an impersonated website, stick with the official site domain.

For the latest information on Heartbleed, including how to minimize your risk, please visit the Symantec Heartbleed outbreak page.

This post was originally published on the Symantec Security Blog
