By Greg Jensen on Apr 14, 2014
Unless you have been sleeping under a rock the last few weeks, one of the biggest items of news in security has been a vulnerability that has existed since December 2011. The vulnerability, CVE-2014-0160, is more widely known as the Heartbleed Bug and is only now making its reputation known after researchers discovered the widespread impact of this vulnerability on data privacy.
The vulnerability is in an older version of the OpenSSL encryption routines used for secure web sessions. For example, when you go to your favorite banking or web email site and log in, you see a padlock in the lower right corner. This "closed" padlock signifies that SSL (Secure Sockets Layer) has initiated and secured a connection between your browser and the service you are connecting to, so that nobody can intercept or monitor your communications. This is critical when filing taxes online, sending private emails on Yahoo, or using cloud-based file sharing services over a browser connection.
Without diving into the full details of the way the exploit works, in the simplest terms this vulnerability allows a remote attacker to simply make a network connection to a vulnerable system and pull small chunks of data that are left in memory from the SSL session. While this does not mean that an attacker can pick and choose files from your system, it does mean that the kinds of information commonly found in that memory, such as passwords, session IDs and private encryption keys, can be exposed. All of this, of course, is very sensitive information.
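To make the "small chunks of data left in memory" concrete, here is an added example that is not from this post or from OpenSSL: a simplified heartbeat echo handler in C. The naive version trusts the length field inside the request, so its reply is filled from whatever memory sits after the real payload; the checked version validates that claim against the bytes that actually arrived and discards the request otherwise, which is the shape of the fix. The record layout, the arena buffer and the secret string are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat request: type(1) | payload_len(2, big-endian) | payload | padding(16).
 * Constructed for illustration; not OpenSSL's code. */
#define HB_REQUEST 1
#define HB_PADDING 16

/* Constructed "process memory": a 24-byte record with a 5-byte payload sits at the front,
 * and a secret that was never part of the request follows it. */
static const unsigned char arena[] =
    "\x01\x00\x28" "hello"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "SESSION=abc123;PRIVKEY=-----";
static const size_t record_len = 1 + 2 + 5 + HB_PADDING;  /* bytes that actually arrived */

/* Naive echo: trusts the length field inside the request (the shape of the defect).
 * It never compares the claim with rec_len, so the copy runs past the real payload. */
size_t heartbeat_naive(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    (void)rec_len;
    if (rec[0] != HB_REQUEST) return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (payload_len > out_cap) return 0;          /* only the output buffer is bounded */
    memcpy(out, rec + 3, payload_len);            /* copies adjacent memory into the reply */
    return payload_len;
}

/* Hardened echo: the claimed length must fit inside the record that was received;
 * otherwise the request is silently discarded, which is the shape of the fix. */
size_t heartbeat_checked(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload_len + HB_PADDING > rec_len) return 0;  /* claim exceeds record */
    if (payload_len > out_cap) return 0;
    memcpy(out, rec + 3, payload_len);
    return payload_len;
}

int main(void) {
    unsigned char out[64];
    size_t n = heartbeat_naive(arena, record_len, out, sizeof out);
    printf("naive echoed %zu bytes; tail: %.19s\n", n, (const char *)out + 21); /* secret */
    n = heartbeat_checked(arena, record_len, out, sizeof out);
    printf("checked echoed %zu bytes\n", n);                                     /* 0 */
    return 0;
}
```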
The biggest challenge here is that many consumers and corporate users recycle passwords and user names. User names are often their email address, and passwords are often re-used again and again across all of the web services and web properties they access. So the challenge is that if an attacker is lucky enough to collect one password for the online flower website a user just purchased flowers on, chances are that attacker will attempt to use that same user ID and password against the mainstream email, financial, retail and services portals associated with that same user.
The impact of the Heartbleed bug is global. It is as far reaching as any bug, as it affects hundreds of millions of online user accounts. Many researchers are advising you to wait a few more days before attempting to change all of your online passwords. Why not sooner? Changing passwords while your systems and the services you connect to are still at risk of being vulnerable is a wasted effort. By the end of this week, most of the online service providers you use will have all of their systems patched, most browsers will be updated and patched, and most smartphones and tablets will be secured. At that point, it will be highly recommended to change passwords. The best course of action is to check with your service provider, such as your online banking website or whatever other online service you use, for when they give the "all clear" to reset passwords.
So what are the lessons here? Regardless of whether you are a member of a major corporation, a non-profit, or you are heading up a family of 3, the advice is the same. As a consumer or corporate user, you must adopt a new mindset around your own password policy. Passwords and user IDs must be unique for each service and account you access. Passwords must not be personally tied to you, in the sense that they should not contain family names or dates that are tied to you or your family members. Rotating and refreshing them every 30 to 90 days is critical. This is called compartmentalizing the risk. The practice ensures that if a password is compromised, only that one service is at risk, such as your online flower website. Your personal banking, your company's VPN password, your secure email passwords and more remain safe, all because you have kept them separate.
In the corporate world, this can be greatly simplified through the use of Single Sign-On technologies that take dozens of unique account credentials, which would be hard to remember, and place them under one strong user ID and password that the employee can focus on remembering. For consumers, there are best practices around consumer-oriented tools that can accomplish the same goal of pulling passwords together, but buyer beware. For every one "reputable" product worthy of storing your most sensitive information, there are 10 others that you should stay away from, as some are even malicious in nature and designed to steal information, so be careful.
There are numerous online resources to help you research whether your website is vulnerable, as well as many more security research articles that detail additional guidance for administrators looking to remediate their websites.
For more information on how Oracle can help address your organization's needs around account provisioning, Single Sign-On and more, visit us at www.oracle.com/identity