The Gist of Heartbleed

Posted on: April 10th, 2014 by Brett Weston No Comments

What is going on?!
———————————————————-

On April 7, 2014 a simple coding flaw was discovered in OpenSSL. OpenSSL is an encryption library used, predominantly by Linux and Unix-based systems, to secure data as it traverses the Internet (keeps your data from getting in the hands of others). The coding flaw (CVE-2014-0160) was introduced into OpenSSL in December of 2011 and published in OpenSSL’s production code on March 14, 2012.

OpenSSL’s heartbeat extension is where this coding flaw is located, thus the flaw has been nicknamed the “Heartbleed Bug.”

Because OpenSSL is so popular, it’s estimated that roughly 2/3 of the internet is affected.

Why does it matter?
———————————————————-

The Heartbleed Bug allows attackers to remotely (from literally anywhere with an internet connection) retrieve contents from affected systems’ memory. The memory contents can be retrieved, unencrypted, without the benefit of valid system credentials. The retrieved memory contents could be useless; the content could contain username and password data; or, in a nightmare scenario, the content could contain the private key data for the affected server. Anything is possible.

The Heartbleed Bug can be invoked over and over. For this reason, a persistent attacker could exploit an affected system until valuable or desirable memory data is obtained.

What has ITS done about it?
———————————————————-

On April 8, 2014, hours after disclosure, the UISO began identifying affected systems and patching as necessary. At this time, all ITS managed systems are believed to be secured.

It is important to note that Windows Server and OS X Server products are unaffected by Heartbleed. For this reason, critical LUC systems, including (but not limited to) LUC’s Microsoft Exchange email infrastructure, have never been vulnerable to the Heartbleed exploit.

What is ITS continuing to do?
———————————————————-

The UISO continues to actively scan LUC’s network for systems that are vulnerable to Heartbleed. The scans include LUC data centers and the broader LUC network segments. As of April 9, 2014, the UISO sent notices to system owners affected by Heartbleed.

How can I tell if I’m affected?
———————————————————-

The most common service affected by Heartbleed is https (a website using SSL). System Administrators responsible for Internet-facing systems, especially those using Linux or Unix-based systems and leveraging web services, should ensure that OpenSSL is patched. If you need assistance determining if a machine in your area of responsibility is vulnerable, please email datasecurity@luc.edu.

Site visitors can test a website’s OpenSSL implementation by using one of the online tools available (e.g. http://filippo.io/Heartbleed/).

What should I do if I’m affected?
———————————————————-

Patch! Systems found to be vulnerable to Heartbleed should be patched immediately. Systems that handle sensitive or regulated data should consider revoking outstanding SSL certificates and generating new ones. If you need assistance with (or have questions about) SSL certificates, please email datasecurity@luc.edu.

What about non-LUC sites?
———————————————————-

There has been quite a bit of fear, uncertainty, and doubt cast upon this vulnerability by media outlets. Users should check their critical websites’ (bank, credit card, email provider, etc.) for a statement about Heartbleed. Out of an abundance of caution, you may want to change the passwords used on these sites. Some sites may force you to change your password in the coming days.

Some media outlets are tracking the state of popular websites, advising people when to change their passwords. http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

What if I want to change my LUC password?
———————————————————-

If you wish to change your LUC password, you can visit https://pellonia.luc.edu/iuadmin.

What if I need more help or have questions?
———————————————————-

If you have questions or additional concerns about Heartbleed or other network security related matters, please feel free to email datasecurity@luc.edu.

Leave a Reply