Much of the IT world has lately spent a lot of time discussing the Heartbleed vulnerability in OpenSSL 1.0.1. This webinar focuses not just on the vulnerability and its remediation, but also on how the IT community at large responded to the incident.
Webinar: A Post-Mortem on Heartbleed – What Worked and What Didn’t
Presenters: Jonathan Trull – CISO State of Colorado; Wolfgang Kandek – CTO Qualys
Original date of Webinar: April 24th, 2014
Webinar content available at: https://www.qualys.com/forms/webcasts/heartbleed/?leadsource=17265983
This webinar was presented as a joint effort between the State of Colorado and one of its IT security vendors, Qualys. The presentation was targeted at IT professionals, specifically those who may be responsible for web applications or network security. Generally speaking, if you stay up to date on IT security, you are probably sick and tired of discussion of Heartbleed; the topic has dominated the IT community for the last two weeks. Unlike many other presentations, this webinar focused not just on the vulnerability and its remediation, but also on the overall IT community’s response. The conversation was generally split into five topics (technical background; timeline; testing; tools; and statistics), followed by a Q&A session that lasted about seven minutes.
The presenters spent a few minutes describing the Heartbleed vulnerability in modest detail. They focused less on the ‘bits and bytes’ of how the exploit works and more on which systems are actually vulnerable. I found this approach very helpful. If you are a true cyber ninja, you probably already know the technical details of Heartbleed. In my opinion, many commentaries have been too technical, which can easily confuse a less technical audience. Instead, this presentation focused less on the “how?” and more on the “so what?” They also presented multiple demos of how Heartbleed works, including one performed live during the webinar. This approach gave the audience a very good understanding of exactly how the exploit works and how it can potentially affect them.
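For readers who do want the “how?”, the following is an added example (my own illustration, not code from the webinar or from OpenSSL) that simulates the heartbeat handler before and after the fix. The heartbeat message carries its own 16-bit payload length, and the vulnerable code copied that many bytes into the reply without checking it against the size of the record actually received. Process memory is modelled as a bytearray, and the “secrets” placed after the record are constructed for the demonstration.

```python
"""Simulation of the Heartbleed over-read (added example, not OpenSSL's code).

OpenSSL's tls1_process_heartbeat() trusted the 16-bit payload length inside the
heartbeat message and memcpy'd that many bytes from the record buffer into the
reply, so a request that really carried a few bytes but claimed 16384 got 16 KiB
of adjacent process memory back. Memory is modelled here as a bytearray with
constructed secrets placed right after the incoming record.
"""
import struct
from typing import Optional, Tuple

TLS1_HB_REQUEST = 1
PADDING_LEN = 16  # OpenSSL appends 16 bytes of random padding to every heartbeat


def build_heartbeat(claimed_len: int, payload: bytes) -> bytes:
    """Heartbeat body: type(1) | payload_length(2) | payload | padding(16).
    An honest peer passes claimed_len == len(payload); an attacker does not."""
    return struct.pack("!BH", TLS1_HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING_LEN


def vulnerable_handler(memory: bytearray, rec_off: int, rec_len: int) -> Optional[bytes]:
    """Behaviour of OpenSSL 1.0.1 through 1.0.1f: copies `payload` bytes, whatever rec_len says."""
    hbtype = memory[rec_off]
    (payload,) = struct.unpack("!H", memory[rec_off + 1:rec_off + 3])
    pl = rec_off + 3
    if hbtype != TLS1_HB_REQUEST:
        return None
    # memcpy(bp, pl, payload): nothing ties `payload` to the bytes actually received,
    # so the copy runs past the record into whatever follows it on the heap.
    # (Python slicing stops at the end of the buffer; real memcpy does not.)
    return bytes(memory[pl:pl + payload])


def fixed_handler(memory: bytearray, rec_off: int, rec_len: int) -> Optional[bytes]:
    """Behaviour of OpenSSL 1.0.1g: the declared length is checked against the
    record length and malformed requests are silently dropped (no reply, no alert)."""
    if rec_len < 1 + 2 + PADDING_LEN:
        return None
    hbtype = memory[rec_off]
    (payload,) = struct.unpack("!H", memory[rec_off + 1:rec_off + 3])
    if 1 + 2 + payload + PADDING_LEN > rec_len:
        return None
    if hbtype != TLS1_HB_REQUEST:
        return None
    pl = rec_off + 3
    return bytes(memory[pl:pl + payload])


def simulate(claimed_len: int, payload: bytes) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Run one heartbeat through both handlers; return (vulnerable_reply, fixed_reply)."""
    record = build_heartbeat(claimed_len, payload)
    # Constructed heap neighbour: the kind of data a busy web server keeps next to a record.
    neighbour = b"Cookie: session=9f3c2a; Authorization: Basic YWRtaW46aHVudGVyMg==\r\n" * 4
    memory = bytearray(record + neighbour)
    return (vulnerable_handler(memory, 0, len(record)),
            fixed_handler(memory, 0, len(record)))


if __name__ == "__main__":
    print("honest request, both handlers:", simulate(4, b"ping"))
    leaked, dropped = simulate(0x4000, b"ping")
    print("malicious request: vulnerable handler leaked %d bytes, e.g. %r" % (len(leaked), leaked[:90]))
    print("malicious request: fixed handler replied", dropped)
```

The honest request (claimed length 4, payload `ping`) gets `ping` back from both handlers. The malicious request (claimed length 16384, same 4-byte payload) gets `ping`, the padding and then the neighbouring buffer back from the vulnerable handler, and nothing at all from the fixed one, which is why a patched server is detected by its silence rather than by an error message.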
The presenters briefly covered the timeline of Heartbleed, starting with the release of OpenSSL 1.0.1 in March 2012. They also specified the versions of OpenSSL that are affected by Heartbleed (1.0.1 through 1.0.1f, plus the 1.0.2 beta releases) and those that are not (the 0.9.8 and 1.0.0 branches, and 1.0.1g). One caveat worth adding: several Linux distributions backported the fix into their existing 1.0.1e packages without changing the version number, so the version string alone does not tell you whether a system is patched; check the package changelog or test the service directly.
Several free test scripts were offered for users to check their own systems for susceptibility to the Heartbleed exploit. In addition to these scripts, the presenters mentioned some commercial scanner tools that can test for Heartbleed as well as other security vulnerabilities. The presenters also spent several minutes discussing remediation and cleanup after Heartbleed. This was a critical topic, since some software vendors have only recently provided patches against Heartbleed and some have not released any updates at all! Other remediation steps were also covered, such as reissuing (and revoking) possibly compromised SSL certificates, since the server’s private key is among the things that may have been leaked, and forcing password changes once the patch is in place.
Several free tools and a demo site were also presented for further and more advanced remediation of Heartbleed. I found this section particularly refreshing. Much of the discussion of Heartbleed has come from the IT security contracting industry, and many of these vendors have offered “free webinars” that were really thinly veiled sales pitches for their products and services. In this case, the presenters offered truly helpful tools for the benefit of the audience.
The presenters also spent a few minutes discussing some of the sites that were publicly affected by Heartbleed, including Yahoo, Imgur, OkCupid, the Canada Revenue Agency (Canada’s equivalent of the IRS), and Healthcare.gov. One of the most alarming statistics was that after two weeks of education and remediation, a surprising number of systems are still vulnerable (over 5% of the sampled servers).
The presentation concluded with a challenge for users to try and exploit a demo site created by the sponsors followed with some questions and answers. I have read and heard a lot about the Heartbleed vulnerability over the last 2 weeks. Although I did not learn much new technical information, I did get some valuable suggestions and free remediation tools from the presentation. Overall, I feel that the presenters did a good job of explaining the problem and suggesting some real world solutions. As previously mentioned, I found their offering of open-source solutions refreshing after 2 weeks of shameful sales pitches. I would encourage any IT professional or manager to go and review the content of the webinar at: https://www.qualys.com/forms/webcasts/heartbleed/?leadsource=17265983.
Questions to consider:
- As IT professionals, do we rely too heavily on “security experts” to educate us on issues such as Heartbleed? Does this reliance leave us susceptible to blindly following the advice of others without our own research?
- Knowing that this vulnerability has been a threat since early 2012, how much information may have been lost/compromised? Once litigation begins, who (if anyone) will be held responsible?
Although Heartbleed is a very real threat to many servers, it can also be a threat to many personal devices. Android devices often ship with the vulnerable OpenSSL 1.0.1 library (Android 4.1.1 in particular). Before you go out and patch your device, SANS is warning users to exercise caution: it would appear that there are a number of hoax patches that could be more dangerous than Heartbleed itself!