Code red, the ship is on fire

Checking out Hacker News for a refreshing end to my work day, I was instead greeted with the worst of all tech-related bad news: Heartbleed, a vulnerability in popular versions of OpenSSL allowing attackers anonymous (read: no way to figure out how widely it’s been exploited up to this point) access to 64 KB of memory of an affected client or server.

How bad is it? Tor had this to offer in its blog post on the subject:

“If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle.”

Let’s play a doomsday scenario out a little bit:

  1. Attacker compromises the private key to Ubuntu’s (or any other distro’s) package repository
  2. Attacker generates their own certificate and phishes someone with write access
  3. Attacker pushes out legitimate-looking vulnerable versions of all your favorite packages, signed with the proper private key
  4. Attacker can effectively attack any machine that installs that vulnerable package

Let’s try another:

  1. Attacker gets private key for the instant messaging account for a security guy at Google, or their IRC server (thankfully, a Google employee was the one who found it, so at least they were probably first to patch against it)
  2. Attacker listens to all their communications to wait for an opportunity
  3. Attacker initiates a phishing attack using real-sounding information, impersonating an employee
  4. Attacker gets access to Google’s hosted JavaScript libraries, inserts a small keylogger
  5. Every user on every website using Google to include jQuery or other popular libraries gets keylogged

Both of these scenarios require a phishing attack to happen at some point, but even this wouldn’t be necessary. The possibilities are endless. And it’s better than a normal bug! Normal bugs are patched with software updates, and then they’re no longer an issue. Not so with this one. Every key, every password, every everything has to be assumed to have been compromised, and replaced. As you can probably imagine, that will take time.

Why am I posting this? It might seem I’m just predicting doom and giving no solutions. My hope is that you will help me in convincing all the parties affected by this to:

  1. Upgrade their vulnerable versions of OpenSSL
  2. Change all private keys that might’ve been compromised
  3. Generate new SSL certificates where necessary

This isn’t an easy prospect, and many will be slow to do everything necessary to protect against this exploit unless they have motivation to do so. Every day they wait, they potentially put millions of people’s sensitive data at risk.

Take it to Twitter using the #OpenSSLBug hashtag! Time is of the essence, and broad awareness is crucial.


You might want to stay off the Internet for a few days, assuming you’re not one of the unlucky few who have to go and clean this mess up.

Updates
Here is a tool to find out if your favorite sites support the vulnerable heartbeat feature, and thus probably need to do damage control. To name a few: Google, Twitter, and Instagram, although others may have simply disabled the feature temporarily, which unfortunately isn’t a complete fix.

Want to find more sites that need to be patched? Google the following, and you’ll begin to see just how deep the rabbit hole goes.

[REMOVED]

OpenSSL is trending on Twitter right now. It looks like people are starting to take notice.

For anyone running a website of their own, here’s a thread on ServerFault describing how to check your OpenSSL version and find any processes that might still be running on the old version once you’ve updated. If you’re running Ubuntu, they still haven’t released the new version, so head over to the OpenSSL site to grab the new version to compile from source. Once you’ve upgraded, restart every service that shows up when you run:

lsof -n | grep ssl | grep DEL
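
A stricter version of that check, as an added example (not from the original post or the ServerFault thread): it matches on lsof's FD field and on the libssl file name, so unrelated paths that merely contain "ssl" or "DEL" are not reported. The function names and the sample lsof lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list processes that still map a deleted (pre-upgrade) libssl.
# Input is `lsof -n` output on stdin, so it also works on saved output.

# Print "PID COMMAND LIBRARY" once per process whose lsof line has a field
# exactly equal to DEL followed by a path naming a libssl shared object.
stale_libssl() {
    awk '
        {
            del = 0; lib = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "DEL") del = 1
                else if (del && $i ~ /\/libssl\.so/) lib = $i
            }
            if (del && lib != "" && !seen[$2]++) print $2, $1, lib
        }
    ' | sort -n
}

# Unique command names only: the list of services to restart.
stale_commands() {
    stale_libssl | awk '{ print $2 }' | sort -u
}

# Constructed sample of `lsof -n` output (not captured from a real host).
sample_lsof() {
    cat <<'EOF'
COMMAND    PID     USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
nginx     1201     root  DEL    REG    8,1          131234 /lib/x86_64-linux-gnu/libssl.so.1.0.0
nginx     1201     root  DEL    REG    8,1          131230 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
nginx     1202 www-data  DEL    REG    8,1          131234 /lib/x86_64-linux-gnu/libssl.so.1.0.0
apache2    845     root  mem    REG    8,1   383104 131300 /lib/x86_64-linux-gnu/libssl.so.1.0.0
postfix   2210     root  DEL    REG    8,1          140011 /var/spool/postfix/ssl-cache.db
vim       3300    alice   4r    REG    8,1     2048 150022 /home/alice/DEL/ssl-notes.txt
EOF
}

# On a live host: lsof -n | stale_commands
if [ "${1:-}" = "--demo" ]; then
    sample_lsof | stale_libssl
fi
```

On the sample, the plain grep pipeline also reports the postfix and vim lines, while the apache2 process that already maps the new library is correctly skipped by both.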

When you’re ready to generate new keys and get new certificates:

Can’t remember all the keys you might need to rotate? Take these for a spin:

sudo find / -name "*.key" -type f
sudo find / -name "*.pem" -type f

This might also be a good time to tweak your webserver to use only secure SSL ciphers.
