Heartbleed-Weary Tech Firms Show OpenSSL a Little Love
A new attack vector has been identified, causing renewed distress over the difficulty of coming up with a Heartbleed cure. Coincidentally, the latest threat information comes just as a group of tech companies announced a new effort to shore up OpenSSL security. A coding error in OpenSSL, which is widely used but pathetically undersupported, led to the Heartbleed debacle.
05/30/14 2:29 PM PT
Remember Heartbleed? Several weeks ago, the exposure of this security bug chilled the Internet, highlighting once again that even the seemingly unbreakable can be hacked. In the case of the Heartbleed vulnerability, encrypted data was at risk of theft.
Sites potentially vulnerable to Heartbleed urged users to change their passwords. They ranged from Canada's Revenue Agency to Amazon Web Services to Yahoo to Reddit.
Although angst waned following the launch of a massive initiative to patch the vulnerabilities that could permit malware attacks, Heartbleed has emerged from its bunker.
Luis Grangeia, security services manager at SysValue, this week identified a new attack vector that opens wireless routers and Android devices to infiltration. In this case, the attack is carried out via WiFi, targeting both the client and the server.
The vector, called "Cupid," is a new twist on Heartbleed. Previously it was believed Heartbleed could be exploited only over TCP connections or after the TCP handshake, Grangeia noted. Cupid essentially killed those "sacred cows."
Another lesson learned from Cupid, Grangeia said, is that "openSSL sucks."
The tech industry may be inclined to agree, albeit in less blunt language, but there's an effort under way to improve OpenSSL.
The Core Infrastructure Initiative, a group of tech companies gathered together by The Linux Foundation in response to Heartbleed, this week announced funding for several open source projects to shore up security.
The group has prioritized Network Time Protocol, OpenSSH and OpenSSL for the first round of funding, with OpenSSL slated to receive funds for two full-time core developers.
Companies participating in the initiative include Adobe, Amazon Web Services, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, HP, Huawei, IBM, Intel, Microsoft, NetApp, Rackspace, Salesforce.com and VMware.
Too Little, Too Late?
How much this initiative will help matters remains to be seen.
"There's little doubt that additional support for OpenSSL will improve the situation, but it's hard to know whether it's too little, too late," Tim Erlin, director of IT security and risk strategy at Tripwire, told LinuxInsider.
"Additional support only improves the code going forward -- it doesn't magically patch deployed instances of the cryptography library," he continued. "This means consumer safety still depends on continued mitigation and patching efforts."
In fact, the risk from Heartbleed is still high despite the efforts of the security industry over the last month, said Lamar Bailey, director of security research at Tripwire.
"It often takes organizations a long time up apply patches because of testing and change control limitations," he told LinuxInsider. "Unfortunately for consumers, these long patch cycles mean that successful Heartbleed attacks will keep taking place for months, and perhaps even for years."
The next big Heartbleed-style attack is nearly impossible to predict, said Andrew Avanessian, VP of global professional services at Avecto.
For that reason, "IT must take a proactive stance to security in order to reduce an organization's exposure to the next attack," he told LinuxInsider.
"Defense-in-depth security strategies should include both reactive and proactive measures, including regular patching and removing elevating privileges from all users," Avanessian suggested.
"This would ensure that if an attacker managed to gain access to a user's credentials via a Heartbleed-style bug, they would be limited in the damage they could cause," he explained.
"After all diligent remediation steps have been taken, Heartbleed remains a waiting game," observed Paul Martini, CEO of Iboss Network Security.
"Having users change their passwords was a good idea, as was changing certificates," he told LinuxInsider. "However, as we have discovered, there are no foolproof methods."