After Heartbleed -- what has the vulnerability taught us?
The Heartbleed OpenSSL vulnerability has sent tremors down to the very foundations of the IT world. But now that we're over two weeks on from the news of the bug first breaking, what have we learned, and has anything really changed? We talked to some leading security experts to find out.
There's little doubt about the seriousness of the problem. Amit Sethi, Technical Manager at security firm Cigital, says, "This is indeed one of the worst vulnerabilities in the history of the web. It has been present in OpenSSL for over two years, during which time it has made it into a lot of software. Unlike many other vulnerabilities in SSL implementations that we have heard about in recent years, this one does not require the attacker to be positioned between your computer and the server. The attacker can go directly to the server and get any information that you recently exchanged with it over a secure channel".
However, Sethi does take a positive from the news in terms of the industry's response, "...high-profile websites have been addressing the issue very quickly either by fixing it or by taking down their applications while they create a mitigation plan".
Heartbleed has the potential to affect everyone who uses the web. Sean Sullivan, Security Adviser at F-Secure says that smaller businesses may not be able to fix the problem themselves. "SMBs are typically not running their own web server or are using Apache that someone has set up for them. This is not an issue for small businesses themselves but they may be vulnerable through third parties".
Because Heartbleed mainly affected servers -- though it could be in some versions of Android too -- it meant that you were vulnerable whatever operating system you were running. Most vulnerable servers will have been patched by now, and the speed with which major companies reacted has been impressive, but Alex Balan, Head of Product Management at BullGuard, warns that, "SSL is used by devices like load balancers and even some wireless routers which will need a firmware update".
Balan also believes that, "Heartbleed teaches us a good lesson about the state of the internet in 2014. People are more security aware and take a more proactive approach to patching servers". He also thinks that password managers will become more popular as people become more aware of security.
The need for better password security, and for avoiding the temptation to use a single password for multiple sites, is underlined by Joe Ferrara, President and CEO of Wombat Security Technologies: "To avoid using information people could easily guess, you can create a password family and also make passwords easy to remember. For example, you could create a password family around automobiles. Bl&ckVo1vo (Black Volvo) might be for secure use such as your online banking, and then R3dF#rr$ri (Red Ferrari) might be for more risky activities such as online shopping".
Although there has as yet been no major leakage of information captured from Heartbleed, it's still possible that we'll see attacks using stolen details in the weeks and months to come. The full extent of the problem may never be known, but at least we can take some comfort from the way that security professionals and the IT industry generally have responded and from the increased awareness of good password practice.
If the implications of Heartbleed still worry you or you think there’s anything else the industry could be doing to offer greater protection do let us know in the comments.