Heartbleed being monitored by CSM and MCMC
By Gabey Goh April 11, 2014
- Alerts issued by MCMC and CyberSecurity Malaysia, situation being monitored
- Companies urged to patch vulnerability and update all encryption keys, passwords
THE race is on for affected organisations around the world to patch their systems following the discovery of the Heartbleed bug (CVE-2014-0160) by Finnish security firm Codenomicon.
The vulnerability is a bug introduced in 2012 in OpenSSL, a cryptographic library used to secure a large share of the Internet's traffic; OpenSSL 1.0.1 through 1.0.1f (and 1.0.2-beta1) are affected, and 1.0.1g carries the fix. It was dubbed Heartbleed because it sits in OpenSSL's implementation of the TLS/DTLS (transport layer security) heartbeat extension (RFC 6520): the code trusts the payload length claimed in an incoming heartbeat request and copies that many bytes into the reply without checking that the request actually carried that much data.
When exploited, each malformed heartbeat leaks up to 64KB of the victim's process memory, which can include private keys, session cookies and passwords. The leak works in both directions: a malicious client can read a vulnerable server's memory, and a malicious server can read the memory of a vulnerable OpenSSL client.
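The mechanism above, as an added example that is not part of the original article: a Python simulation of OpenSSL's heartbeat handler in its vulnerable form and with the 1.0.1g length check, together with the verdict a checker (such as the verification sites mentioned later in the article) draws from the reply. The heap contents, function names and the zero-filled remainder of the 16KB reply are constructed stand-ins; a real checker must first complete a TLS handshake that advertises the heartbeat extension before sending the record, which this offline example omits.

```python
import os
import struct

HEARTBEAT_RECORD = 24          # TLS ContentType for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16                   # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat_request(claimed_len, payload=b"", version=(3, 2)):
    """Heartbeat request record whose 16-bit length field claims `claimed_len`
    bytes while the record actually carries only len(payload) bytes."""
    body = struct.pack("!BH", HB_REQUEST, claimed_len) + payload
    header = struct.pack("!BBBH", HEARTBEAT_RECORD, version[0], version[1], len(body))
    return header + body


def process_heartbeat(record, adjacent_heap, fixed):
    """Simulation of OpenSSL's tls1_process_heartbeat.

    `record` plays the role of rrec.data/rrec.length (the bytes actually
    received); `adjacent_heap` is a constructed stand-in for whatever sits in
    the process heap right after that buffer. Returns the reply body, or None
    when the request is silently discarded."""
    if fixed and 1 + 2 + PADDING > len(record):
        return None                       # 1.0.1g: header cannot even fit
    hbtype, payload = struct.unpack("!BH", record[:3])   # n2s(p, payload)
    if fixed and 1 + 2 + payload + PADDING > len(record):
        return None                       # 1.0.1g: claimed length exceeds rrec.length
    if hbtype != HB_REQUEST:
        return None
    pl = record[3:]
    # memcpy(bp, pl, payload): trusts the peer's length and keeps copying past
    # the end of the received record into neighbouring heap memory. Zeros
    # stand in for the rest of the region the real bug would also copy.
    copied = (pl + adjacent_heap)[:payload].ljust(payload, b"\x00")
    return struct.pack("!BH", HB_RESPONSE, payload) + copied + os.urandom(PADDING)


def classify(reply, sent_payload_len):
    """Verdict a Heartbleed checker draws from the peer's behaviour."""
    if reply is None:
        return "not vulnerable"           # dropped: patched, or no heartbeat support
    hbtype, length = struct.unpack("!BH", reply[:3])
    if hbtype == HB_RESPONSE and length > sent_payload_len:
        return "VULNERABLE"               # echoed more than we sent: memory disclosure
    return "not vulnerable"


def leaked_bytes(reply, sent_payload_len):
    """Bytes in the reply that the peer never received from us."""
    _, length = struct.unpack("!BH", reply[:3])
    return reply[3:3 + length][sent_payload_len:]


# Constructed stand-in for secrets lying in the heap next to the record buffer.
HEAP_AFTER_RECORD = b"Cookie: session=8f3a9c1e; Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"


def demo():
    request = build_heartbeat_request(0x4000)     # claim 16384 bytes, send none
    record = request[5:]                          # strip the 5-byte TLS record header
    vulnerable = process_heartbeat(record, HEAP_AFTER_RECORD, fixed=False)
    patched = process_heartbeat(record, HEAP_AFTER_RECORD, fixed=True)
    return classify(vulnerable, 0), classify(patched, 0), leaked_bytes(vulnerable, 0)


if __name__ == "__main__":
    verdict_old, verdict_new, leak = demo()
    print("unpatched:", verdict_old, "leaked:", leak[:80])
    print("patched:  ", verdict_new)
```

The patched branch still answers a well-formed heartbeat (claimed length matching the bytes sent, plus padding), so the check does not break legitimate keepalive traffic; it only drops requests that ask for more than arrived.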
According to Codenomicon, the vulnerability exposed 66% or more of the Internet's web servers to attack, a figure based on the combined market share of Apache and nginx, both of which rely on OpenSSL.
The Heartbleed bug is being described as the most serious security threat to the Internet to date.
In a blog post on the issue, security expert Bruce Schneier called Heartbleed a “catastrophic” vulnerability: "On the scale of 1 to 10, this is an 11."
According to a report by Ars Technica, malicious ‘bot’ software may have been attacking servers with the vulnerability for some time.
“In at least one case, traces of the attack have been found in audit logs dating back to last November and attacks based on the exploit could date back even further,” the technology news site’s Sean Gallagher wrote.
Technology website Mashable has compiled a list of major websites and Internet services, tracking whether these organisations are affected by Heartbleed and whether users would need to change their passwords to re-secure their accounts.
Services and websites affected include Google, Gmail, Yahoo, Facebook, Amazon Web Services, Dropbox and Lastpass. Popular dating website OKCupid was also on the list.
Amazon Web Services has reportedly already sent email notifications to all customers worldwide, informing them of the vulnerability and steps customers would need to take on their part.
Recommendations for enterprises
In a statement, FireEye's threat intelligence analyst Aaron Charrington said that the network security company has observed several different lists being posted to GitHub and Pastebin, tracking which sites are vulnerable, not vulnerable, or not running SSL (Secure Sockets Layer) on their web servers.
“Organisations are encouraged to apply the patch at their earliest opportunity and identify their own strategy for deployment based on their own needs and testing requirements,” he added.
FireEye has recommended that companies do the following:
- All externally facing servers should be patched first to reduce the potential number of individuals who could connect to a vulnerable system.
- Patch any servers providing authentication, which could leak legitimate credentials to a hacker.
- Then patch any servers containing sensitive data including personally identifiable information (PII), customer data, critical intellectual property, or those conducting financial transactions.
- Then pursue a strategy to patch all other internal systems.
- Identify partner organisations' websites that employees may use, and ensure that these other websites have been secured as well.
- Create, install / deploy new certificate(s). Organisations which suspect they are being attacked already should also consider revocation of the old keypairs that were just superseded, and also invalidating all session keys and cookies.
In addition, organisations should perform network scans as soon as possible and identify whether any other devices may be running OpenSSL as well.
“This could include appliances, wireless access points, routers, or pretty much anything else that may use SSL. As an example, several different types of Voice-over-IP (VoIP) phones used in the corporate environment run SSL.
“For these other devices, organisations may need to work with their vendors to apply a patch, firmware, or solution to ensure that all equipment,” said Charrington.
He added that organisations would want to ensure appropriate logging is enabled on their servers, and conduct increased auditing to determine if any unauthorised users are leveraging compromised credentials that may have already been leaked.
“As the credentials are legitimate, auditing serves as one of the best ways to identify anomalous activity. Auditors should be on the lookout for anything outside of the normal including logins for different geographic regions, extreme off-hour activity, increase in outbound bandwidth usage, and other similar activity,” he added.
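The kind of audit Charrington describes, as an added example that is not FireEye's or the article's own code: a Python pass over constructed login records that flags a login from a country not previously seen for that user, a login inside an assumed quiet window, and an outbound-volume jump relative to the user's own earlier sessions. The log format, the 00:00-05:59 quiet window and the 10x outbound threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records: "timestamp user src_ip country bytes_out".
SAMPLE_LOG = """\
2014-04-08T09:12:04 alice 203.0.113.7 MY 12000
2014-04-08T09:40:51 alice 203.0.113.7 MY 8000
2014-04-08T03:02:17 alice 198.51.100.23 RU 950000
2014-04-08T10:05:00 bob 192.0.2.44 MY 5000
2014-04-09T02:30:00 bob 192.0.2.44 MY 4000
"""

OFF_HOURS = range(0, 6)      # assumed quiet window: 00:00-05:59 local time
OUTBOUND_FACTOR = 10         # assumed: flag sessions >10x the user's previous peak


def parse_log(text):
    """Turn the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, ip, country, bytes_out = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "ip": ip,
            "country": country,
            "bytes_out": int(bytes_out),
        })
    return events


def audit(events, outbound_factor=OUTBOUND_FACTOR):
    """Return (timestamp, user, reasons) for each event that looks anomalous.

    Baselines are built per user from the events seen so far, so the first
    session of a user is never flagged for geography or volume; with stolen
    but valid credentials, deviation from the user's own history is the
    signal, not a failed login."""
    findings = []
    countries = defaultdict(set)
    outbound = defaultdict(list)
    for e in events:
        reasons = []
        user = e["user"]
        if countries[user] and e["country"] not in countries[user]:
            reasons.append(f"new country {e['country']} (seen before: {sorted(countries[user])})")
        countries[user].add(e["country"])
        if e["ts"].hour in OFF_HOURS:
            reasons.append("off-hours login")
        if outbound[user] and e["bytes_out"] > outbound_factor * max(outbound[user]):
            reasons.append(f"outbound {e['bytes_out']} bytes above user baseline")
        outbound[user].append(e["bytes_out"])
        if reasons:
            findings.append((e["ts"].isoformat(), user, reasons))
    return findings


if __name__ == "__main__":
    for ts, user, reasons in audit(parse_log(SAMPLE_LOG)):
        print(ts, user, "; ".join(reasons))
```

A single off-hours login (bob's second session) is a weak signal on its own; the combination of new geography, off-hours timing and a volume spike in one session (alice's third) is what an auditor would escalate first.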
Patching and securing Malaysian assets
Responding to queries made by Digital News Asia (DNA), the Malaysian Communications and Multimedia Commission (MCMC) said that it alerted all Internet service providers (ISPs), the Government Emergency Response Team (GCERT) and other regulators and banks on April 8.
MCMC said that it will continue to monitor and advise those who are vulnerable. However, this will be upon detection or reports received, it said.
In addition, the regulator noted that the Malaysian Administrative Modernisation and Management Planning Unit (Mampu) has set guidelines for government agencies to secure their systems, and that patching is part of the exercise.
CyberSecurity Malaysia (CSM), an agency under the Ministry of Science, informed DNA that it also issued an alert on April 8.
Its chief executive officer Amirudin Abdul Wahab said that all Malaysian companies are being advised to check whether their websites are vulnerable. To aid in checks, the agency has also pointed administrators to a verification site and an alternative site.
“If the website is confirmed to be vulnerable, we advise administrators to patch immediately by referring to our advisory.
“Any keys generated with a vulnerable version of OpenSSL can be potentially compromised and we advise users after patching the affected systems, to immediately update the SSL certificate, and then change every password that could potentially be affected,” he added.
Amirudin said that this vulnerability is considered to be a serious issue and advised users to take extra precautions.
“Do not log into accounts from afflicted sites and if possible, avoid the site for the time being until necessary patches and upgrades have been done.
“We recommend users change their information such as their passwords in sensitive accounts immediately after receiving confirmation of security patches,” he added.
Amirudin said that actions are currently being taken to identify and rectify the vulnerabilities by relevant parties, and the agency is also monitoring the situation and would take necessary action “as and when needed.”
When asked about what measures the agency could take to ensure the affected Malaysian companies undertake the necessary actions against the bug, Amirudin said that CSM was not “in a position to enforce and instruct companies or users to follow our recommendations.”
“However, our role as the national technical specialist reference centre is to provide assistance to Internet users by providing alerts and advisories on the latest vulnerabilities or outbreaks, and offer our technical expertise as assistance,” he added.
MCMC also said that regulators for critical services should provide advisories to the industries under their purview.
However, when asked if any regulation exists that would enable enforcement of security updates, MCMC stated that there is currently “no legislation or regulation to compel any organisation to patch their systems.”