Last week, while I was in the offices of one of our customers, a long-present but little-known vulnerability in OpenSSL became public knowledge. Our client detected it early and made the necessary patches and updates. The systems deployed by their customers are now secure. Consumers will change their passwords, and credentials stolen prior to the Heartbleed fixes will be worthless.
Unfortunately, the broader threat hasn’t passed. The Heartbleed vulnerability was a pervasive attack vector for collecting user credentials. Some of those credentials undoubtedly belong to administrators who control every part of the systems they manage. Those administrative credentials are the proverbial keys to the castle – and they may still work. Ouch … this means that some of the user password changes did not help, since anyone holding stolen administrator credentials could still gain access to other user names and passwords.
The first few exploitations of Heartbleed have now been reported, and a “honeypot” set up on a University of Michigan server was attacked the day after the vulnerability was announced. But overall, it’s been rather quiet, and some people are already writing Heartbleed off as old news. I advise against that -- hackers may have known about Heartbleed for well over a year. How do we know for certain that critical administrative user credentials have not been compromised and subsequently used to conduct fraud? Or soon will be used?
Too early to declare “all clear”
Before we declare an “all clear,” we have to do the hard work. Each manufacturer must clearly identify where OpenSSL introduced issues, and every service provider must check those systems for the vulnerability. This means a lot more investigation than just reviewing Internet-facing web applications. It is a top-to-bottom inventory and review of the critical appliances and systems deployed in mission-critical networks.
Once the extent of the risk is clearly identified, the cleanup could take months or longer. The entire access control system at many service providers may have to be rebuilt and closely monitored for months to validate that all unauthorized accounts have been removed.
On the consumer side, the sheer number of data breaches in the past five years seems to be numbing individuals to the threat. Many people have gotten a breach disclosure by now, but fewer have actually been harmed by the information that got out. This can lead to complacency and – paradoxically – a feeling of invulnerability.
Heartbleed and the other very large breaches in 2014 may begin changing that equation. If the other shoe drops and we start seeing hackers breaching systems that were declared “safe,” consumers are going to get fed up and demand that companies protect the information that they’ve shared or face the consequences.
The vulnerability can still escalate to an attack
Companies themselves are not immune to the threat. We’ve seen many situations where senior executives fell victim to attacks. In one memorable case, fraudsters planted malware on a CFO’s laptop, stole the company’s ACH credentials, created an elaborate fraud that involved running payroll, and made off with $1 million of the company’s cash.
Business leaders must do more to protect their companies and the consumers they serve. Good security and risk management can be a strategic advantage. In some recent data breach cases, the loss of customer confidence can be directly measured as lower revenue. “Trust” is quickly becoming a measurable off-balance-sheet asset.
Heartbleed is an event that will stick around for a while. Enjoy these first few relatively silent days where we don’t hear reports of exploits, but do the right thing and chase this vulnerability to ground.