Heartbleed – When Will the Next Shoe Drop?

Rick Dakin, CEO, Co-founder and Chief Security Strategist

Last week, while I was in the offices of one of our customers, a long-present but little-known vulnerability in OpenSSL became public knowledge. Our client detected it early and made the necessary patches and updates. The systems deployed by their customers are now secure. Consumers will change their passwords, and credentials stolen prior to the Heartbleed fixes will be worthless.

Unfortunately, the broader threat hasn’t passed. Heartbleed let anyone who could reach a vulnerable server read chunks of that server’s memory, which made it a pervasive way to collect user credentials. Some of those credentials undoubtedly belong to administrators who control every part of the systems they manage. Those administrative credentials are the proverbial keys to the castle, and they may still work. This also means that some of the user password changes did not help: an attacker holding administrator credentials can still read other users’ names and passwords, and a password changed before the server was patched may simply have been captured again.

The first few exploitations of Heartbleed have now been reported, and a “honeypot” set up on a University of Michigan server was attacked the day after the vulnerability was announced. But overall, it’s been rather quiet, and some people are already writing Heartbleed off as old news. I advise against that. Hackers may have known about Heartbleed for well over a year. How do we know for certain that critical administrative user credentials have not been compromised and subsequently used to conduct fraud? Or soon will be used?

Too early to declare “all clear”
Before we declare an “all clear,” we have to do the hard work. Each manufacturer must identify which of its products ship a vulnerable OpenSSL build (1.0.1 through 1.0.1f; 1.0.1g carries the fix), and every service provider must check those systems for the vulnerability rather than trust a version string, since many vendors backport the fix without changing the version. This means a lot more investigation than just reviewing Internet-facing web applications. This is a top-to-bottom inventory and review of critical appliances and systems that are deployed in mission-critical networks: load balancers, VPN concentrators, mail servers, management interfaces and embedded devices link against OpenSSL just as web servers do.
Once the extent of the risk is clearly identified, the cleanup could take months or longer. Certificates whose private keys were exposed while a server was vulnerable must be reissued and the old ones revoked, and sessions and credentials must be rotated only after the patch is in place; anything rotated earlier may have been captured again. The entire access control system at many service providers may have to be rebuilt and closely monitored for months to validate that all unauthorized accounts have been removed.
On the consumer side, the sheer number of data breaches in the past five years seems to be numbing individuals to the threat. Many people have gotten a breach disclosure by now, but fewer have actually been harmed by the information that got out. This can lead to complacency and – paradoxically – a feeling of invulnerability.

Heartbleed and the other very large breaches in 2014 may begin changing that equation. If the other shoe drops and we start seeing hackers breaching systems that were declared “safe,” consumers are going to get fed up and demand that companies protect the information that they’ve shared or face the consequences.

The vulnerability can still escalate to an attack
Companies themselves are not immune to the threat. We’ve seen many situations where senior executives fell victim to attacks. In one memorable case, fraudsters planted malware on a CFO’s laptop, stole the company’s ACH credentials, created an elaborate fraud that involved running payroll, and made off with $1 million of the company’s cash.

Business leaders must do more to protect their companies and the consumers they serve. Good security and risk management can be a strategic advantage. In some recent data breach cases, the loss of customer confidence can be measured directly as lower revenue. “Trust” is quickly becoming a measurable off-balance-sheet asset.

Heartbleed is an event that will stick around for a while. Enjoy these first few relatively silent days where we don’t hear reports of exploits, but do the right thing and chase this vulnerability to ground.

Rick Dakin
