Heartbleed May Be Mostly Fixed, but It’s Still Causing Trouble
We’ve now reached the later stages of coping with the wake of the Heartbleed bug. While most websites that people actually use have been fixed, a few more vulnerable sites are cropping up.
The latest one of these revealed over the weekend was Healthcare.gov, the website for the U.S. federal government’s health insurance program. After a review by the U.S. Department of Homeland Security, the site is requiring users to change their passwords. “While there’s no indication that any personal information has ever been at risk, we have taken steps to address Heartbleed issues and reset consumers’ passwords out of an abundance of caution,” a post on the site says.
According to a DHS post by Phyllis Schneck, the agency’s undersecretary for cybersecurity, many government-operated sites don’t use OpenSSL, the open source software that was vulnerable. “As we conduct the scans of government systems and agencies conduct their own reviews, many government websites turn out to have never been vulnerable to Heartbleed because they did not use OpenSSL; in those cases, no further action is needed,” Schneck wrote. Those sites that have used OpenSSL are upgrading to newer versions, re-issuing their server certificates and requiring users to change passwords.
It’s worth noting that the U.S. government is not alone in operating sites with vulnerabilities. Canada’s equivalent of the IRS was found to be vulnerable, and someone has been arrested and charged with exploiting the bug to attack the site and steal personal information.
Another attack was revealed over the weekend. Researchers at Mandiant, the incident response arm of security firm FireEye, found that one of its clients, an undisclosed large company, suffered a serious Heartbleed attack.
According to a Mandiant blog post, the attackers used the Heartbleed vulnerability to hijack several corporate VPN sessions while those connections were active. (Corporations often use virtual private networks to allow remote workers to connect to their networks securely.)
Attackers took advantage of Heartbleed to scoop authentication keys out of the memory of a VPN device on the company’s network, which allowed them to sign on to the VPN as if they were a legitimate user. Once signed into the VPN, they attempted to move around within the network, and boost their access privileges along the way.
Mandiant didn’t reveal the identity of the victim. But we’re likely going to hear about more cases like this after the fact as companies and organizations clean up their Heartbleed-affected systems and do forensic analysis to determine if they were ever attacked.
Finally, I’m pointing this out today because it’s new to me, and maybe to you as well. If you’re uncertain about whether or not certain sites you use regularly may still be affected, there’s a browser extension you can download from Netcraft that will let you easily check two things: First, whether a site is currently vulnerable; and second, whether it was previously vulnerable, indicating you should probably change your password. It’s available for Chrome, Firefox and Opera. You can read about it in detail here.