This is an Advertisement

CLIENT UPDATE: Websites with OpenSSL encryption vulnerable to Heartbleed


CYBER RISK ALERT! Just when we thought we were safe online while using websites that display the key security “https” in the URL, we learn that nothing could be further from reality. On April 7, 2014, security researchers at Codenomicon announced the discovery of a flaw in OpenSSL (an open-source implementation of the Secure Sockets Layer protocol) that is used in an estimated two-thirds of the servers that support websites displaying the padlock and “https” letters that we have come to trust. The flaw lies in OpenSSL’s “heartbeat” extension and causes data to leak from the server, which is why the security firm that discovered this new cyber liability threat dubbed it Heartbleed. It leaves websites running the affected OpenSSL versions open to attackers who can read up to 64KB of server memory and thereby intercept user names, passwords, financial information, health care information, instant messages, emails and confidential business documents.

Check Websites and Network Equipment for Vulnerability. LastPass created a Heartbleed checker tool for websites that require passwords. Enter the website’s URL in the checker tool and LastPass will return a report on whether the website uses an OpenSSL server that may be vulnerable to Heartbleed, to the extent information is available. The LastPass report also provides the last time the website’s SSL Certificate was updated. Certificates updated before the publication of Heartbleed’s discovery will need to be regenerated. On April 10, 2014, The Wall Street Journal reported that some of the products supplied by Cisco Systems and Juniper Networks contain the Heartbleed flaw. Cisco issued an online customer bulletin to keep its customers apprised of the products under investigation, a list of products that it has confirmed are vulnerable to Heartbleed, and instructions for obtaining updated software to fix the problem. Home wireless routers could be affected as well.

Detecting a Data Breach. According to Codenomicon, Heartbleed is not a weakness in the SSL protocol itself but a programming flaw in the OpenSSL library that provides cryptographic services to applications and services. It had existed for about two years before its recent discovery. The flaw allows hackers to grab passwords and other sensitive information as it is entered into a website running the vulnerable OpenSSL server software, without leaving any trail. As a result, attackers can secretly steal the keys that protect communication, user passwords and anything else stored in the memory of a vulnerable OpenSSL web server. Whether personal sensitive information has been breached would be difficult, if not nearly impossible, to discover. An unauthorized use of one’s Social Security Number (SSN), credit card information, health insurance benefit plan number, or other identifying information that cannot be tied to a discoverable incident, such as a stolen or lost laptop, smart phone or other mobile device, leaves one wondering whether Heartbleed could have been the culprit.

What must be done to address Heartbleed. Website owners need to immediately assess their exposure to Heartbleed, install the available update on any website running vulnerable OpenSSL, revoke existing SSL certificates and obtain new ones, and review the SSL configuration for webmail and email. The researchers who discovered Heartbleed established a detailed webpage at http://heartbleed.com with technical information about how the defect causes content from the server to leak, how to stop the leak, a list of OpenSSL versions containing the problem, a list of the known operating systems that were distributed with a potentially vulnerable OpenSSL version, and much more. The OpenSSL update is available at https://www.openssl.org/. The information at heartbleed.com is a must read for anyone responsible for the security of systems that rely on OpenSSL to create, access, maintain or transmit financial information.

Changing log-in and password information. In addition, website owners should consider how to address and communicate any identified potential vulnerability of their OpenSSL website to the individuals who use it, so those users can protect themselves by changing their log-in and password information. According to heartbleed.com, a person should not change his or her log-in password for a webpage supported by a vulnerable OpenSSL server until after receiving notification from the website owner that steps have been taken to address the vulnerability. Changing the log-in and password information while an OpenSSL website is still vulnerable may increase the risk of that information being stolen by hackers who have decided to capitalize on the discovery of Heartbleed.
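The three steps above (check the OpenSSL version, regenerate certificates issued before the disclosure date, then notify users to change passwords once the fix is in place) can be turned into a triage pass over a server inventory. The following script is an added example, not part of this Client Update or of the heartbleed.com material; the host records in it are constructed, while the vulnerable version range (OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g) and the April 7, 2014 disclosure date are those published at heartbleed.com.

```python
"""Heartbleed remediation triage over a constructed inventory of TLS hosts.
Added example: version range and disclosure date are from heartbleed.com,
host records below are made up for illustration."""
import re
from datetime import date

DISCLOSURE = date(2014, 4, 7)                     # public disclosure date
VULN_LOW, VULN_HIGH = (1, 0, 1, ""), (1, 0, 1, "f")  # 1.0.1 .. 1.0.1f affected
_VER = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_version(banner):
    """'OpenSSL 1.0.1e' -> (1, 0, 1, 'e'); None for beta or unparseable banners."""
    if "beta" in banner.lower():      # 1.0.2 betas were also affected: hand review
        return None
    m = _VER.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def is_vulnerable_version(banner):
    """True/False for recognised versions, None when a human must decide."""
    v = parse_version(banner)
    return None if v is None else VULN_LOW <= v <= VULN_HIGH


def needs_cert_reissue(host):
    """A certificate issued before disclosure on any 1.0.1x host (even one now
    on 1.0.1g) may have had its private key exposed: revoke and reissue."""
    v = parse_version(host["openssl"])
    possibly_exposed = v is None or v[:3] == (1, 0, 1)
    return possibly_exposed and host["cert_not_before"] < DISCLOSURE


def triage(host):
    """Return the remediation actions for one host, in recommended order."""
    actions = []
    vuln = is_vulnerable_version(host["openssl"])
    if vuln is None:
        actions.append("review")      # unknown build: inspect manually
    elif vuln:
        actions.append("patch")       # upgrade to OpenSSL 1.0.1g or later
    if needs_cert_reissue(host):
        actions.append("reissue")     # new key pair, revoke the old certificate
    if vuln and host.get("has_logins"):
        actions.append("notify")      # users change passwords after the fix
    return actions


INVENTORY = [  # constructed records, not real hosts
    {"name": "web-1", "openssl": "OpenSSL 1.0.1e", "cert_not_before": date(2013, 6, 1), "has_logins": True},
    {"name": "web-2", "openssl": "OpenSSL 1.0.1g", "cert_not_before": date(2013, 11, 15), "has_logins": True},
    {"name": "mail-1", "openssl": "OpenSSL 1.0.0k", "cert_not_before": date(2013, 1, 10), "has_logins": True},
    {"name": "vpn-1", "openssl": "OpenSSL 1.0.2-beta1", "cert_not_before": date(2014, 2, 3), "has_logins": False},
]

if __name__ == "__main__":
    for h in INVENTORY:
        print(f"{h['name']:7} {h['openssl']:20} -> {triage(h) or ['no action']}")
```

Note that a host already on 1.0.1g still gets a "reissue" action: the page's point is that the certificate date, not the current version, decides whether the key may have leaked.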

The bright side? I don’t know that we can state it any better than the researchers have at heartbleed.com: “For those service providers who are affected, this is a good opportunity to upgrade security strength of the secret keys used. A lot of software gets updates which otherwise would have not been urgent. Although this is painful for the security community, we can rest assured that infrastructure of the cyber criminals and their secrets have been exposed as well.”

Information for this Client Update was collected from a variety of resources including the following:

“Heartbleed Bug Endangers Medical Data, Internet as a Whole”, by Chris Wiltz, Medical Device & Diagnostics Industry (MDDI) (April 8, 2014).

“Heartbleed Bug: What You Need to Know”, by Jeffrey Roman, Gov Info Security (April 9, 2014).

“Experts Find a Door Ajar in an Internet Security Method Thought Safe”, by Nicole Perlroth, The New York Times (April 8, 2014).

“What health orgs need to know about Heartbleed”, by Lauren Still, Health IT Developer, Government HealthIT (April 10, 2014).

Please contact Lisa Underwood at (859) 288-7665 or Kathie McDonald-McClure at (502) 562-7526, or any other member of the Wyatt, Tarrant & Combs Data Privacy & Security Team, if you have any questions or concerns regarding the matters addressed in this Client Update. For those who may be HIPAA covered entities or business associates, be sure to follow our posts on HIT privacy & security developments on the HITECH Law Blog at www.wyatthitechlaw.com.