“We’re not vulnerable to the Heartbleed bug …”, Um Yeah, Hold That Thought Boss and Here’s Why

April 18, 2014
Kevin Lam

It’s been about two weeks now since the Heartbleed bug with OpenSSL was reported to the public. Most companies that are vulnerable are taking action to protect their customers (good/great/fantastic). But there are many others that are not (not good). To make things worse, many have convinced themselves that their risk from Heartbleed is low.

Here are some common misconceptions about Heartbleed we’ve seen, and why we think they are wrong.

Misconception #1: “The Heartbleed bug is not being actively exploited …”

A couple of things come to my mind that make it hard for me to swallow this. First, the actual bug in the OpenSSL software was introduced in 2012, which means there were two whole years in which the bad guys could have exploited this bug. And second, the actual Heartbleed attack doesn’t leave a trace. So remind me again how companies would know that Heartbleed is not being actively exploited? You see where I am going with this.

Misconception #2: “We haven’t seen any reports of our service, or our vendors being exploited …”

Most data breaches/compromises go undetected. And when they are detected, many of them are not reported. So just because a company is unaware of any exploits, it doesn’t mean it’s not happening.

Misconception #3: “We don’t transmit any personal information like healthcare records or credit cards …”

The Heartbleed bug allows an attacker to read the contents of a vulnerable system’s memory. So even if a company isn’t dealing with personal information like healthcare records or credit card information, an attacker could still read information like user passwords, private encryption keys and more. I would suppose this type of information would be considered sensitive, non?


Misconception #4 (Bonus): “Most Web sites don’t use OpenSSL …”

Let’s pretend that this was actually true. It’s not, but let’s just pretend it is. What about email servers that use SSL? What about VPN servers that use SSL? Or how about even database servers? The exposure from the Heartbleed bug isn’t just for the Web. It’s literally for any system/protocol that uses SSL and the OpenSSL implementation to provide security.

A Ridiculously Simple Golden Rule of Security You Should Know About

Look at any of the above misconceptions and you will start to notice a pattern. Companies are trying to guess who malicious hackers are attacking and what they are after. Dumb move. Whenever companies try to play the “I know what hackers are thinking” game, trust me, they will always lose. Instead, just remember this simple rule of security: if it’s exploitable, it’s being exploited.

That’s it for this week’s Data Protection Friday article. Next week something new about Heartbleed is bound to emerge. So until then,

–Kevin Lam

P.S. If you want a really easy way to detect if your systems are vulnerable to Heartbleed, read this article. Also, if you have any questions, feel free to contact us anytime.