The precise impact of the Heartbleed OpenSSL security bug is becoming clearer. Client-side applications can be vulnerable too, not just servers — particularly those running on Android 4.1.x. But evidence is emerging that if anyone else knew about the bug in the two years that it's existed, it was a "limited constituency".
The security researchers who presented the third Heartbleed briefing for the SANS Institute's Internet Storm Centre (ISC), held on Friday morning Australian time (Thursday afternoon US time), confirmed early impressions that the bug is serious, but held back from equating it with the widespread internet worms of early last decade, such as Code Red and Slammer.
"Code Red was at least as serious as Heartbleed, plus I didn't have to wait for the luck of the draw to get the right 64k," said SANS ISC chief technology officer Johannes Ullrich — a reference to the fact that while Heartbleed can allow an attacker to repeatedly extract 64 kilobyte chunks of server memory, they have no control over which chunk they get.
But malware researcher Jake Williams, a principal consultant at CSRgroup Computer Security Consultants, only partially agreed.
"On the other hand, we have a much higher population of vulnerable servers, as well as a large number of vulnerable client-side applications, the full list yet to be determined", Williams said. "There was zero chance that my Android phone was going to be vulnerable to Slammer" — if Android had been around then, of course — "whereas with [Heartbleed], there's a pretty good possibility."
It's currently believed that Android versions 4.1.0 and 4.1.1 are vulnerable to Heartbleed, although some reports indicate that only 4.1.1 is vulnerable.
More than one-third of operational Android devices are still running version 4.1.x, Williams said. "If you're running Android this early, you are still also probably owned, unfortunately," he said, referring to the Blackhole exploit kit.
Unlike most Linux distributions, which the researchers praised for issuing OpenSSL patches promptly, they were scathing of Android for the availability of patches being "a little bit less than desired", as Williams put it.
James Lyne, global head of security research with Sophos, put it more strongly. "A lot of that isn't so much the user population. In many cases it's the providers, not of the hardware but the telcos who aren't being responsible," he said.
Meanwhile, the SANS Institute's presenters are escalating their criticism of organisations' lack of communication about their exposure to Heartbleed. Banks in particular came under fire, with special mention given to USAA, the United Services Automobile Association — both congratulation for issuing an advisory, but criticism for information that was "sub-standard".
"I want to clarify that this is one of the few banks that I've been able to locate one of the these statements for at all," Williams said. "We really appreciate the fact that they're taking measures against Heartbleed." But USAA's advisory note was apparently written by a PR person with no actual security knowledge.
"We have already taken measures to help prevent a data breach and implemented a patch earlier this week," the bank said. But according to Williams, the SSL certificate currently being presented by the bank was generated on 4 December 2012.
"Now, if they were indeed vulnerable, and they needed to patch, it scares me a little bit that they didn't re-issue the certificate after the patch. Definitely a 'Must try harder', a C-minus," Williams said. "They're leading the pack with mediocrity, and that should scare everybody in the room."
But do vulnerable organisations really need to revoke all of their SSL certificates, generate new private encryption keys and issue new certificates?
The issue, says Ullrich, is that Heartbleed is about memory leaks, data that's on the server — and some of that memory may contain the private encryption key.
"The key question about risk, therefore, is: What is the probability that an attacker will end up with the secret key? I don't care if someone steals a session ID. That was yesterday. That session had better no longer be any good.
"If someone steals a password, it's your password, it's not mine, so I'm fine ... If you used the same password for another site, not my problem.
"The chances of actually having the secret keys exposed is the highest just after the server starts up. That's when you have the secret keys most likely in the right location for it to be exposed."
Ullrich says SANS ISC has been receiving enquiries from systems administrators saying that they've patched their vulnerable servers promptly, and wondering whether they still need to regenerate keys and certificates.
"If you patched on the seventh, the evening the vulnerability came out, [US] Eastern Time, that argument I think may apply. If you had honeypots running on the eighth, scanning [for vulnerable servers] picked up really quickly against random sites.
"Before the seventh, if the exploit was known, it was known to a limited constituency. They probably didn't scan your personal blog, so you may be a little bit good there.
"If you didn't patch on the eighth, you patched on the ninth, your server was scanned. You can assume that someone tried to extract data. What they got, you don't know."
Many data leak prevention (DLP) systems don't monitor TCP port 443, the port used by HTTPS/SSL, because the data is generally encrypted anyway and DLP isn't going to work, Ullrich said.
However most certificate authorities (CAs) are allowing customers to revoke and re-issue certificates free of charge, at least within the validity period of the original certificate. StartSSL is one of the few exceptions, but even then, their fee for revoking and re-issuing a certificate is only US$25.
"What it comes down to is, is 25 bucks worth the risk?" Ullrich said.
"Overall, I would say you probably do want to replace your key if you didn't patch on the seventh [and] you can't go at least back a week through your data to double-check if the key has leaked," he said.
"Don't panic. Do it deliberately. That's the problem here, if you roll your keys quickly, you may not do it right."
Finally, Lyne warned that criminals are starting to take advantage of Heartbleed's high media profile.
"Through today, the cyber criminals really wised up to the fact that this was an interesting topic for the mainstream media, beyond being an interesting bug. So we've started seeing lots of spam messages about Heartbleed being used as a mechanism to distribute other malicious code and scams." he said.