For the record, I am not a security expert. However, I have been working as a professional for over 32 years in the I.T. industry so I believe I can make comments on a number of items about Heartbleed.
Please try to remember that the internet was not designed to be secure. It was originally designed for universities to communicate and they trusted everyone on the network. Over the years bits and pieces were bolted on to help with security as the internet grew and was opened up to more and more businesses/people.
A bit of background about myself:
- I have a diploma in Business Administration, Programming major.
- I can work in Assembler (PC and mainframe versions), APL, AWK, Bash, Basic, C, COBOL, Pascal, PL/1, and REXX at various levels of expertise. (There are others that I have used, but I have minimal knowledge of those languages.)
- Over 32 years I have worked on dozens of software projects large and small. I performed a number of roles during this time such as developer, tester, business analyst, support and team lead.
- Where I am currently working, my role is interface expert for systems requiring access to that system. At this time the client is moving from FTP to SFTP and as a result I have obtained a working knowledge of SSH, SSL, certificates and private/public keys.
- I can work with CP/M, DOS, Windows, Z/OS (AKA TSO), V/VSE, UNIX and Linux.
First thing, don't panic!
Second thing is don't change all of your passwords until the sites have updated their SSL and received new certificates. Changing them right now probably will not protect you if the site has been compromised. When the site asks you to change, or when they fix the site, change it ASAP! Pick a moderately long password that is not easily guessed (no kids/pets/wife names/birth dates). I usually pick two or more unrelated words and string them together with numbers to make it harder to guess. One other important thing is never use the same password for different sites! If you do get hacked, don't make it easy for them by using one password for everything. You also should change passwords on a regular basis.
I was reading the news and some of the politicians here in Canada blame the government service cuts for this problem. In my less than humble opinion this is complete utter BULLSHIT! This problem has nothing to do with the government in any way; this is a very short code change in one OpenSSL module made by a person several years ago, and it passed a review before being deployed. When I looked at the code fragment identified I didn't see any problem with it other than why do it just for performance reasons? This is something that is usually bundled with the operating system, and if not, then offered as an add-on for secure communications. There was no reason to check this and no way to know there was a hole. The blame is just cheap political theater and does not do anything to help fix the issue.
For those who are saying "why publish it, you are creating panic and letting hackers know about the hole?", all I can say is:
- True hackers (not script kiddies) probably knew about this and were making use of the hole. Until recently there was no way the sites would be able to detect use of the hole and log the attempts to compromise the security of the system. There are now signatures to help an IDS identify possible hackers using the hole.
- Various experts wanted to inform the general public about the issue and what they need to do, when to do it and how to do it. These researchers who found this hole assumed hackers already knew about it!
- Alert site owners who are using SSL to look at their operations to see if they are impacted and to determine their next steps to fix their systems if they are vulnerable.
- If the site was compromised then the safest thing is to assume that all encrypted communications can be read until they fix the site, revoke their old certificates and publish new certificates. If you are aware the site has been compromised you can make informed decisions as to whether you want to communicate with that site before a fix is in place.
I have seen others asking why some sites (like some banks) say they are OK. We will need to trust those sites on this, but the likely reason is that they are not running the impacted OpenSSL module. It would help if they could give a high level reason why they are not impacted.
Lessons learned:
- For businesses you may want to review your BR/DR (Business Recovery / Disaster Recovery) plans to see if this type of problem is identified. If not, then take the time and review the documents and insert what steps should be followed if there is a suspected breach in your network.
- Software code reviews are a great way to identify potential problems before the software is released. The reviews may not catch all bugs, but they help confirm that good coding practices are followed at a minimum.
- Security should be considered at the start of any code change. It does add extra work and cost, but it is easier to fix a bug before it gets out the door. A process and set of test rules may also be a good way to check for specific errors. There are packages out there that could be useful to the developers if management is willing to invest a wee bit of money.
- Never let marketing dictate the timeline of a project, or how the software is developed/tested.
- Default settings for software should tend to be more paranoid and lock things down. Explain each setting and the possible holes it may open up if it is changed.
- Never have a default password; on install, ask the end user what their password will be.
- For users, never re-use your password!
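The short code change discussed above came down to one missing bounds check, and a "test rule" for that specific error is exactly the kind of check mentioned in the lessons. As an added example, not OpenSSL's code and not from the original post, here is a simplified heartbeat record parser in C that refuses to echo more bytes than the record actually contains; the record layout follows RFC 6520, while the function names and the constructed sample record are my own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified TLS heartbeat record (RFC 6520 layout), constructed for this example,
 * not OpenSSL's own code: 1 byte type (1 = request, 2 = response), 2 bytes
 * payload_length (big-endian, as CLAIMED by the sender), the payload, then at
 * least 16 bytes of padding. */
#define HB_HEADER_LEN 3
#define HB_MIN_PADDING 16
#define HB_REQUEST 1
#define HB_RESPONSE 2

static size_t hb_claimed_len(const uint8_t *rec) {
    return (size_t)((rec[1] << 8) | rec[2]);
}

/* The bounds check whose absence was the bug: the claimed payload length must
 * fit inside the record actually received. Returns the length to echo, or -1
 * to discard the record silently (the RFC says not to respond at all). */
int hb_parse_request(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING || rec[0] != HB_REQUEST) return -1;
    if (HB_HEADER_LEN + hb_claimed_len(rec) + HB_MIN_PADDING > rec_len) return -1;
    return (int)hb_claimed_len(rec);
}

/* Echoes the payload; memcpy is bounded by the validated length, never the claim. */
int hb_build_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    int plen = hb_parse_request(rec, rec_len);
    if (plen < 0) return -1;
    size_t need = HB_HEADER_LEN + (size_t)plen + HB_MIN_PADDING;
    if (need > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(plen >> 8);
    out[2] = (uint8_t)(plen & 0xff);
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, (size_t)plen);
    memset(out + HB_HEADER_LEN + plen, 0, HB_MIN_PADDING); /* real stacks use random padding */
    return (int)need;
}

/* Constructed 22-byte request carrying "abc" plus 16 zero padding bytes, with the
 * two claimed-length bytes supplied by the caller. Returns the response size or -1. */
int hb_demo(uint8_t len_hi, uint8_t len_lo) {
    uint8_t rec[22] = { HB_REQUEST, len_hi, len_lo, 'a', 'b', 'c' }, out[64];
    return hb_build_response(rec, sizeof rec, out, sizeof out);
}
```

A claimed length of 3 matches the 22-byte record and produces a 22-byte response; a claim of 4 or of 65535 does not fit and is discarded instead of being copied from memory beyond the record.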
Other thoughts:
Can this happen in the future? Optimistic me says no; realistically speaking it just may happen again. Try to remember that a lot of the Open software is written by people who do this for the love of programming and don't get paid full time to do this, and many do it without getting paid anything. Many of the tools you are using are written by these people and the result is the wonderful rich online environment we have today. The downside is they don't get a lot of money to pay people to do full time work where they can check for holes, review code checked in and improve the infrastructure we call the internet.

For those who say proprietary is better as they get paid, my response is you don't know what the proprietary code does as we cannot review their work. With open software we can review the code itself and in many cases make changes ourselves and compile those changes if we have a special case; you can't do that with proprietary code.
What can we do? Well, pulling out your wallet and giving a wee bit to the developers of the free software you are using would be a start. Hopefully politicians and businesses see the benefit of funding a core set of people to work full time reviewing the core of the internet and making improvements, as we are now dependent on the net for more and more of our daily lives.