Every day brings new and scary disclosures about Heartbleed (CVE-2014-0160), a flaw in OpenSSL, the popular open source encryption library that experts estimate is used by more than 60 percent of websites.
Tatu Ylönen, inventor of the SSH protocol and CEO of SSH Communications Security, explains the vulnerability well in an eWEEK piece: "An attacker can use it to obtain the encryption keys used by a website, allowing an attacker or spy agency to read all communications. It can practically be used to obtain the server private key used for securing the server and communications to it, essentially breaching the certificates used for protecting the website, which in turn allows decrypting past sessions as well as performing man-in-the-middle attacks (including banking fraud and identity theft) in most cases."
Yikes. Now that the vulnerability has been disclosed and widely disseminated – in a far more public fashion than is typical for these types of Web security vulnerabilities – companies are scrambling to implement the patch issued by the OpenSSL Project, the open source community that created and maintains a toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) encryption protocols. The fixed release is OpenSSL 1.0.1g; versions 1.0.1 through 1.0.1f carry the flaw, while the older 0.9.8 and 1.0.0 branches do not.
Many high-profile websites, including Yahoo and Google, have confirmed that some of their services were affected by the flaw. A Google product manager last week said the company had patched its Search, Gmail, YouTube, Wallet, Google Play and App Engine services.
While big companies with dedicated IT security staffs, like Google, will likely have little difficulty implementing the recommended fix, smaller companies may not be so lucky. In many cases they must rely on the companies that host their websites and/or outsourced IT teams to help them deal with Heartbleed.
Hosted Websites and Heartbleed
"If you have a hosted site, more than likely you are affected by this because most hosting providers use OpenSSL," said Paul Martini, founder and CEO of iboss Network Security.
A good first step for SMBs, Martini said, is determining if their sites need the fix. Unfortunately, he said, tests in his company's lab found that the Heartbleed test website being widely recommended online is not always accurate.
"We found that the tool in some cases said there was no vulnerability on servers that absolutely were affected," he said, noting that the tool looks for a "heartbeat" response, or an OpenSSL version string, between the testing system and the Web server and assumes there is no vulnerability if it cannot detect the heartbeat for some reason. And, he added, if the memory following the heartbeat has been cleared out, it will appear as if the flaw is not present – when it may well be.
Martini suggests that SMBs that do not run their own Web servers use the Google Chrome browser to access their websites and then use the browser's developer tools (the Server header on any response, visible in the Network panel) to determine what Web server software runs the site. If the tools show it is the popular open source Web server Apache, "you should at least call your hosting provider," he said. When Apache is configured to report full version tokens, that same header also names the OpenSSL version the running process loaded, which is a direct clue to whether the site is affected.
It is a good idea to actually check with hosting providers or contract IT teams to confirm that the Heartbleed patch has been applied, rather than assuming it has been done. "Do not just assume it's been updated," Martini said. "With some of these smaller providers, if a database isn't in the process of being hijacked they may assume it won't happen to them and kind of sweep it under the rug."
Companies should also ensure that their hosting providers obtained a reissued – or even better, completely new – digital certificate from the certificate authority that provided the certificate for their site. Because the flaw can expose the server's private key, the replacement certificate has to be issued for a freshly generated key and the old certificate revoked; a certificate reissued for the same key changes nothing. And they should ask if providers rebooted the Web server, or at least restarted every service that links against OpenSSL, since a running process keeps using the old library until it is restarted. "You have to reboot or reset the servers, or the patch won't be effective," Martini said.
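Two host-side checks back up the questions above, for anyone who does have a shell on the server (or a provider willing to run them). This is an added example, not code from the article or from the OpenSSL Project, and it assumes a Linux host with the usual `/proc` layout. The first function classifies the `openssl version` string against the affected upstream range; the second reads `/proc/<pid>/maps`, where a shared library whose file was replaced on disk shows up with a `(deleted)` suffix, which is exactly the "patched but never restarted" state Martini warns about. The sample `maps` lines in the test are constructed.

```python
"""Host-side Heartbleed checks: is the installed OpenSSL in the affected upstream
range, and is any running process still mapping a pre-upgrade libssl/libcrypto?"""
import os
import re
import subprocess

VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)")

def affected_version(version_line):
    """True if the upstream release named in `openssl version` output is 1.0.1
    through 1.0.1f or 1.0.2-beta1, False if outside that range, None if unparsable.
    Caveat: distributions backport the fix without bumping the version string (a
    fixed RHEL build still prints 1.0.1e), so True means 'check the package
    changelog', e.g. `rpm -q --changelog openssl | grep CVE-2014-0160`, not 'vulnerable'."""
    m = VERSION_RE.search(version_line)
    if not m:
        return None
    major, minor, patch, letter = int(m[1]), int(m[2]), int(m[3]), m[4]
    if (major, minor, patch) == (1, 0, 2) and "1.0.2-beta1" in version_line:
        return True
    return (major, minor, patch) == (1, 0, 1) and letter < "g"

def stale_libs(maps_text):
    """Paths of OpenSSL shared objects that one /proc/<pid>/maps listing maps from
    files replaced since the process started (the kernel appends '(deleted)')."""
    found = set()
    for line in maps_text.splitlines():
        parts = line.split()   # addr perms offset dev inode path ['(deleted)']
        if len(parts) >= 7 and parts[-1] == "(deleted)" and re.search(r"/lib(ssl|crypto)\.so", parts[-2]):
            found.add(parts[-2])
    return found

def processes_using_old_openssl(proc="/proc"):
    """pid -> (process name, stale libs) for every process whose maps are readable;
    run as root to see them all. Every hit must be restarted to pick up the patch."""
    hits = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/maps") as f:
                libs = stale_libs(f.read())
            if libs:
                with open(f"{proc}/{pid}/comm") as f:
                    hits[int(pid)] = (f.read().strip(), libs)
        except OSError:        # process exited, or not ours to read
            continue
    return hits

if __name__ == "__main__":
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout.strip()
    print(out, "-> upstream range affected:", affected_version(out))
    for pid, (name, libs) in processes_using_old_openssl().items():
        print(f"restart needed: pid {pid} ({name}) still maps {', '.join(sorted(libs))}")
```

An empty result from the second check after the package upgrade is what "the patch is effective" looks like in practice; a web server, mail server or VPN daemon still listed there is serving with the vulnerable code regardless of what `openssl version` says.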
Disclosing the Heartbleed Vulnerability
Companies of any size also have a responsibility to notify their customers of potential security weaknesses associated with Heartbleed, said Professor Jonathan Rajewski, director of the Leahy Center for Digital Investigation at Champlain College in Burlington, Vt. Rajewski said he was disturbed that "I am hearing about this from news sites like Mashable and not from sites that have my information."
While disclosures could certainly be a "burden" for small organizations with limited technology resources, he said they need to "ramp up and be as proactive as possible" about notifying users of the need to change their passwords after patches have been implemented, since any sensitive information protected by those passwords can now -- at least in theory -- be accessed by outside parties that exploited the Heartbleed flaw.
Though all sites have cause to be concerned about Heartbleed, it poses a more serious threat for some, Rajewski said. "If my site was just giving out geographic location that isn't private, I wouldn't be running down the hall to patch it," he said. "I'd be walking down the hall to patch it because it's good security hygiene. But if my site transmits private sensitive PII (personally identifiable information) or PHI (protected health information) data on networks, this is pretty serious."
Ann All is the editor of eSecurity Planet and Enterprise Apps Today. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.