The Heartbleed Security Flaw, Cloud Identity Management, and Avatier Company Statement

Heartbleed does not affect Avatier Customers.

The problem with being right is that it often comes at someone else's expense. Consider for a moment… when was the last time you said, “I told you so” after something positive occurred? Over the last month, I blogged on the security risks of duplicating identities in web single sign-on and cloud identity management. My surprise in learning about the Heartbleed bug is not that I was proven right, but rather in the little time it took.

The OpenSSL Heartbleed security flaw is being called the biggest Internet security threat ever, because it impacts a staggering number of users and an estimated 1.5 million companies. This list includes subscriber giants like Google, Facebook, Yahoo, Instagram, Pinterest, Tumblr, GoDaddy, Flickr, Minecraft, Netflix, SoundCloud, YouTube, Dropbox, GitHub, Wikipedia, and Amazon Web Services.

According to Codenomicon, “The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.”

With public statements acknowledging Heartbleed vulnerabilities from cloud identity management companies Okta, LastPass, Ping Identity, Dashlane, Dell Cloud Manager and NetIQ, concerns are warranted about the ability of identity management vendors to protect personal, sensitive and encrypted data.

This blog provides Avatier’s Heartbleed status. It gives a short explanation of the extent of the security flaw and identifies how to research whether a website is currently vulnerable or was previously vulnerable to Heartbleed intrusions.

Why Avatier software is not affected

The Heartbleed bug results from a programming error in OpenSSL. Avatier software uses Microsoft’s Internet Information Services (IIS) and the .NET Framework for SSL and application development. IIS is not impacted by the OpenSSL vulnerability, because it uses Microsoft’s SChannel for SSL communication, not OpenSSL.

For this reason, the Avatier Identity Management (AIMS) web server is unaffected and Avatier users do not need to change their master password.

However, Avatier highly recommends that organizations always apply the most up-to-date software and security patches. We also recommend that business users routinely update their passwords.

What to do when a service is compromised

If you have an account with any of the companies identified, log in and change your password immediately. In the event you later receive a message telling you to change your password, do it again. To fully apply all security patches, a company may have to apply several updates. This can take a few days. Some companies may also need to issue new encryption and decryption keys, which could take a few weeks or longer.

What makes Heartbleed so insidious

The Heartbleed bug causes an OpenSSL server to hand over private memory space. This memory space also includes the server’s private key material. As a result, an intruder can collect the server’s private keys, the OpenSSL session keys, session ticket keys, and confidential user data including encrypted passwords.

This exposure allows an intruder to decrypt ongoing OpenSSL sessions and to monitor and collect critical information. With a server’s private keys, a cyber thief can potentially decrypt past sessions and impersonate the server without a trace. To ensure data security, companies must replace private keys and certificates for each service using the OpenSSL library. Encrypted passwords and data collected from any OpenSSL session from 2011 to the present can be decrypted. If a company cannot verify an intrusion, it cannot claim your data was secure over a two-year period. It also cannot claim the Heartbleed security flaw is resolved, because that is indeterminable.

How to investigate Heartbleed vulnerable websites

You may have concerns about bank, online retail, and other websites. We recommend you start researching by reviewing the list of companies with known vulnerabilities compiled by Mashable.

For companies not listed by Mashable, there are several tools that can determine whether a site is vulnerable to the Heartbleed security flaw by simply entering a URL.

Resources that can analyze a site’s vulnerabilities and history range from basic information to details about authentication, configuration, protocols, handshakes and cipher suites.

We recommend the following diagnostic tools, beginning with basic diagnostics and moving to more complex analysis:

The lingering problem with the Heartbleed security flaw is the realization it represents just one unknown problem in one system. Without a doubt, Heartbleed does not represent an isolated case nor are such bugs unique to OpenSSL. Nevertheless, Heartbleed does reinforce why duplicating identities in the cloud and managing identities through an Identity as a Service (IDaaS) are filled with an indeterminable amount of risk.

Written by Thomas Edgerton

Thomas Edgerton, Avatier's MVP award-winning Market Analyst and Performance Consultant in information technology, IT security, instructional technology and human factors, blogs on topics ranging from leadership to national security, innovation and deconstructing the future.