This has been a fun week. We have not had a significant cyber event like this – something that affects just about everybody on the Internet -- since the Kaminsky DNS vulnerability of 2008. Everybody I know has been scrambling to understand what it means to their organization, to their business and to their immediate family. Yes, I said family. I am sure I am not the only one who has answered a question or two from his mother-in-law about how the Internet is melting down based on what she’s been reading in the press.
There’s a lot out there already about what Heartbleed means for the Web and beyond, and I’ll point you to our own analysis written by Scott Simkin or an essay by Dan Goodin over at ars technica for that explanation. Instead, here are eight things I am doing right now to protect Palo Alto Networks and my home (and mother-in-law) and that you should be doing, too:
- Don’t panic: Yes, this is a serious issue – and a vulnerability that has been available for exploitation for over two years. But the chances that hackers have successfully exploited you or your organization are pretty small. Check your trap lines for sure but let’s get on with the business of cleaning up in aisle nine.
- Monitor Palo Alto Networks IPS vulnerability Signature IDs 36416, 36417, 36418, 40039: For Palo Alto Networks customers, monitor IPS vulnerability signature IDs 36416, 36417, 36418, 40039 for signs of activity. We released those signatures on April 9 and April 10 and they can automatically detect and block attempted exploitation of the vulnerability. If you’re a Palo Alto Networks customer with an up-to-date subscription, you’re covered.
- Identify and patch your affected systems: I know that this sounds obvious, but don’t assume you know everything. Run local scanners across your network to discover any OpenSSL instances that might have popped up without your knowledge. Both client and server applications utilizing OpenSSL need to be updated.
- Ping your cloud application providers to see where they are in the cleanup process: Salesforce.com is one cloud provider that already announced that its systems are unaffected by this vulnerability. But you are probably using a handful of other cloud providers for other tasks like HR, Payroll, ERP, etc. Make sure you know who they are and ensure they are cleaning up the same way that you are. As Brian Krebs noted, one useful resource is Filippo Valsorda’s site to check for vulnerable systems.
- Get new keys: Acquire new key certificates, revoke your old ones and install the new ones. Because of the way the vulnerability works, hackers who have compromised your servers with this Heartbeat weakness may have stolen your private keys. Even after you patch your systems, these guys would still have your private keys. Get a new set of keys.
- Inform your customers: This is critical. Your customers should already be asking you if you have been affected (see No. 3), but there will be some that do not and will just assume you’re working on it. As a matter of trust, you should be transparent about your cleanup efforts. Do not shy away from this. Since this vulnerability is widespread, you will not be alone in your efforts and maybe you can help some other organization who is not as clear thinking as you are about how to do this cleanup. Customers always remember who acted swiftly and professionally in times of crisis.
- Change your passwords: Once you have patched your systems, changed your keys, ensured that your cloud providers also accomplished those tasks, then it is time to change the passwords for all users on those systems. But wait on this until everything else is done, because hackers who are hanging out on systems that have not been patched or systems where the keys have not been changed can still read your new password. It does not make sense to change your password until the other tasks are completed.
- Beware of the inevitable phishing campaigns: Soon you will start to see phishing email messages telling you that you must immediately change your password in order to protect yourself from the Heartbleed vulnerability. They will most likely have a link embedded in the message pointing you to a sight that looks very much like your ERP, HR or payroll site, but in fact, it will be a site cleverly designed to collect your credentials. Be wary of all communications.
If there’s a long-term consideration here, it’s to install perfect forward secrecy, as Twitter did last year. That ensures that a session key derived from a stolen private key and a collected public key in the future will not be compromised.