It’s been more than a week since news of the Heartbleed flaw launched a frantic scramble on the Web, but security professionals’ palpitations haven’t subsided.
The OpenSSL Software Foundation has issued a fix, and Google, Cisco, Juniper Networks, Akamai and hordes of other companies have begun patching their products.
The open source community “reacted very quickly to the vulnerability, which is good,” Diego Sor, head of security consulting services at Core Security, told TechNewsWorld.
Predictably, scammers and spammers have climbed onto the Heartbleed solution bandwagon, and legitimate companies are using the term as a marketing hook.
Also predictably, news that the NSA has been exploiting the flaw has made the headlines, thus ensuring we know our tax dollars are at work and providing further proof that the agency will investigate every little crook and granny.
Some experts urge consumers to change their passwords at once, while others, equally expert, suggest consumers hold off until those running the websites they frequent — banks, email system providers and so on — have made their own changes, so passwords won’t have to be changed yet again.
So, who and what is at risk? And who’s responsible?
What Is Threatened
“Companies running services that rely at some point on OpenSSL might have been affected for the past two years,” Martin Gallo, senior security consultant at Core Security, told TechNewsWorld. “As OpenSSL is the main security technology for the majority of the services running online, the impact is high.”
End-user software also might be vulnerable, as the issue affects the client side of SSL connections using the OpenSSL library, he pointed out.
Systems potentially at risk, according to SANS, include the following: smart TVs, appliances and exercise equipment; Android smartphones, especially those updated by the carrier rather than by Google; database software; and cloud service clients.
Only devices running Android 4.1.1 (a version of Jelly Bean) are affected, according to Google, and a patch for 4.1.1 is being distributed to its partners. Why other versions of Android are immune is not clear.
Google did not respond to our request for further details.
Client applications reported to be vulnerable include MariaDB 5.5.36, curl 7.36.0, git 1.9.1 and OwnCloud.
Some Patches Being Issued
Just about every website is working on a patch.
Cisco has issued a response and will provide new information about Heartbleed as it becomes available, company spokesperson Nigel Glennie told TechNewsWorld.
Google has patched most of its services and is working on the rest.
Juniper Networks also has published a response.
BlackBerry is working on a patch, and McAfee is offering solutions.
Akamai Recovers After Stumble
Akamai issued a patch that a researcher later found to be flawed, which the company acknowledged.
Akamai is rotating all customer SSL keys and certificates, but it can’t pin down a date for completion because “many of the certificates our customers use require extra human validation — Extended Validation certificates — or are issued by CAs (certificate authorities) under the customer’s control,” Andy Ellis, its chief security officer, told TechNewsWorld.
Who’s Gotta Pay?
“One of the main challenges [to remediation] is that OpenSSL is usually used in systems that are not easy to patch, such as embedded or network devices,” Core Security’s Gallo pointed out.
Fixing the problem can be expensive, as the costs range from patching servers and workstations to issuing and deploying new certificates, he said.
That brings up the question of who should foot the bill for this work.
“Implementation and distribution are the responsibility of people who take and use the code developed by the OpenSSL Project,” Steve Marquess, president of the OpenSSL Software Foundation, told TechNewsWorld.
“My understanding,” said Core Security’s Sor, “is that if a commercial company adopts an open source technology to develop their products, they are responsible for its ultimate security.”