OpenSSL + Heartbleed = Change Your Passwords For Google, Yahoo, Facebook, etc.

So you have probably already heard of the OpenSSL Heartbleed security issue. If you haven’t, I’ll give you a quick rundown of what it is and what it means. If you have, I will still give you my quick version from my research.

And what you need to do next

And other resources

Read on!

Heartbleed and OpenSSL For the Impatient

What is Heartbleed?



It’s a security hole which, at its worst, allows someone to peek at your confidential data.

The easiest way to think about Heartbleed is to imagine me looking over your shoulder as you type and writing down every single thing you type, whether it’s your password, your credit card number, or whatever.

What sites did it affect?

If you’re paranoid, you can assume that any site you have ever accessed using “https://” is affected. Considering it’s good practice to change your passwords on websites often anyway, it does no harm to assume this.

But make no mistake, this affects MANY sites. Some of the sites affected include:

  • Instagram
  • Facebook
  • Gmail
  • LinkedIn
  • Yahoo
  • Google
  • Twitter

And many more.

Okay what do I do now?

The easy and best plan:

  1. Go through your list of sites you access using https. You can try to do this all in one shot, OR you can do it as you access them (like at different times of the month when you pay bills).
  2. Check whether the site is vulnerable to Heartbleed.
  3. If it is not, change your password.
  4. If it is, mark it down to be checked again later. Once it is no longer vulnerable, change the password.

Remember: do not change your password on a site that is currently affected, because there is no use changing your password on a site that can still be compromised!!

How do I check my site?

A list of the most popular sites is already cataloged here:
The Heartbleed Hit List: The Passwords You Need to Change Right Now

You can find a list of more sites in this thread:
GitHub’s Top 10000

To check a specific site, enter its URL in this tool:
LastPass Heartbleed Checker

What do I do long term?

Well, eventually I recommend that you change all your passwords, whether they were on a vulnerable site or not. Since you will need to go through this anyway, you might as well do it now.

It is a great practice.

And you might as well use this exploit as the occasion to do it.

Remember: do not change your password on a site that is currently affected, because there is no use changing your password on a site that can still be compromised!!

Choosing Good Passwords a.k.a. How To Crack A Password



There are a lot of great articles on how to create a good password. There is no shortage. I do have some special insight into good password selection: having worked as a Linux/Unix guy for quite some time, I have been asked from time to time to attempt to crack our users’ passwords for security reasons, so I have a good idea of how cracking works.

There are two ways your password can be exposed: “guessing” and “cracking”.

“Guessing”, as you can “guess” (haha), means someone tries to guess your password based on knowledge about you.

Cracking is a brute force method of guessing a password based on a dictionary. It focuses on trying numbers or symbols around dictionary words.

Dictionaries can be customized (I can add my own words to them). They are usually case sensitive (so while I might have the words “guess” or “Guess” in my dictionary, I may not include “gUeSs”).

A great example:

Since cracking is centered around a dictionary, something like “9yau9yau9” is harder to crack than you’d think.

It might be easy to GUESS if you know I like the number 9, but a cracker doesn’t have that knowledge, and to a cracking program that is pretty complex because it’s five elements: numeric-word-numeric-word-numeric.

I greatly increase the complexity for a password cracker just by adding another set to make it numeric-word-numeric-word-numeric-word, like “9yau9yau9yau”.

Hopefully that gives you a good idea of how password cracking works.

Wait... so if I have a good password, Heartbleed doesn’t affect me?

Heartbleed affects everyone. Again, the easiest way to think about Heartbleed is to imagine me looking over your shoulder as you type and writing down every single thing you type. Even if your password is complex, I’m there writing it down.

Choosing good passwords is just a helpful way to protect yourself in general.

How To Choose A Good Password:

From that, here is my specific way of choosing passwords:

  • Make sure there is at least one uppercase and one lowercase letter, and prefer at least one uppercase letter that is NOT the first letter, i.e. “gUess” is better than “Guess”
  • Make sure there is at least one number
  • Make sure there is at least one symbol (a character that is neither a number nor a letter, like “#”)
  • If you must use dictionary words, use more than one and put numbers or symbols in between. “9my9password9” is better than “mypassword9” or “9mypassword9”
  • Better: use at least one non-dictionary word. For example, a password of “#Dictionary01”, while meeting the above requirements, can still be cracked. Instead you could use “#Dict01ionary”
  • Remember that dictionaries can be customized, so a commonly known word or even an acronym NOT in the dictionary can still be added to a custom dictionary. For example, “ermahgerd” is not in a dictionary, but it is common enough that if I were trying to crack a password I would add “ermahgerd” and “Ermahgerd” to my cracking dictionary.
  • Base it on something in regular language to make it easy to remember
    • One way: split a dictionary word up (as I did above). I split the word “Dictionary” into “Dict” and “ionary” and placed “01” in the middle
    • Best way: think of a sentence and use the first letter of each word. However, do not choose a popular one. For example, “HIMYM” (How I Met Your Mother) is a popular acronym and can easily be used in an attack by adding it to my custom dictionary. However, “istadsisc” is not a popular acronym (it represents the sentence “i shower twice a day so i stay clean”)
    • Replace various letters with numbers or symbols. Some easy examples:
      • “1” for “i”
      • “@” for “a”
      • “$” for “s”
      • “2” for “to” or “too”

As an example, I could turn “I shower twice a day so I stay clean” into the password
Istadsisc
and then
I$2adsisc
or
I$t@dsisc
or
I$t@dsisc!!! (which makes it harder, plus I’m that excited about showering!!!)
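As an added example (this is not code from the post), here is a small Python checker that applies the rules above to a candidate password and models the dictionary-based cracking described earlier: dictionary words in plain case (guess, Guess, GUESS), joined by digits or symbols, with the letter substitutions the post lists undone. The wordlist, the substitution table and the rule model are my own constructed simplifications of what the post describes, not a real cracker’s rule set; a real dictionary holds millions of entries.

```python
import re

# Constructed stand-in for a cracker's dictionary (real ones hold millions of
# entries). It holds no single letters, so "a"/"i" never segment a run by themselves.
WORDLIST = {"guess", "dictionary", "password", "my", "shower", "clean"}

# Reverse of the substitutions the post lists (1 for i, @ for a, $ for s,
# 2 for to/too) plus two other common ones; a rule-based cracker tries these too.
UNLEET = {"1": "i", "@": "a", "$": "s", "2": "to", "0": "o", "3": "e"}


def unleet(password):
    """Undo digit/symbol-for-letter substitutions without touching real letters."""
    return "".join(UNLEET.get(c, c) for c in password)


def plain_case(run):
    """Case forms a dictionary normally holds: guess, Guess, GUESS (not gUess)."""
    return run.islower() or run.isupper() or run == run.capitalize()


def segmentable(run, wordlist):
    """True if the whole run splits into dictionary words (word-break DP)."""
    ok = [True] + [False] * len(run)
    for end in range(1, len(run) + 1):
        ok[end] = any(ok[start] and run[start:end] in wordlist for start in range(end))
    return ok[-1]


def reachable_by_rules(password, wordlist=WORDLIST):
    """Model of the cracking the post describes: every letter run is one or more
    dictionary words in plain case, runs are joined by digits/symbols, and the
    substitutions may be applied. Returns the runs that made the password
    reachable, or [] if the model cannot reach it."""
    for candidate in (password, unleet(password)):
        runs = re.findall(r"[A-Za-z]+", candidate)
        if runs and all(plain_case(r) and segmentable(r.lower(), wordlist) for r in runs):
            return runs
    return []


def check_password(password, wordlist=WORDLIST):
    """Apply the post's rules. A good pick has every flag True and no dictionary runs."""
    return {
        "mixed_case": any(c.islower() for c in password) and any(c.isupper() for c in password),
        "upper_not_first": any(c.isupper() for c in password[1:]),
        "has_digit": any(c.isdigit() for c in password),
        "has_symbol": any(not c.isalnum() for c in password),
        "dictionary_runs": reachable_by_rules(password, wordlist),
    }


if __name__ == "__main__":
    for pw in ["Guess", "gUess", "#Dictionary01", "#Dict01ionary", "P@$$w0rd",
               "9my9password9", "I$t@dsisc!!!"]:
        print(pw, check_password(pw))
    # Customizing the dictionary makes a "non-dictionary" word reachable again.
    print("Ermahgerd1!", check_password("Ermahgerd1!", WORDLIST | {"ermahgerd"}))
```

Running it reproduces the post’s ordering: “Guess” and “#Dictionary01” are reachable, “gUess” and “#Dict01ionary” are not, and “P@$$w0rd” is reachable only once the substitutions are undone. The last line shows the customization point: “Ermahgerd1!” passes against the stock wordlist but not once “ermahgerd” is added. The report also shows where a pick falls short of the post’s own rules (“I$t@dsisc!!!” has no digit and no uppercase letter past the first), which is exactly the kind of honest feedback a checker should give.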

More about Heartbleed

What is Heartbleed?

Specifically, it is a security problem in the OpenSSL software suite. When exploited, it can reveal up to 64k of whatever is currently in the server’s memory. So if you hit the unlucky jackpot, that means your password or even your credit card information happened to be in that 64k of memory.

Of course, this exploit can be used over and over again to read a stream of memory.

Unfortunately, exploitation leaves no trace in the server’s logs, so it is not easy to tell if and when a server has been exploited.

What is OpenSSL?

OpenSSL is an open source implementation of SSL.

What is SSL?

The easiest way to think about it: SSL is a security software layer used for encryption. Any web site that you go to using “https://” uses SSL for encryption.

Who uses OpenSSL?

Not all “https://” websites use OpenSSL.

If a webserver runs on Windows (IIS specifically), there is likely no issue, as the default configuration uses Microsoft’s own implementation of SSL and not OpenSSL (more about that here: Information about Heartbleed and IIS).

If a webserver runs on Linux or Unix, it is likely that the SSL implementation is OpenSSL.

Note: this is on the server side, not on the user side. So it does not matter what computer you are using to browse the internet. What matters is what the computer serving the web pages to you is using.

Not all OpenSSL versions are affected. Specifically, the versions affected are OpenSSL 1.0.1 and OpenSSL 1.0.2-beta (see OpenSSL security: OpenSSL Security Advisory Apr 7 2014).

OpenSSL 1.0.1 came out March 14, 2012, so for the paranoid types, any website you hit using “https” since March 14, 2012 is possibly vulnerable if they installed this version of OpenSSL. (You can check OpenSSL release dates here: OpenSSL on Wikipedia.)

So again: what sites were not exploited?

  • Any site not running OpenSSL (most notably Windows web servers)
  • Any site that did not upgrade to OpenSSL 1.0.1 (and stayed at OpenSSL 0.9.8)

And for you techie types…only https and not ssh

While the most common way people will come into contact with OpenSSL is through a website via https, OpenSSL is used by a lot of software programs.

A big example applicable to me: OpenSSH uses OpenSSL. That means any server I would ssh to or winscp/sftp to uses OpenSSL.

However, we’re in luck. The OpenSSH server (sshd) is not affected by the OpenSSL Heartbleed bug. The Heartbleed bug affects OpenSSL’s libssl.so (which implements the TLS/SSL and DTLS protocols). The OpenSSH server uses only libcrypto.so, OpenSSL’s cryptographic algorithm library.

(reference: https://access.redhat.com/site/solutions/786603)

You can find out what is using libssl.so with this command on your CentOS/Redhat systems (and something similar on other Unix/Linux systems):

# lsof | awk 'NR==1 || $0~/libssl.so/'

From there, be aware of which version of openssl you are running.

An example:

linuxbox# lsof | awk 'NR==1 || $0~/libssl.so/'
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
master 4468 root mem REG 8,3 248116 291103 /usr/lib/libssl.so.0.9.8
qmgr 4498 postfix mem REG 8,3 248116 291103 /usr/lib/libssl.so.0.9.8
httpd2-pr 4550 root mem REG 8,3 248116 291103 /usr/lib/libssl.so.0.9.8
pickup 24412 postfix mem REG 8,3 248116 291103 /usr/lib/libssl.so.0.9.8
httpd2-pr 25615 wwwrun mem REG 8,3 248116 291103 /usr/lib/libssl.so.0.9.8
linuxbox#

Notice my web processes and a few others that use libssl.so, but also that the version I am running is OpenSSL 0.9.8 and not either of the affected versions, OpenSSL 1.0.1 or 1.0.2-beta.
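As an added example (not from the post), here is a small Python script that does the same two checks in one place: it filters lsof output for processes that have libssl.so mapped, the way the awk one-liner above does, and it classifies an OpenSSL version string as affected or not. The lsof sample is constructed (modelled on the listing above, with made-up pids and inodes), and the version logic encodes the advisory’s range as I know it: 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected, 1.0.1g and 1.0.2-beta2 carry the fix, and 0.9.8 and 1.0.0 never had the heartbeat code.

```python
import re

# Constructed lsof output modelled on the post's listing; pids/inodes are made up.
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
master 4468 root mem REG 8,3 248116 291103 /usr/lib/libssl.so.0.9.8
httpd2-pr 4550 root mem REG 8,3 248116 291103 /usr/lib/libssl.so.0.9.8
sshd 1201 root mem REG 8,3 1960000 291200 /usr/lib64/libcrypto.so.1.0.0
nginx 2210 www mem REG 8,3 430000 291201 /usr/lib64/libssl.so.1.0.0
"""


def processes_using_libssl(lsof_output):
    """(command, pid, user, soname) for every process with libssl.so mapped.
    sshd shows up with libcrypto only, so it is correctly left out."""
    found = []
    for line in lsof_output.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) >= 9 and "libssl.so" in cols[-1]:
            found.append((cols[0], int(cols[1]), cols[2], cols[-1].rsplit("/", 1)[-1]))
    return found


# Matches "1.0.1e", "0.9.8e-fips-rhel5", "1.0.2-beta1" inside any `openssl version` line.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")


def heartbleed_affected(version_string):
    """True for OpenSSL 1.0.1 through 1.0.1f and for 1.0.2-beta1.
    1.0.1g and 1.0.2-beta2 are the fixed releases; 0.9.8 and 1.0.0 never had the bug."""
    m = VERSION_RE.search(version_string)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version_string)
    major, minor, patch, letter, beta = m.groups()
    release = (int(major), int(minor), int(patch))
    if release == (1, 0, 1):
        return letter <= "f"        # "" (plain 1.0.1) and a..f are affected, g+ fixed
    if release == (1, 0, 2):
        return beta == "1"          # only 1.0.2-beta1 shipped the bug
    return False


if __name__ == "__main__":
    for command, pid, user, soname in processes_using_libssl(SAMPLE_LSOF):
        print("%-10s pid=%-6d user=%-8s %s" % (command, pid, user, soname))
    for v in ["OpenSSL 1.0.1e-fips 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
              "OpenSSL 0.9.8e-fips-rhel5", "1.0.2-beta1"]:
        print("%-34s affected=%s" % (v, heartbleed_affected(v)))
```

Two caveats for anyone running this against a real box. First, the soname in the lsof column is not enough on its own: OpenSSL 1.0.1 installs as libssl.so.1.0.0, the same file name as the unaffected 1.0.0 series, so feed `heartbleed_affected` the output of `openssl version` (or your package manager) rather than the path. Second, enterprise distributions backport fixes without bumping the version: a Red Hat or CentOS system can report 1.0.1e and already be patched, so on those systems confirm with the package changelog (`rpm -q --changelog openssl | grep -i heartbeat`) and make sure every process listed by lsof has been restarted since the update, because a running process keeps the old library mapped.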

And for you techies who use a lot of other appliances (Barracuda, Cisco VPN, Juniper, etc.), I found this to be a pretty good list of things you will need to check:

https://www.cert.fi/en/reports/2014/vulnerability788210.html

As an example, I know F5 BIG-IP LTM is very popular and at the head of the field. According to the list, F5 BIG-IP LTM versions 11.5.0 – 11.5.1 are vulnerable to Heartbleed. Check the list, it’s good, my sysadmin peeps! :)

And for peace of mind ..

This bug was discovered through a combination of efforts from the Google security team and other security researchers. It is not known whether anyone has actually exploited it yet.

Also, once the bug is patched on a site, you are “safe”: the hackers can no longer peek into the memory of the web server. They would have had to grab your info while the exploit was still available.

What’s next?

It’s a good practice to change all your passwords periodically anyway. So what’s next is exactly the same steps I listed above:

  1. Go through your list of sites you access using https. You can try to do this all in one shot, OR you can do it as you access them (like at different times of the month when you pay bills).
  2. Check whether the site is affected by Heartbleed.
  3. If it is not, change your password.
  4. If it is, mark it down to be checked again later.

More Resources

There is a ton of info out there now (and I’m adding to it, aren’t I?).

Here are some good reading links:

What You Need To Know About Heartbleed, A Really Major Bug That Short-Circuits Web Security
How to Protect Yourself From the Heartbleed Bug
Your Heartbleed Bug Questions, Answered

Here are links to help you check which sites are affected:

The Heartbleed Hit List: The Passwords You Need to Change Right Now
GitHub’s Top 10000
LastPass Heartbleed Checker
