You’re Not Out Of The Woods Yet….
If you’ve used one of the free Heartbleed checker tools on the Internet and your site came up “clean” for Heartbleed, you might think again before you breathe a sigh of relief. There’s a good chance you haven’t really checked everything, and there’s an even better chance your site’s not free from exposure.
Some tools designed to detect the Heartbleed vulnerability are flawed and won’t detect the problem on affected websites, a cybersecurity consultancy has warned.
The Heartbleed flaw, which undermined OpenSSL, the widely used software library that secures internet connections, caused mass panic last week due to the ease with which it could be exploited to acquire passwords or encryption keys, potentially leaking sensitive personal data from popular consumer websites.
A deluge of tools then hit the internet promising to help people determine whether the web services they were using or hosting were affected. But 95% of the most popular ones are not reliable, according to London-based security consultancy and penetration testing firm Hut3.
“A lot of companies out there will be saying they’ve run the free web tool and they’re fine, when they’re not,” Hut3’s Edd Hardy told the Guardian. “There’s absolute panic. We’re getting calls late at night going ‘can you test everything’.”
Most of the tools checked by Hut3 rely on proof-of-concept code written by developer Jared Stafford to highlight the flaw, and that code itself contained problematic bugs, said Hut3 penetration tester Adrian Hayter. These included tools created by major tech companies such as Intel-owned security firm McAfee and password management provider LastPass.
Hayter uncovered three problems with the Heartbleed checkers, any of which could leave many sites reported as safe while still vulnerable. One of the issues concerned compatibility with the different versions of SSL (Secure Sockets Layer, the web encryption protocol affected by the Heartbleed flaw) that servers negotiate.
“The Heartbleed Checker is designed to work with common system configurations found in the wild,” said Raj Samani, CTO for Europe, the Middle East and Asia at McAfee. “There have been reports of detection failure rates of around 2.8% due to these configurations. We were aware of the possibility and have provided a disclosure directly above our checker. We are continually reviewing and revising our code and technique.”
Joe Siegrist, CEO at LastPass, said: “Unlike all other tests, LastPass is not actually attempting to exploit the bug to test if it’s currently present; we’ve been unsure if that’s legal for a US entity to do.
“Our focus has been in ensuring people are updating/revoking their certificates, and that we’re reflecting what major organisations are saying about their exposure. Can you update or make a new certificate and keep the Heartbleed bug in place? Sure, but that’s what all the other tests are for.”
“It is yet another symptom of the ‘hit the ground running’ approach that has characterised the response to this vulnerability,” said Rik Ferguson, vice president of security research at Trend Micro.
“The consequences are so widespread and the technology involved so arcane or invisible to the average user, that knee-jerk reactions and well-meaning advice have been offered up with little planning. From the initial Tumblr blog advising users to change all passwords everywhere ‘now’, before most of the vulnerable services would have been patched, to self-confessed ‘quick and dirty’ demonstration tools being incorporated into complete vulnerability scanning tools.”
“The key to success with protection and mitigation of Heartbleed is more haste, less speed – otherwise you may well be sitting in the comfortable haze of a false sense of security. Ignorance isn’t bliss, it’s dangerous.”