Today, I want to talk about some of the media hype related to the Heartbleed vulnerability. It’s important to first state that this is a critical vulnerability, one that both enterprises and consumers need to be aware of and, for which, patches MUST be applied. That said, the vulnerability has been overblown in several media channels and it’s worth stating the counterpoint to the hype that is out there.
Last week, everybody was jumping all over Heartbleed and I don’t expect the attention to go away anytime soon. The problem, though, was the response from mainstream media. News Outlets, Late Night Talk Show hosts, and Morning Shows were all discussing Heartbleed and relying on their “new media experts” to provide real details.
These are the people who find interesting Twitter posts and maintain the television shows’ Facebook pages. They are not the people who should be providing security advice to consumers. The most popular comment I heard last week from these “experts” was “make sure you change your password”. There was plenty of other FUD about how mobile devices (because those are popular with consumers) were somehow impacted in additional ways.
The facts are pretty straightforward:
- All devices are equally impacted when interacting with vulnerable services or running vulnerable clients
- Until this week, we hadn’t had confirmation that the leakage of private keys was even possible. Even though it is possible, it requires a large number of requests, which any IDS/IPS should detect
- There’s more risk in changing your password on a vulnerable site right now than there is in leaving your password alone until it is confirmed that the service is patched.
The third bullet point is, by far, the most important one. If a site is vulnerable, changing your password while someone is actively dumping the server’s memory with this exploit only increases the chances that your (new) password is seen. You should use a service like the LastPass Heartbleed checker to confirm that a service has patched before changing your password.
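The second bullet says that extracting a private key takes a large number of heartbeat requests, and that an IDS/IPS should notice that volume. The following is an added example, not code from the original post or from any IDS product, of what such a rate-based check looks like: it parses the 5-byte TLS record header, counts heartbeat records (content type 0x18, RFC 6520) per source inside a sliding time window, and flags a source the moment it crosses a threshold. The record stream, source addresses, threshold and window are all constructed for the demonstration; a real deployment would feed it records from a capture and tune the threshold to the observed baseline.

```python
"""Rate-based detection of TLS heartbeat floods (added example, constructed data)."""
from collections import defaultdict, deque
import struct

TLS_HEARTBEAT = 0x18        # TLS record content type for the heartbeat extension (RFC 6520)
TLS_APPLICATION_DATA = 0x17


def parse_tls_record_header(record: bytes):
    """Return (content_type, (major, minor), length) from a TLS record header.

    Returns None if fewer than 5 bytes are present, so truncated fragments are
    never mistaken for heartbeats.
    """
    if len(record) < 5:
        return None
    content_type, major, minor, length = struct.unpack("!BBBH", record[:5])
    return content_type, (major, minor), length


def is_heartbeat(record: bytes) -> bool:
    hdr = parse_tls_record_header(record)
    return hdr is not None and hdr[0] == TLS_HEARTBEAT


class HeartbeatRateDetector:
    """Flag a source once it sends more than `threshold` heartbeat records in `window` seconds."""

    def __init__(self, threshold: int = 50, window: float = 60.0):
        self.threshold = threshold
        self.window = window
        self._seen = defaultdict(deque)   # src -> timestamps of recent heartbeat records
        self.alerts = []                  # (timestamp, src, count) at the moment of crossing

    def observe(self, ts: float, src: str, record: bytes) -> bool:
        """Feed one record; return True only on the record that crosses the threshold."""
        if not is_heartbeat(record):
            return False
        q = self._seen[src]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) == self.threshold + 1:       # alert once per crossing, not on every record
            self.alerts.append((ts, src, len(q)))
            return True
        return False


def build_record(content_type: int, payload: bytes, version=(3, 2)) -> bytes:
    """Wrap a payload in a TLS record header (version 3.2 = TLS 1.1; constructed test data)."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(payload)) + payload


def run_demo():
    """Replay a constructed stream: one normal client and one source hammering heartbeats.

    Returns the sorted list of flagged source addresses.
    """
    # A well-formed heartbeat request: type 1, payload length 4, payload "ping", 16 bytes padding.
    benign_hb = build_record(TLS_HEARTBEAT, b"\x01\x00\x04ping" + b"\x00" * 16)
    app_data = build_record(TLS_APPLICATION_DATA, b"\x00" * 32)

    events = []
    # Normal client (constructed address): application data every second, a heartbeat every 30 s.
    for t in range(0, 300):
        events.append((float(t), "198.51.100.7", benign_hb if t % 30 == 0 else app_data))
    # Suspicious source (constructed address): 100 heartbeats in 10 seconds starting at t=100.
    for i in range(100):
        events.append((100.0 + i * 0.1, "203.0.113.9", benign_hb))
    events.sort(key=lambda e: e[0])

    det = HeartbeatRateDetector(threshold=20, window=60.0)
    for ts, src, record in events:
        det.observe(ts, src, record)
    return sorted({src for _, src, _ in det.alerts})


if __name__ == "__main__":
    print("flagged sources:", run_demo())
```

The check is deliberately content-agnostic: it never inspects the heartbeat payload, so it cannot be evaded by varying the payload, and it costs one header parse per record. Its weakness is the opposite one, a very slow extraction spread over many sessions or hours, which is why published IDS signatures for this bug also compare the heartbeat message's declared payload length against the actual record length; that structural check is the natural complement to the rate check shown here.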
In the end, the leakage of a private key doesn’t greatly increase risk for the average home consumer. If you’re a regular user of public Wi-Fi (coffee shop, hotel, transit), then the risk is greatly increased but if you’re using your home computer on your own connection — or your phone’s data plan — the risk is minimized by quite a bit.
If you are using public Wi-Fi, be increasingly careful until you know every service you use is patched. Even so, the odds that someone has stored packet captures of your interactions that they can go back and decrypt are incredibly low.
Everyone talks about educating the user, but part of user education puts the onus on the security industry to set expectations properly. If we cry wolf with every vulnerability, we’re simply doing end users a disservice. As I originally stated, this is a critical issue that must be fixed, but for the average consumer the latest Flash and IE 0-days still pose a greater risk than Heartbleed.