By now I’m sure everyone’s seen the stories all over the news about the newly-unveiled OpenSSL exploit. If not, here’s an excellent write-up of the situation from Symantec.
As always, patch and move on. If you run a publicly-surfaced secure operation, you may consider obtaining new SSL certificates, but that’s probably overkill. You can judge for yourself the need based on the security level of your operation.
Basically, the exploit allows hackers to read areas of memory not intended to be read and which might contain anything from useless garbage to the private encryption key used to decrypt communication sent to the server. Unfortunately, the exploit has been possible in the wild for years (since March 2012, I believe).
Obviously it’s a reasonably severe bug, and yet its existence is not overwhelmingly surprising. I suspect many such bugs are present in the open source environment whose strength lies not in the quality of any one product, but in the resilience and persistence of the community in said products’ development. Everyone will move on, and the I suspect there will be increased scrutiny applied to critical system libraries going forward.
Lots of family and friends have been asking my opinion on whether or not they should abide by the mainstream media recommendations to change all account passwords in response to this issue, and I’ve honestly been suggesting that they simply adhere to their current password changing scheme (as if one exists). Though there is a potential for disastrous implications, this bug isn’t as severe as many people are making it out to be. Can it be used to acquire very sensitive data? Yes. Is there any evidence that this has occurred? No. Is it likely that it has been used to compromise your accounts? No.
If you read the Symantec write-up, you understand that the process involved with the exploit is kind of a crapshoot, actually, and the hacker(s) involved must sift through memory data trying to locate something important. One can hypothesize that advanced, persistent threat actors could have devoted the resources necessary to automate a data mining process and achieve some serious success against targeted systems, but standard-issue criminal fare is unlikely to have understood and effectively used this exploit.
It’s hard to tell, of course, given the relative lack of evidence left behind by an attack, but we don’t have any big system intrusions which occurred under mysterious or inexplicable conditions that might be explained by this. I’d be more surprised than not if I were to find out that the NSA hadn’t been exploiting this regularly to spy on us all (a highly trained, government-supported hacking crew wouldn’t have needed much time to find this bug in the open source code), but with this flaw patched, I would again be more surprised than not if I were to find out that they weren’t simply moving on to the next, yet-undisclosed flaw which allows them to see what they want to see.
But unfortunately we can’t choose our actions based on concern for the behavior of the NSA in this respect. Don’t get me wrong, I think it’s good that we’re having public discussions about appropriate boundaries and purposes for the organization and all (and I quite vociferously oppose any action which undermines public trust or security, which includes sitting on known security flaws and using them to quietly subvert secure systems), but the fact is that, currently, they’re unlikely to do anything nefarious with the data they scoop up from little ol’ me, unlike less-organized, less-well-funded, and less-capable criminal organizations who would be glad to hawk my personal information for a few bucks. Additionally, as I wrote above, it is incredibly unlikely that resolving this one flaw will be much of a hindrance to their vast capacity for spying on every one of us.
And this is why my advice is to simply patch and move on with your lives. Maintain adherence to best practices, changing passwords regularly, and use whatever network monitoring features you can to safeguard any server systems you may have set up, yourself. Asking if you should change your passwords in response to this issue is kind of like asking a doctor if you should exercise in response to a recent flu outbreak. The proper response is probably that you should simply stick to your current regimen. If you don’t have one, you should take this as an opportunity to create one.
The idea (batted around on ZDNet here) that the government could or should fund open source initiatives of such importance as SSL code is a good one, if you ask me, but we must first deal in a satisfactory manner with the NSA “scandals” regarding our cryptographic systems. There is not overwhelming evidence that the NSA has been engaged in subverting public systems (the recent debacle over the Dual Elliptic Curve system is entirely speculative based on characteristics of the system’s design and some maybe-shady-maybe-not money exchanges, with no one successfully demonstrating a means by which to reliably compromise dependent systems) but we need to increase public trust if we decide to move forward in such a manner.
We’re in a bit of a mess these days, and as usual, technology is both part of the problem and part of the solution. As our technical power increases, individuals find themselves with greater and greater capacity to make real their purposes, and where those purposes are malicious, the world is increasingly dangerous. The necessary response is the superior understanding and wisdom required to properly engineer technologies so that they are even more fecund for the peaceful and righteous than the chaotic and malicious. As the former is typically, if not always, more difficult than the latter, we have to keep on moving forward.
It is in this spirit that I began this blog, and I hope to get to more on this subject as I move forward. I intend, for example, to cover the installation and configuration of a network monitoring solution for one’s home (though running the dd-wrt firmware necessary to provide the rFlow/NetFlow functionality required thereby gives me more than a little trepidation). Beyond properly configuring one’s systems with best-practice security measures and leading AV clients, learning how to observe, monitor, and understand network traffic is invaluable to the individual trying to make his or her way through the modern technical landscape. In defending against zero-day threats and advanced persistent threat actors, the best hope held by an individual is in his or her own faculties. Understanding and monitoring the communication to, from, and between one’s systems is a huge step forward for the individual sailing the seas of the Internets.
Additionally, I plan on providing solution maps on this blog which give a high-level overview of how the posts are connected in pursuit of common ends. Some IT cartography is needed so that my fellow travelers are well-informed. If we all go forth in honest, good faith, and we record and share our journeys, we will outstrip those who would see us waylaid.
Anyway, just a little security chat and a preview of coming attractions!