You would have to be hiding under a very big rock if you missed the two cybersecurity stories that have hit the mass media this week. For those unaware, I’m talking about the “death of XP” and the “Heartbleed” vulnerability. The level of froth is approaching that of a Starbucks coffee, so I thought I would try to impart a little realistic thinking.
When thinking about these problems — indeed, about any security issue — the following XKCD cartoon comes to mind:
In other words, discovery of the flaw does not necessarily mean exploitation. This is particularly important to think about with Heartbleed. Here are the specifics: Heartbleed allows attackers to exploit a critical programming flaw in particular versions of OpenSSL—an open source implementation of the SSL/TLS encryption protocol. When exploited, the flaw leaks data from a server’s memory, which could include SSL site keys, usernames and passwords, and even personal user data such as email, instant messages, and files, according to Finland-based Codenomicon, the security firm that first uncovered Heartbleed in concert with a Google researcher. What I haven’t seen stated is any evidence that the flaw was being exploited before it was announced — in other words, even if the vulnerability was there, was it being exploited? Also not stated is how easily crackers could obtain the leaked data. I think there is some confidence that, now that the flaw has been announced, it is being exploited.
[UPDATE: Later information shows that there may have been exploits based on this attack going on for the last few months. That’s the bad news. However, it looks like private keys may not have been exposed, except in a very short window. Further, what could be eavesdropped on with Heartbleed hacks is dynamic stuff, stuff that was allocated only moments ago. So, yes, it could be passwords, but those aren’t retained in memory for long, so I would think the likelihood of being able to catch a window with a password, and then identifying it as a password, would be low. The article here gave a good explanation of how the Heartbeat extension was exploited: «Heartbeat allows a connected Web client or application to send messages to keep a connection active during a transfer of data. When a Heartbeat message is received, the server usually simply echoes back what it got to the sender. However, starting with the initial implementation of Heartbeat in OpenSSL 1.01 (and in all subsequent releases up to OpenSSL 1.01f, including the OpenSSL 1.0.2 beta) the extension could be fooled into sending back the contents of its memory buffer by sending a request that advertised itself as 64 kilobytes long but in fact had no content—resulting in “Heartbleed.” Any information still in that buffer from a previous session, such as decrypted usernames and passwords, could be obtained by an attacker in the response message.» So, the odds of getting a password would depend on whether the buffer from a previous session held usernames and passwords (meaning that ultimately, this was an object reuse/residual information error where buffers were not always cleared when they were allocated). This, friends, is why you clear on both deallocation and allocation. [ETA2: Another good explanation of Heartbleed may be found here.]]
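To make the quoted mechanism concrete, here is an added toy model of the Heartbeat echo in C. It is not code from the post and not OpenSSL's own source; the record layout (1-byte type, 2-byte payload length, payload, 16 bytes of padding) follows RFC 6520, and the "server memory" is a single constructed array holding the received record followed by constructed stale data, so the over-read stays inside one allocation and the program runs safely. The vulnerable handler trusts the advertised length; the hardened one checks it against the bytes actually received and discards the request, which is what closes the hole. Clearing buffers on allocation and release, as the post recommends, limits what such an over-read could find but does not replace the check.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR      3      /* 1-byte type + 2-byte payload_length (big-endian) */
#define HB_PADDING  16     /* RFC 6520: at least 16 bytes of padding */
#define ARENA_SIZE  256

/* Stand-in for a slice of server heap: the received record at the front,
 * constructed "stale" data from an earlier session just past it. */
struct arena {
    uint8_t mem[ARENA_SIZE];
    size_t  record_len;    /* bytes actually received for this record */
};

/* Build a request that claims `claimed_len` payload bytes but carries only
 * strlen(payload), then plant `stale` beyond the end of the record. */
static void build_arena(struct arena *a, uint16_t claimed_len,
                        const char *payload, const char *stale)
{
    size_t actual = strlen(payload), slen = strlen(stale), room;
    uint8_t *p = a->mem;
    memset(a->mem, 0, sizeof a->mem);
    *p++ = HB_REQUEST;
    *p++ = (uint8_t)(claimed_len >> 8);
    *p++ = (uint8_t)(claimed_len & 0xff);
    memcpy(p, payload, actual);
    p += actual + HB_PADDING;              /* payload, then zero padding */
    a->record_len = (size_t)(p - a->mem);
    room = ARENA_SIZE - a->record_len;
    memcpy(p, stale, slen < room ? slen : room);
}

/* Vulnerable echo: copies as many bytes as the length field advertises, so a
 * short record with a large length returns whatever lies beyond it. Returns
 * the response length, or 0 if no response is sent. */
static size_t echo_vulnerable(const struct arena *a, uint8_t *out, size_t cap)
{
    const uint8_t *rec = a->mem;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = HB_HDR + payload_len + HB_PADDING;
    if (rec[0] != HB_REQUEST || resp_len > cap) return 0;  /* output checked, input not */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload_len);       /* reads past record_len */
    memset(out + HB_HDR + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Hardened echo: the advertised length is checked against the bytes actually
 * received; an oversized request is discarded silently, as RFC 6520 requires. */
static size_t echo_fixed(const struct arena *a, uint8_t *out, size_t cap)
{
    const uint8_t *rec = a->mem;
    if (a->record_len < HB_HDR + HB_PADDING) return 0;     /* too short for header + padding */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = HB_HDR + payload_len + HB_PADDING;
    if (resp_len > a->record_len) return 0;                /* the check Heartbleed lacked */
    if (resp_len > cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload_len);
    memset(out + HB_HDR + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Byte-buffer search for a NUL-terminated marker (memmem is not standard C). */
static int contains(const uint8_t *hay, size_t n, const char *needle)
{
    size_t k = strlen(needle);
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(hay + i, needle, k) == 0) return 1;
    return 0;
}

/* Feed one malformed request (claims 100 payload bytes, carries 5) to the
 * chosen handler. Returns 1 if the response carried the constructed stale
 * secret, 0 if it did not, -1 if the request was discarded. */
static int probe(int use_fixed)
{
    static const char stale[] = "user=alice&password=hunter2";  /* constructed, not real */
    struct arena a;
    uint8_t out[ARENA_SIZE];
    build_arena(&a, 100, "hello", stale);
    size_t n = use_fixed ? echo_fixed(&a, out, sizeof out)
                         : echo_vulnerable(&a, out, sizeof out);
    if (n == 0) return -1;
    return contains(out, n, stale);
}

/* A well-formed request (length field matches the payload) must still be
 * echoed by the hardened handler; returns its response length. */
static size_t probe_wellformed(void)
{
    struct arena a;
    uint8_t out[ARENA_SIZE];
    build_arena(&a, 5, "hello", "");
    return echo_fixed(&a, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaked stale data: %d\n", probe(0));
    printf("fixed handler leaked stale data:      %d (-1 = discarded)\n", probe(1));
    printf("fixed handler well-formed response:   %zu bytes\n", probe_wellformed());
    return 0;
}
```

The interesting part is how little separates the two handlers: the vulnerable version does check a length, but only against the response buffer it is about to write, never against the record it actually received. That is the pattern to look for in any echo or copy routine that takes a length from the peer.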
What does this mean? You likely don’t need to change all your passwords, although regularly changing them is a good practice. The primary concern should be those sites you have used recently (remember, this exposes current memory, not passwords on disk), and sites where you have actually entered the password (the “keep me logged in” doesn’t expose the password on each access). When worrying about this, you should also factor in the value of the site itself — does it really make a difference if your password to read a support bulletin board system is exposed?
What I’m doing is guarded watching. I’ll make sure that financially-significant sites that I use have fixed the bug before I enter the password [ETA: Visit here to test a site]; if they are susceptible and I’ve used them very recently, I’ll think about changing things. Otherwise, I’m going to watch and monitor for reports of data grabs — and of course I’ll keep a close eye on credit card statements. As always, you should never use debit cards online because of the lack of protections. Other than that, good site guidance applies: change your passwords somewhat regularly, with a frequency appropriate for the information protected; enable two-factor authentication if you can; connect securely if you can to thwart casual eavesdroppers.
The other big FUD in the news is the “death” of Windows XP. This really isn’t a death: basically, the last patch release was yesterday, meaning it really isn’t out of date until the Patch Tuesday in May. But Microsoft has a vested interest in getting you to switch now, and so they have been pushing the date with the media. Should you worry? Yes and no.
There is likely greater risk in this case: XP has been in the wild for years, and there are many zero-day attacks just waiting to take advantage of the lack of maintenance. This is a big concern if you are an organization likely to be targeted by an adversary. I cringe every time I walk into my local YMCA and see XP still being used. But for an individual?
If you are an individual on XP, I think you should start thinking about a transition plan to Windows 7 or the Windows 8.1 update. There are some good financial incentives, and reports are that the new 8.1 update is much better for the desktop than the original 8 or 8.1. Panic isn’t warranted, however, if you practice good hygiene: run multiple malware scanners and keep them updated; remove administrator rights from any accounts used to access the internet or external USB media; shut down, hibernate, or suspend the system when you are not actively using it; limit the activities you do on the system; and if possible, keep it behind a hardware firewall or NAT. I have an XP system that I’m using as a print server, and that’s what I’m doing.