[SingCERT] Updates for OpenSSL Heartbleed Vulnerability for End-Users
Published on Monday, 14 April 2014 18:00
[ Background ]
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows the stealing of protected information and allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.
[ How are you affected? ]
- Information such as users' usernames and passwords might be stolen.
o Attackers exploit the vulnerability by sending large volumes of attack traffic to vulnerable services in order to retrieve parts of the information held in the servers' memory. The contents of that memory change frequently, but by taking many snapshots of it, an attacker may, with luck, capture usernames, passwords and other useful information. If the vulnerable server happens to be processing your information (e.g. handling your login, or loading your emails for viewing) while a snapshot is taken, the attacker may get a glimpse of your information.
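The mechanism described above, modelled as an added Python example that is not part of the advisory: a heartbeat record carries a claimed payload length, the unpatched handler trusts that field and copies that many bytes, and the patched handler rejects any record whose claimed payload does not fit inside what was actually received. The record layout and the two length checks follow RFC 6520 and the published OpenSSL fix; the sample records are constructed here.

```python
import struct
from typing import Optional

# Constructed model of a TLS heartbeat record body (RFC 6520): 1-byte type,
# 2-byte big-endian payload_length, payload, then at least 16 bytes of padding.
HB_REQUEST = 1
PADDING = 16


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Build a heartbeat record. claimed_len lets a test model a length field
    that does not match the payload actually sent."""
    length = len(payload) if claimed_len is None else claimed_len
    return bytes([HB_REQUEST]) + struct.pack("!H", length) + payload + b"\x00" * PADDING


def bytes_echoed_unpatched(record: bytes) -> int:
    """Model of the pre-fix handler: it trusts payload_length from the message
    and copies that many bytes starting after the 3-byte header, however long
    the record really is. Bytes past the record end come from adjacent memory."""
    return struct.unpack("!H", record[1:3])[0]


def bytes_echoed_patched(record: bytes) -> Optional[int]:
    """Model of the fixed handler: discard any record whose declared payload
    (plus header and minimum padding) does not fit in the bytes received."""
    if 1 + 2 + PADDING > len(record):
        return None  # too short to even hold a header and padding
    claimed_len = struct.unpack("!H", record[1:3])[0]
    if 1 + 2 + claimed_len + PADDING > len(record):
        return None  # declared payload extends beyond the record
    return claimed_len


def over_read(record: bytes) -> int:
    """How many bytes of unrelated memory the unpatched handler would disclose
    for this record: claimed payload minus what actually follows the header."""
    return max(0, 3 + bytes_echoed_unpatched(record) - len(record))


if __name__ == "__main__":
    good = build_heartbeat(b"ping")
    bad = build_heartbeat(b"ping", claimed_len=65535)  # constructed mismatch
    print("well-formed:", bytes_echoed_patched(good), "leaked:", over_read(good))
    print("mismatched: ", bytes_echoed_patched(bad), "leaked:", over_read(bad))
```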
[ Points to note and recommended actions for end users ]
- End users are advised to wait for instructions from their service providers who need time to secure their systems and services. Once the fixes are in place, service providers will notify their users to change their passwords immediately. It does not help to change passwords before the fix is in place. Please follow the instructions given by the respective service providers.
- End users are advised to avoid visiting websites that are vulnerable to the Heartbleed bug.
- Note that not all websites which have implemented HTTPS are vulnerable. OpenSSL is one open-source implementation of SSL; there are commercial SSL implementations that are not vulnerable to Heartbleed, and there are also versions of OpenSSL that are not vulnerable at all.
- Some vulnerable services may already have mitigation measures in place. For example, if a service has implemented two-factor authentication (2FA), this mitigates the impact of a leaked password.
- There are now online tools available to determine whether a service is vulnerable to the Heartbleed vulnerability. Please search online for "check heartbleed online".
- End users are advised to exercise standard "safe computing" practices: use strong passwords, keep your systems updated with the latest patches, use anti-malware solutions, be cautious of links distributed via e-mail.
- End users are advised to heed the instructions of their service providers on precautionary or remedial actions, if any.
Note: News of the Heartbleed bug is circulating online and can be manipulated for phishing and scamming purposes. As a precautionary measure, avoid responding to emailed invitations to reset your password. Instead, visit the site by either using a trusted bookmark or searching for the site in question. When in doubt, contact your service provider for validation. Bear in mind that service providers would never ask for your login credentials over email.
[ References ]