When the Heartbleed bug first came to light, security expert Bruce Schneier accurately asserted, “On a scale of 1 to 10, this is an 11.” For years, it was assumed that the encryption behind the “s” in HTTPS, which on a very large share of servers is provided by OpenSSL, was keeping sensitive information safe from prying eyes and the malicious intent of cyber criminals. Heartbleed blew that false sense of security out the door, and quickly.
The implications for consumers and enterprises alike were frightening at best and potentially catastrophic at worst. Fingers were pointed, security tokens and certificates were revoked and renewed, and once again, experts wasted no time analyzing how such a wide-scale vulnerability was possible to begin with and escaped detection for so long.
However, if there is an overarching lesson to be taken away from this security nightmare, it's this: There is no one technology that can be relied upon to comprehensively protect sensitive data, corporate networks or private communications.
Why was OpenSSL so popular?
Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are the protocols that secure a wide range of communications across the Internet, from instant messaging to remote access. Heartbleed is not a flaw in those protocols but in one open source implementation of them, aptly called OpenSSL. The bug gets its name from the feature it abuses: the TLS heartbeat extension (RFC 6520), which lets a client and server check that the other side is still alive by sending a small payload and having it echoed back. A heartbeat request states how long its payload is, and vulnerable OpenSSL versions (1.0.1 through 1.0.1f) trusted that stated length instead of checking it against the data actually received. A request that claimed a large payload therefore got back up to 64 KB of whatever happened to sit next to it in the server's memory, and repeating the request let an attacker harvest private keys, session cookies and passwords, with nothing about the exchange appearing in ordinary server logs. With the server's private key in hand, traffic that should have been encrypted can be read in plain text. But the obvious question here is: why is OpenSSL such a popular form of encryption to begin with?
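Before getting to that question, the mechanics are worth seeing in code. What follows is an added example written for this article, not code from the original post or from OpenSSL itself: it models a heartbeat record in a small constructed memory arena, with a constructed session cookie placed just past the record, and puts a handler that trusts the message's own length field (the shape of the bug in OpenSSL 1.0.1 through 1.0.1f) beside one that performs the length check the 1.0.1g patch added. The arena, the cookie and the function names are all assumptions for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16      /* RFC 6520 minimum padding after the payload */
#define ARENA_SIZE  256

/* Constructed stand-in for the server's heap: the heartbeat record sits at
 * the start and a secret sits right after it. In a real process the
 * neighbouring bytes are whatever was allocated next to OpenSSL's buffer. */
static unsigned char arena[ARENA_SIZE];
static const char SECRET[] = "SESSIONID=deadbeef-cookie-for-user-alice";

/* Write a heartbeat request into the arena. claimed_len is the 16-bit
 * payload_length field the attacker controls; real_len is how many payload
 * bytes are actually sent. Returns the true record length. */
static size_t build_request(uint16_t claimed_len, const char *payload, size_t real_len)
{
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, real_len);
    size_t rec_len = 3 + real_len + HB_PADDING;
    memcpy(arena + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

/* Vulnerable handler: trusts the length inside the message and never compares
 * it to the record length, so memcpy reads past the end of the request.
 * Returns bytes written to out, or -1. The arena bound only keeps this demo
 * memory-safe; the real bug had no such bound (up to 64 KB per request). */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                        /* the missing check */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (3 + payload + HB_PADDING > out_cap) return -1;    /* response buffer */
    if ((size_t)(rec - arena) + 3 + payload > ARENA_SIZE) return -1; /* demo only */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);                    /* over-read happens here */
    return (int)(3 + payload);
}

/* Fixed handler, following the 1.0.1g patch: silently discard (as RFC 6520
 * requires for malformed heartbeats) unless the record really holds the
 * claimed payload plus padding. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap)
{
    if (rec_len < 3 + HB_PADDING) return 0;               /* header + padding */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (3 + payload + HB_PADDING > rec_len) return 0;     /* the added check */
    if (3 + payload + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    return (int)(3 + payload);
}

/* Byte-wise search, since the response is not NUL-terminated. */
static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Malicious request: 4 real payload bytes, claims 100. Returns 1 if the
 * vulnerable handler's response carries the secret. */
int vulnerable_leaks_secret(void)
{
    unsigned char out[ARENA_SIZE];
    size_t rec_len = build_request(100, "ping", 4);
    int n = heartbeat_vulnerable(arena, rec_len, out, sizeof out);
    return n > 0 && contains(out, (size_t)n, SECRET);
}

/* Same request against the fixed handler: 0 means silently discarded. */
int fixed_discards_malformed(void)
{
    unsigned char out[ARENA_SIZE];
    size_t rec_len = build_request(100, "ping", 4);
    return heartbeat_fixed(arena, rec_len, out, sizeof out);
}

/* Honest request: claims exactly what it sends, so the fixed handler echoes
 * 3 + 4 bytes and nothing past the payload. */
int fixed_echoes_honest(void)
{
    unsigned char out[ARENA_SIZE];
    size_t rec_len = build_request(4, "ping", 4);
    int n = heartbeat_fixed(arena, rec_len, out, sizeof out);
    return n == 7 && memcmp(out + 3, "ping", 4) == 0 && !contains(out, (size_t)n, SECRET);
}

int main(void)
{
    printf("vulnerable handler leaks secret:      %d\n", vulnerable_leaks_secret());
    printf("fixed handler discards malformed:     %d\n", fixed_discards_malformed() == 0);
    printf("fixed handler echoes honest request:  %d\n", fixed_echoes_honest());
    return 0;
}
```

The point the comparison makes is how small the fix was: one comparison of a length the peer supplied against a length the server itself knows. Heartbleed is a bounds-check omission, not a cryptographic weakness, which is why patching OpenSSL alone is not enough; anything the leaked memory may have contained (keys, certificates, sessions, passwords) has to be treated as compromised and replaced.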
Because it's open source and free to use, enterprises do not need to spend resources developing and maintaining their own SSL/TLS implementation. Consequently, there's very little overhead associated with an OpenSSL deployment, an enticing feature for budget-constrained IT departments. Further, up to this point, it was widely regarded as a quality product that delivered good security; an OpenSSL FIPS module even carried U.S. government FIPS 140-2 validation. What that popularity hid was how thinly the project itself was resourced: a handful of mostly volunteer developers and a very small budget were maintaining code that a large fraction of the Internet depended on.
But as Target learned the hard way this past holiday season, the bigger you are, the bigger a target you become, and that applies to a ubiquitous software library as much as to a retailer.
According to Dark Reading's Mathew J. Schwartz, researchers at Mandiant reported a successful attack on a VPN appliance that began on April 8th, just one day after OpenSSL published its security advisory on April 7, 2014.
“The attacker repeatedly sent malformed heartbeat requests to the HTTPS Web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users,” said Mandiant technical director Christopher Glyer.
Using a stolen session token, the attacker was able to convince the VPN concentrator that they were a legitimately authenticated user, which sidestepped the device's multi-factor authentication entirely, since the real user had already completed it before the token was issued. Once inside the network, the attacker attempted to escalate privileges within the victim's organization. For defenders, the telling sign was in the VPN logs: a single session whose source address kept switching back and forth between the legitimate user's IP and the attacker's, alongside IDS alerts on the malformed heartbeat requests.
It's evident from the ongoing aftermath of Heartbleed that relying on a single security technology, be it OpenSSL or another, is not a sound mobile security plan. Patching the library is only the first step; because the leaked memory could have held anything, a complete response also means generating new private keys, reissuing and revoking certificates, invalidating existing sessions and tokens, and forcing password changes, together with the layered monitoring that let Mandiant spot the attack at all.