Imagine waking up one morning, and discovering that even though you’ve been locking the front door, a window had been left unlocked… for the past two years.
That’s what the internet community discovered early this week. OpenSSL, a free open-source toolkit that provides the security foundation for encrypting communication, left a window open on every server running OpenSSL 1.0.1 through OpenSSL 1.0.1f, for two years.
A vulnerability, known as the heartbleed bug, revealed that a simple programming error enables an attacker to read the contents of a 64kb chunk of server memory. Anything from passwords to private keys may be sitting within those 64kb. This flaw is unique because exploiting it requires no authentication and minimal sophistication, and the attack can be distributed. The risk it presents is unprecedented.
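To make the “simple programming error” concrete, here is an added illustration in C (not code from the original post or from OpenSSL itself): a simplified heartbeat record parser, following the RFC 6520 layout, that contrasts the bounds check the vulnerable 1.0.1 code lacked with the check the fix introduced. The sample records are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simplified TLS heartbeat record (RFC 6520):
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 * The bug: the server echoed payload_length bytes from its own buffer without
 * checking that many bytes had actually arrived, so it read past the request. */
#define HB_HEADER_LEN 3
#define HB_MIN_PADDING 16
#define HB_REQUEST 1

/* Hardened parser: the claimed length must fit inside the record actually
 * received, with room for the padding. Returns 0 and sets *payload_len, or -1. */
int parse_heartbeat(const uint8_t *rec, size_t rec_len, uint16_t *payload_len)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING || rec[0] != HB_REQUEST)
        return -1;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    /* the check OpenSSL 1.0.1g added: header + payload + padding <= record */
    if ((size_t)HB_HEADER_LEN + claimed + HB_MIN_PADDING > rec_len)
        return -1;
    *payload_len = claimed;
    return 0;
}

/* Constructed sample request (not captured traffic): 'claimed' is what the
 * header says, 'actual' is how many payload bytes follow. Returns record length. */
size_t build_heartbeat(uint8_t *out, uint16_t claimed, size_t actual)
{
    out[0] = HB_REQUEST;
    out[1] = (uint8_t)(claimed >> 8);
    out[2] = (uint8_t)(claimed & 0xff);
    memset(out + HB_HEADER_LEN, 'A', actual);
    memset(out + HB_HEADER_LEN + actual, 0, HB_MIN_PADDING);
    return HB_HEADER_LEN + actual + HB_MIN_PADDING;
}

/* Run one constructed record through both code paths. Returns the hardened
 * parser's verdict; *would_copy is the byte count the unchecked 1.0.1 code
 * trusted and would have sent back (up to 65535, i.e. the "64kb" chunk). */
int check_record(uint16_t claimed, size_t actual, size_t *would_copy)
{
    uint8_t rec[64];
    size_t len = build_heartbeat(rec, claimed, actual);
    *would_copy = ((size_t)rec[1] << 8) | rec[2];   /* rec_len never consulted */
    uint16_t n = 0;
    return parse_heartbeat(rec, len, &n);
}
```

A record that claims 65535 bytes of payload but carries 5 is accepted by the unchecked path and rejected by the hardened one; that single comparison is the whole fix.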
Renowned security expert Bruce Schneier rates this bug, on a 1 to 10 scale of severity, as an 11. Schneier goes on to say that because of the extraordinary length of exposure, we must assume, even after patching, that all private keys have been compromised, all passwords have been stolen, and anything really is vulnerable.
The mitigation prescribed by multiple leading experts is two-fold. First, the relatively low-cost update of server-side packages. Ironically, it was diligent updating of software that exposed servers to this bug in the first place, since only the newer 1.0.1 releases carried it. Second, re-generate all compromised secret data, i.e. public/private key pairs, SSL certificates, and every password. Let’s consider what this second mitigation achieves.
Netcraft reports that over 500,000 sites are vulnerable. The world now engages in a massive effort, of unimaginable cost, to reverse the effects of a careless coding error. And yet, even if all 500,000 sites are updated, all key pairs, certs and passwords changed, we’ve only returned to the state of internet security circa the end of 2011!
A window open for two years closes, but the mitigation is not complete. We’ve seen the Android Master Key vulnerability, the Target breach, and now heartbleed demonstrate that once perimeter defenses are broken, the crown jewels are exposed for the taking. Time after time, a breach occurs and a reactive mitigation is applied.
The heartbleed bug fundamentally changes what must be considered a viable attack surface for server-side exploits. Internal data has now been proven vulnerable, and perimeter defense will only delay the next breach, in which the heart of the enterprise is again exposed through memory-scanning vulnerabilities.
A layered approach that leverages security at the application layer is critical and obviously necessary.
Arxan’s Application Protection Platform provides binary hardening to protect the applications that manifest a business’s core assets – data and keys. Arxan’s unique application security embeds active Data Obfuscation Guards without changing server-side code, so that sensitive data, such as user credentials, passwords, or IDs, is protected from being sniffed out by these memory-scanning attacks. Data obfuscation renders the contents of memory useless to an attacker.
Arxan’s durable key protection can also be directly embedded into the server-side code and protects the critical data within server-side logic before it is deployed. Enterprise server keys and certificates will then include self-protection from compromise, so that even if perimeter defenses are breached again and server-side keys are pulled down, they will not be in clear/plain text or usable.
Clearly we must learn from the misconception that server-side code is not penetrable from client machines. Moving forward and learning from the pain and costs of the heartbleed breach, the lesson for security professionals is that scanning of server memory is possible and will likely happen again. Enterprise security strategies must evolve from 2011 to incorporate additional layers of server-side protection.
Arxan security experts strongly advise deploying a holistic security solution to protect the ‘soft and vulnerable’ center of an enterprise, so that once perimeter defenses (the crusty exterior) are defeated, the internals, where data and keys reside, are not left so very vulnerable and defenseless. Layering with Arxan’s Application Protection Platform hardens the soft and vulnerable interior of server-side memory, to mitigate enterprise risk and loss. This defense-in-depth approach assures that even if another memory-centric attack such as heartbleed occurs, valuable data and keys, as well as significant breach-related costs, will be spared.