The Heartbleed bug is the biggest thing to hit the security world for a while.  So what do you need to know about this bug?  Anitian has a quick summary.

What is Heartbleed? It is a bug in OpenSSL, a common encryption library used on web servers.
Is it bad? Yes, but no worse than other serious bugs that are reported every day.
What is affected?
  • Any server exposed to the Internet that uses the OpenSSL library.
  • Mostly Linux and BSD systems.
  • Windows IIS servers are largely unaffected (unless they have some special OpenSSL implementation).
Are hackers actively exploiting this? Yes.
What do I need to do to stop it?
  • Patch affected systems. 
  • Update your IPS signatures to detect and block it.
I can’t patch! My management or my vendor won’t let us patch. Then you will get hacked. Good patch management (especially for third-party applications) is a best practice. If you do not have a good patching system, then you have bigger problems than Heartbleed.
Where do I get patches? Vendors are aggressively releasing patches.  Visit your vendor’s sites. http://heartbleed.com has a list for some.
IPS signatures? Nearly every decent IPS can detect and block Heartbleed at this point.  This is why a good IPS is such an important part of a security program.
Can we blame Microsoft? No.
Can I blame the NSA? No.
Can we blame the open source community? No.
Can we blame the Chinese? No.
Who can we blame? Nobody. Blame is a useless effort.
Why did this happen? Bugs are a fact of life. It is an accident in coding, not part of some massive conspiracy.
Do I need to read long-winded whitepapers full of source code to understand Heartbleed? No. You can visit http://heartbleed.com and get a basic overview of the technical details.
How do I know if I am vulnerable? Qualys has an awesome free testing tool: https://www.ssllabs.com/ssltest/
Should I rush out and blow a massive wad of money on new security appliances? No.
Should I change all my on-line passwords? Optional.  It is best practice to change important passwords regularly (like every 90 days).  It is highly unlikely that your credentials are compromised due to Heartbleed.  It is much more likely that malware on your own PC would cause that.  As such, you would be better served upgrading your malware defenses than rushing to change all your passwords.
Should I logoff the Internet and stop using it? Yes, but not because of Heartbleed but because you should have a life outside of computers.
Why aren’t you terrified about this? Anitian does not believe in spreading panic and hype.  We find that behavior immature.  We believe in a methodical, rational response.  Heartbleed is no worse than many other bugs, and with some simple patching the entire problem goes away.
Why does it have the name Heartbleed? The flaw in the code involves a function called “TLS heartbeat.” The name comes from the ability of hackers to “bleed” data off the server by exploiting this function.
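As an added illustration that is not part of Anitian's post: the Heartbleed flaw was a missing length check in OpenSSL's handling of the TLS heartbeat message, which let a peer claim a larger payload than it actually sent and receive whatever memory followed. The function below is a simplified, hypothetical heartbeat handler (not OpenSSL's code; the message layout follows RFC 6520 and all names are assumptions) showing the check that closes the hole.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* RFC 6520 heartbeat message as carried in one TLS record body:
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_TYPE_REQUEST  1
#define HB_TYPE_RESPONSE 2
#define HB_MIN_PADDING   16

/* Validate a heartbeat request and, if it is well formed, build the echo
 * response into out. Returns the response length, or -1 when the declared
 * payload length does not fit inside the record that actually arrived. */
int heartbeat_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_TYPE_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];

    /* The bounds check the vulnerable code lacked: the peer's claimed
     * payload length must fit in the bytes that were actually received.
     * Without it, the memcpy below reads past the record into whatever
     * the process happens to hold in memory and sends it back. */
    if (1 + 2 + payload + HB_MIN_PADDING > rec_len) return -1;

    size_t resp_len = 1 + 2 + payload + HB_MIN_PADDING;
    if (resp_len > out_cap) return -1;

    out[0] = HB_TYPE_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);            /* echo only what we got */
    memset(out + 3 + payload, 0, HB_MIN_PADDING); /* real code uses random padding */
    return (int)resp_len;
}

/* Constructed sample: a well-formed request with a 4-byte payload. */
int check_well_formed(void)
{
    uint8_t req[3 + 4 + 16] = {HB_TYPE_REQUEST, 0, 4, 'p', 'i', 'n', 'g'};
    uint8_t out[64];
    int n = heartbeat_response(req, sizeof req, out, sizeof out);
    return (n == 23 && memcmp(out + 3, "ping", 4) == 0) ? n : -1;
}

/* Constructed sample: same 23-byte record, but it claims 0x4000 payload bytes. */
int check_oversized(void)
{
    uint8_t req[3 + 4 + 16] = {HB_TYPE_REQUEST, 0x40, 0x00, 'p', 'i', 'n', 'g'};
    uint8_t out[64];
    return heartbeat_response(req, sizeof req, out, sizeof out);
}
```

An IPS signature for Heartbleed applies the same arithmetic to traffic on the wire: a heartbeat whose declared payload length exceeds the enclosing record is malformed and can be dropped before it reaches an unpatched server.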

For more information please visit www.anitian.com