Computer Security: “Heartbleed” - a disaster for privacy

“On a scale of 1 to 10, this is an 11,” claimed the well-known security expert Bruce Schneier. Indeed, the serious vulnerability dubbed “Heartbleed” affects everyone who relies on secure and private Internet communication. You cannot avoid it, so let’s see how it affects you.

 

“Heartbleed” is the name that has been given to a vulnerability in OpenSSL (CVE-2014-0160). This software implements “the Secure Socket Layer (SSL v2/v3) and Transport Layer Security (TLS) protocols as well as a full-strength general purpose cryptography library”. The SSL and TLS protocols are used to encrypt communication between a client and a server, and to ensure that your communication is safe from eavesdropping or spying - that is, until 2012, when OpenSSL 1.0.1 introduced this bug in its implementation of the TLS “heartbeat” extension (versions 1.0.1 through 1.0.1f are affected; 1.0.1g fixes it). A heartbeat request carries a payload and a field stating the payload’s length, and the vulnerable code echoes back as many bytes as that field claims without checking that they were actually received. A single malformed request therefore makes the peer, server or client, using OpenSSL (not necessarily a web server) return up to 64 kB of whatever happens to sit in its memory next to the request, and the request can be repeated as often as the attacker likes. What comes back can include not only the content of secured messages, such as passwords sent over HTTPS, but session cookies and the server’s private key itself.
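The following is an added example written for this article, not OpenSSL’s own code: a simplified model of the heartbeat handler showing the missing bounds check beside the corrected one. The record layout (type byte, two-byte big-endian payload length, payload, at least 16 bytes of padding) follows the TLS heartbeat extension; the “secret” placed after the record in a constructed memory arena stands in for whatever a real process happens to have on its heap, and the arena, the 300-byte claimed length and the handler names are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16      /* minimum padding a heartbeat record must carry */
#define ARENA_SIZE  512     /* simulated process memory (constructed for the demo) */

typedef int (*hb_handler)(const unsigned char *, size_t, unsigned char *, size_t *);

/* Lay out simulated memory: a heartbeat request whose length field claims
 * `claimed_len` payload bytes but which really carries `actual_len` bytes,
 * followed (8 bytes later) by unrelated data, the constructed `secret`.
 * Returns the length of the record the TLS layer actually received. */
static size_t build_arena(unsigned char *arena, uint16_t claimed_len,
                          size_t actual_len, const char *secret) {
    memset(arena, 0, ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memset(arena + 3, 'A', actual_len);                    /* the real payload */
    size_t record_len = 3 + actual_len + HB_PADDING;
    strcpy((char *)arena + record_len + 8, secret);        /* neighbouring heap data */
    return record_len;
}

/* Vulnerable behaviour (OpenSSL 1.0.1 to 1.0.1f): the length field in the
 * packet is trusted and never compared with the record length received.
 * The caller's `resp` buffer must hold 3 + claimed payload + padding bytes. */
int heartbeat_vulnerable(const unsigned char *rec, size_t record_len,
                         unsigned char *resp, size_t *resp_len) {
    (void)record_len;                         /* never consulted: that is the bug */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);       /* over-read: copies whatever follows the record */
    *resp_len = 3 + payload + HB_PADDING;     /* padding left as zeros in this model */
    return 0;
}

/* Fixed behaviour (OpenSSL 1.0.1g): a record whose claimed payload does not
 * fit inside what was actually received is silently discarded. */
int heartbeat_fixed(const unsigned char *rec, size_t record_len,
                    unsigned char *resp, size_t *resp_len) {
    if (record_len < 1 + 2 + HB_PADDING) return -1;       /* too short to be valid */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > record_len) /* the missing check */
        return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);       /* now guaranteed to stay inside the record */
    *resp_len = 3 + payload + HB_PADDING;
    return 0;
}

static int contains(const unsigned char *hay, size_t hay_len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Send a malicious request (4 real payload bytes, 300 claimed) to `handler`.
 * Returns 1 if the neighbouring secret ends up in the response, 0 if it does
 * not, and -1 if the handler dropped the record. */
int leaks_secret(hb_handler handler, const char *secret) {
    unsigned char arena[ARENA_SIZE];
    unsigned char resp[ARENA_SIZE + 3 + HB_PADDING];
    size_t resp_len = 0;
    size_t record_len = build_arena(arena, 300, 4, secret);
    if (handler(arena, record_len, resp, &resp_len) != 0) return -1;
    return contains(resp, resp_len, secret);
}

/* Send an honest request (claimed length equals the 4 bytes really present).
 * Returns the response length, or -1 if the handler dropped it. */
long honest_response_len(hb_handler handler) {
    unsigned char arena[ARENA_SIZE];
    unsigned char resp[ARENA_SIZE + 3 + HB_PADDING];
    size_t resp_len = 0;
    size_t record_len = build_arena(arena, 4, 4, "");
    if (handler(arena, record_len, resp, &resp_len) != 0) return -1;
    return (long)resp_len;
}

int main(void) {
    const char *secret = "pw=constructed-demo-secret";   /* constructed sample data */
    printf("vulnerable handler leaks secret: %d\n", leaks_secret(heartbeat_vulnerable, secret));
    printf("fixed handler leaks secret:      %d (-1 = record dropped)\n",
           leaks_secret(heartbeat_fixed, secret));
    printf("honest request, fixed handler:   %ld bytes echoed\n",
           honest_response_len(heartbeat_fixed));
    return 0;
}
```

The model keeps the over-read inside the constructed arena so it runs deterministically; in a real process the same `memcpy` walks into whatever the allocator placed after the record, which is why repeated requests can turn up cookies, passwords and private key material. Note that the fix is a comparison against the length the record layer knows it received, not against the attacker-supplied field: any check derived from the packet’s own length field would be equally meaningless.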
 
This has become a catastrophe as OpenSSL is widely used in many different applications, including Linux distributions, NetApp storage systems, Cisco or Juniper VPN appliances, HP management software… It comes as no surprise that Facebook, Yahoo and even Google were concerned. CERN is no exception and, as CERN takes security very seriously, it is taking all the necessary measures to prevent potential exploitation of the “Heartbleed” vulnerability. Fortunately, LXPLUS, CERN Eduroam, the CERN mail service, the CERN Single Sign-On portal, most of the centrally managed web servers and all major CERN web applications (e.g. EDMS, EDH) were not affected. Similarly, EGI and OSG have launched their own emergency response procedures to ensure that the Grid infrastructure is kept safe.
 
So what can you do?

  • Thanks to many of our colleagues at CERN - in the IT Department, in technical departments and in the LHC experiments - our server infrastructure is fine;
  • As a preventive measure, you will have been asked to change the password of all your CERN accounts (you can do this at https://cern.ch/account);
  • If you run your own web/file/etc. server using a Linux operating system like CERN Scientific Linux 6, make sure you apply all pending patches as soon as possible (e.g. through “yum update”), then restart the affected services or reboot, since a running process keeps the old OpenSSL library loaded until it is restarted; if the server was reachable while vulnerable, also replace its certificate and private key, as they may have been read out (SLC5 and Windows Server are OK, as neither uses an affected OpenSSL version);
  • If you run Microsoft Windows, Apple MacOS X/iOS or Linux on your office PC/laptop/tablet, and use a web browser like Chrome, Firefox or Internet Explorer, you should be fine on the client side. This also holds for your computers at home;
  • If you are a customer of external web services like Facebook, Google, Yahoo or others, check for their messages and consider changing your password with them. They should all have fixed any potential vulnerability by now; change your password only once a service confirms it has been patched, as a new password sent to a still-vulnerable server can leak just like the old one.
     

Check out our website for further information, answers to your questions and help, or e-mail Computer.Security@cern.ch.

If you want to learn more about computer security incidents and issues at CERN, just follow our Monthly Report.


Access the entire collection of Computer Security articles here.

by Computer Security Team