The fallout begins

Early reports of the Heartbleed fallout are beginning to emerge from around the globe. In what is believed to be the first public disclosure, Mumsnet.com, the popular UK parenting site with over 1.5 million members, reported that it believes cyber thieves obtained user data last week before they were able to apply the patch their security flaw on Saturday. Additional information here.

In another example, Canadian authorities reported that the confidential information of 900 Canadian taxpayers was stolen before the Canadian Revenue Agency temporally shutdown access to their website. Additional information here.

86 cloud services still vulnerable

Skyhigh’s Service Intelligence Team continues to monitor the vulnerability status of cloud services. As of this morning at 8:00AM PDT, 282 of the 368 services we originally reported as being vulnerable had been patched. That means 86 cloud services, even 6 days after Heartbleed, still have not been patched. The number of cloud services that remain vulnerable to the Heartbleed bug is shown below, and we will continue to monitor our cloud service registry until this number has reached zero.

heartbleed chart3

Patching not enough

Unfortunately tracking this number down to zero only fixes half of the problem. Early reports that patching would resolve the issue are incorrect. Patching the site prohibits attackers from continuing to steal data, but if an attacker obtained the site’s certificate and private keys they could impersonate the site on the web, enabling further fraudulent activity. After patching, affected cloud services must reissue certificates AND regenerate key pairs.

According to Gartner’s Erik Heidt, “The existence of this fault on a server undermines any confidence in the confidentially of keys that have been used on that server. Issuing a new certificate is necessary, but not sufficient. Many organizations perform ‘lazy’ certificate rotations, and do not create new keys! This is a bad practice. Because this attack enables the recovery of the private key itself, certificate rotation alone will not protect you! New private keys must be generated.”

How can Skyhigh help?

Last week we sent the list of vulnerable services to our customers. We then helped them identify which employees had used each of the affected services. This enabled our customers to rapidly advise and protect the specific employees who had used vulnerable services, following the specific steps outlined in last week’s blog. If you’d like Skyhigh to perform a free a Heartbleed Audit for your organization, enabling you to identify vulnerable services used by your employees and who used them, simply contact us at heartbleedaudit@skyhighnetworks.com.