Retailers rush to plug Heartbleed leaks

The revelation last week of the Heartbleed bug has had retailers scrambling to both find vulnerabilities and reassure customers, but the threat is far from over.
The bug allows anyone on the internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. The vulnerability is present in sites powered by OpenSSL versions 1.0.1 through 1.0.1f, explained Mark McCurley, CISSP, CAP, Security+, senior information security advisor at IDT 911 Consulting.

Heartbleed allows hackers to trick most systems running any version of OpenSSL, revealing blocks of stored data from the past two years, data that's just sitting in a system's memory. This includes the keys the system uses to encrypt information — exactly the kind of information that shoppers enter and store when making online purchases.

And it's been here, hiding in plain sight for close to two years.

Many of the larger retailers, including Amazon, Target and eBay, say they were not exposed to the Heartbleed bug, although smaller website operators could be facing lengthy fixes.

Most online retailers' Web servers use a version of Linux for their operating system, which in turn uses OpenSSL to provide secure encrypted browsing for shoppers.  

And now it seems that mobile devices, most notably Android handsets, could be vulnerable.

Although most versions of Android are immune to Heartbleed, those running version 4.1.1 are not, according to Google (NASDAQ:GOOG). With roughly 34 percent of users never receiving an update, close to 50 million Android users are left vulnerable to the bug, reported Ars Technica.

Google has said it's working to release a patch, but again, many users don't download patches so vulnerabilities will remain.

But some tools believed to detect Heartbleed may prove to be inaccurate, warned cyber security firm Hut3. The London-based firm warned that 95 percent of the tools available are themselves fatally flawed. "A lot of companies out there will be saying they've run the free Web tool and they're fine, when they're not," Hut3's Edd Hardy told The Guardian. "There's absolute panic. We're getting calls late at night going 'can you test everything.'"

Hut3 found that most tools rely on proof-of-concept code written by developer Jared Stafford to highlight the flaw. But that code itself has the bug, said Hut3 penetration tester Adrian Hayter. Tools built on it included ones created by Intel-owned security firm McAfee and password management provider LastPass, reported The Guardian.

Most detection tools only check one version of SSL: TLSv1.1. But if the server being tested for Heartbleed doesn't support TLSv1.1, and many don't, the connection will be rejected. The checkers take that to mean the checked site is not vulnerable.

Similarly, most are checking just a fraction of the cipher suites, the algorithms used to set up a secure connection over the internet. "Once again, if the server does not support any of the cipher suites that the client sends, the connection will disconnect," said Hayter.

Of the tools Hayter examined, most supported about 51 cipher suites of the 318 potential cipher suites in use. Hut3 has created its own tool, but Heartbleed detection is still a work in progress.
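The two checker defects Hayter describes, a narrow offer of TLS versions and cipher suites plus treating a rejected handshake as "not vulnerable", can be modelled without touching a real server. The following is an added illustration, not the page's, Hut3's or any vendor's code; the server, the cipher-suite lists and the patch state are constructed, and the heartbeat probe is a stand-in that only reports that constructed state.

```python
# Added model of the Hut3 finding (not the page's or Hut3's code): a checker that
# offers only TLSv1.1 and a short cipher-suite list cannot tell "handshake rejected"
# from "not vulnerable". Servers, suites and the patch state are constructed here.
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    VULNERABLE = "vulnerable"
    NOT_VULNERABLE = "not vulnerable"
    INCONCLUSIVE = "inconclusive: no TLS handshake could be negotiated"


@dataclass(frozen=True)
class Server:
    versions: frozenset        # TLS versions the server accepts
    cipher_suites: frozenset   # cipher suites the server accepts
    heartbleed: bool           # constructed: running OpenSSL 1.0.1 through 1.0.1f


def negotiate(server, client_versions, client_suites):
    """Mimic the handshake: the server needs one common version and one common suite."""
    versions = sorted(server.versions & set(client_versions), reverse=True)
    suites = [s for s in client_suites if s in server.cipher_suites]
    if not versions or not suites:
        return None  # server alerts and closes the connection
    return versions[0], suites[0]


def probe_heartbeat(server):
    """Stand-in for the heartbeat probe; it only reports the constructed patch state."""
    return server.heartbleed


def naive_check(server, client_versions, client_suites):
    """The flawed logic Hut3 describes: a failed handshake is reported as 'not vulnerable'."""
    if negotiate(server, client_versions, client_suites) is None:
        return Verdict.NOT_VULNERABLE
    return Verdict.VULNERABLE if probe_heartbeat(server) else Verdict.NOT_VULNERABLE


def careful_check(server, client_versions, client_suites):
    """Corrected logic: a failed handshake proves nothing and is reported as such."""
    if negotiate(server, client_versions, client_suites) is None:
        return Verdict.INCONCLUSIVE
    return Verdict.VULNERABLE if probe_heartbeat(server) else Verdict.NOT_VULNERABLE


# Constructed sample: an unpatched server that only speaks TLSv1.0 with one RSA/3DES suite.
LEGACY_SERVER = Server(frozenset({"TLSv1.0"}), frozenset({"TLS_RSA_WITH_3DES_EDE_CBC_SHA"}), True)
NARROW_SUITES = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
FULL_SUITES = NARROW_SUITES + ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA"]

if __name__ == "__main__":
    print("naive  :", naive_check(LEGACY_SERVER, ["TLSv1.1"], NARROW_SUITES).value)
    print("careful:", careful_check(LEGACY_SERVER, ["TLSv1.0", "TLSv1.1", "TLSv1.2"], FULL_SUITES).value)
```

The naive run reports the unpatched legacy server as "not vulnerable"; the careful run with a wider offer reaches the probe and reports it as vulnerable, and with the narrow offer it reports "inconclusive" rather than a false all-clear.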

For more:
-See this Guardian story
-See this Retail Wire discussion
