News of this week’s massive and far-reaching OpenSSL vulnerability, “Heartbleed” (a bug in OpenSSL’s implementation of the TLS heartbeat extension that lets a remote peer read chunks of the affected process’s memory), has put all of us on our heels. In what I would call the equivalent of an Internet oil spill, individuals and organizations are scrambling to discover how to clean up this mess and get on with business as usual. This will not be a trivial or quick fix. I say this with conviction, as I personally know the challenges of keeping large amounts of highly complex infrastructure patched and secure to support both revenue and critical business operations. Certainly many C-level executives will be using the phrase “be quick, but don’t hurry” over the coming weeks and months. We use it to encourage a quick cadence of remediation for a problem of the gravity of this OpenSSL vulnerability, while everyone also wants to make sure proper due diligence is performed so that there is minimal impact on business operations and customers. It is also paramount that you don’t further increase your attack surface by moving so swiftly that configuration and deployment errors occur and open up other attack vectors in your environments. Patching the library alone is not the end of the job: any private keys, session cookies or credentials that may have sat in the memory of a vulnerable process should be treated as potentially exposed and rotated once the patched build is in place.
Not only is this impacting services that are legitimately conducting secure transactions, it is also causing shell shock in the Deep Web, as many of the hidden services within Tor (The Onion Router) are impacted as well. In an ironic twist, the same veil that allows for anonymous and “secure” transactions within the cyber underground is equally susceptible to attack: a hidden service that fronts its web server with a vulnerable OpenSSL build leaks the same process memory as any other server, including whatever keys and session data happen to be in it. So how is this impacting the shadow economies of the Dark Web? Quite honestly, it is most likely causing pause, as many of its constituents are grappling with the same questions about service and transaction integrity as normal web users. Users of these hidden services will have to balance their need to transact and support their nefarious lifestyles against the possibility of being exposed on what was thought, pre-Heartbleed, to be an “anonymous” platform. You can rest assured that law enforcement will be scanning ecosystems that are potential anonymous criminal networks, in an attempt to discern whether they can shine a bright light on communities once thought to be untraceable but now equally vulnerable due to this pervasive bug in OpenSSL.
Organizations with good and ill intentions alike are digging into their network diagrams and asset management systems in order to “boil the ocean” for this OpenSSL vulnerability as they try to determine risk and prioritize a remediation plan. Because the flaw is in a library rather than a single product, the inventory has to cover everything that links OpenSSL, not just web servers: load balancers, VPN gateways, mail servers, appliances and client software all need to be checked. The more mature organizations have been, and will be, able to communicate with their communities to spread awareness, discuss the get-well plan and see the process through to remediation. Trend Micro customers leveraging firewall and host intrusion prevention capabilities could have been shielded from this vulnerability within 24 hours of the announcement through recommendation scanning and virtual patching, which blocks malicious heartbeat requests on the wire while the underlying library is being updated. That is certainly a benefit that many users deploying anonymous Deep Web infrastructures don’t have.
Please add your thoughts in the comments below or follow me on Twitter: @jdsherry.