“All government agencies and enterprises should run a quick inventory of all their servers and PCs, such as those that host web sites, email and chats,” said Angel Averia, President of the Philippines Computer Emergency Response Team (PhCERT).
“Computers that are running with OpenSSL implemented more than two years ago and have not been upgraded since may not be as vulnerable. However, those running OpenSSL versions later than the first implementation of Heartbleed should be deemed to be vulnerable and appropriate action must be taken,” he added.
The Malaysia CERT (MyCERT) has since notified the relevant parties in government about the threat and released two alerts on how to mitigate the problem, Megat Muazzam Abdul Mutalib, Head of Department at MyCERT, told FutureGov.
The most recent advisory by MyCERT explained the impact of the Heartbleed vulnerability and provided a step-by-step guide to fix it.
The US Department of Homeland Security (DHS) has been working with other agencies to analyse their systems, identify where the Heartbleed vulnerability exists, and implement a response without disrupting critical operations.
According to a recent update by DHS National Protection and Programs Directorate, Deputy Under Secretary for Cybersecurity, Phyllis Schneck, “[We have] enabled our network defences across the Executive branch to detect someone trying to use the exploit and in many cases to block those attempts. We have begun scanning government networks for this vulnerability to ensure that we know where it exists.”
The Department has also issued technical alerts and mitigation steps through the National Cybersecurity and Communications Integration Center (NCCIC) and engaged with industry partners to discuss the threat posed by Heartbleed.
DHS has also reached out to State and local governments through the Multi-State Information Sharing and Analysis Center (MS-ISAC) community to address the Heartbleed issue.
Gary Coverdale, Chief Information Security Officer at the California County of Napa (and a member of MS-ISAC), said, “The big takeaway is to test your sites as well as all partners’ environments, remediate, and then be aggressive in changing all passwords associated with those sites.”
Coverdale also suggested that State and local agencies, as a public service, should reach out to their local constituents with education and tools to test sites - such as banking and purchasing sites - and encourage the public to change passwords to protect themselves.
Chong Rong Hwa, Senior Malware Researcher at FireEye, said that organisations should adopt a patching strategy that prioritises servers and devices according to their exposure risk. “Due to the severity of information exposure, system owners should also consider resetting of administrator and user passwords, reissuing of SSL certificates, conducting of security assessments, as well as auditing systems and network hygiene.”
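The two pieces of advice above, Averia's version-based assessment and Chong's exposure-ranked patching with certificate and password rotation, can be turned into a first-pass triage script. The following is an added example written for this page, not a tool from PhCERT, FireEye or any of the CERTs quoted. The host inventory in it is constructed sample data and the hostnames are placeholders. The version facts it encodes are OpenSSL's own: releases 1.0.1 through 1.0.1f and 1.0.2-beta1 contain the Heartbleed bug (CVE-2014-0160), 1.0.1g and 1.0.2-beta2 fixed it, and the 0.9.8 and 1.0.0 branches never had TLS heartbeat support. The important caveat, which the script states in its status names, is that a version string cannot reveal a distribution's backported fix or a build compiled without heartbeats, so "presume vulnerable" must be confirmed or cleared by a live heartbeat test or the vendor's package advisory.

```python
"""Heartbleed (CVE-2014-0160) triage from OpenSSL version strings.

Added example for this article, not code from any party quoted in it.
Affected upstream releases: 1.0.1 through 1.0.1f, and 1.0.2-beta1.
Fixed in 1.0.1g and 1.0.2-beta2. 0.9.8.x and 1.0.0.x never had TLS heartbeats.
A banner alone cannot see a distro backport or a -DOPENSSL_NO_HEARTBEATS build,
so 'presume_vulnerable' means: treat as exposed until a live test clears it.
"""
import re
from typing import List, NamedTuple, Tuple

# Matches e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013" and "OpenSSL 1.0.2-beta1 24 Feb 2014".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

NOT_AFFECTED = "not_affected"
FIXED = "fixed"
VULNERABLE = "presume_vulnerable"
UNKNOWN = "unknown"


def letters_to_int(patch: str) -> int:
    """OpenSSL patch-letter suffix as an ordinal: '' -> 0, 'a' -> 1, 'f' -> 6, 'g' -> 7."""
    n = 0
    for ch in patch:
        n = n * 26 + (ord(ch) - ord("a") + 1)
    return n


def classify(banner: str) -> str:
    """Classify an `openssl version` banner against the Heartbleed-affected ranges."""
    m = VERSION_RE.search(banner)
    if not m:
        return UNKNOWN
    major, minor, fix, patch, beta = m.groups()
    release = (int(major), int(minor), int(fix))
    if release < (1, 0, 1):
        return NOT_AFFECTED  # 0.9.8 and 1.0.0 branches carry no heartbeat code
    if release == (1, 0, 1):
        # 1.0.1 (no letter) .. 1.0.1f are vulnerable; 1.0.1g is the fix release
        return VULNERABLE if letters_to_int(patch) < letters_to_int("g") else FIXED
    if release == (1, 0, 2):
        if beta is not None:
            return VULNERABLE if int(beta) < 2 else FIXED  # only 1.0.2-beta1 shipped the bug
        return FIXED  # 1.0.2 final and later letters
    return FIXED  # 1.1.x and newer branches


class Host(NamedTuple):
    name: str       # placeholder hostname (constructed for this example)
    exposure: str   # "internet" or "internal"
    banner: str     # output of `openssl version` on that host


# Follow-up work per status, mirroring the article's advice: patch, then rotate
# secrets that may have leaked, then assess. A host that is patched today may
# still have leaked keys while it ran an affected release, hence the FIXED note.
ACTIONS = {
    VULNERABLE: ["upgrade OpenSSL and restart every TLS-linked service",
                 "reissue SSL certificates and revoke the old ones",
                 "reset administrator and user passwords",
                 "run a security assessment and audit system and network hygiene"],
    FIXED: ["confirm when the fix was applied; if the host ran 1.0.1-1.0.1f while "
            "reachable, still reissue certificates and reset passwords"],
    NOT_AFFECTED: [],
    UNKNOWN: ["identify the OpenSSL build by hand or with a live heartbeat test"],
}

STATUS_RANK = {VULNERABLE: 0, UNKNOWN: 1, FIXED: 2, NOT_AFFECTED: 3}
EXPOSURE_RANK = {"internet": 0, "internal": 1}


def triage(hosts: List[Host]) -> List[Tuple[str, str, List[str]]]:
    """Return (hostname, status, actions), presumed-vulnerable internet-facing hosts first."""
    rows = [(h, classify(h.banner)) for h in hosts]
    rows.sort(key=lambda r: (STATUS_RANK[r[1]], EXPOSURE_RANK.get(r[0].exposure, 2), r[0].name))
    return [(h.name, status, ACTIONS[status]) for h, status in rows]


# Constructed inventory; the banners are real OpenSSL release strings, the hosts are not.
SAMPLE_INVENTORY = [
    Host("mail.example.com", "internet", "OpenSSL 1.0.1e-fips 11 Feb 2013"),
    Host("www.example.com", "internet", "OpenSSL 1.0.1g 7 Apr 2014"),
    Host("intranet.example.com", "internal", "OpenSSL 1.0.1f 6 Jan 2014"),
    Host("legacy.example.com", "internal", "OpenSSL 0.9.8y 5 Feb 2013"),
    Host("build.example.com", "internal", "OpenSSL 1.0.2-beta1 24 Feb 2014"),
    Host("chat.example.com", "internet", "banner not retrieved"),
]

if __name__ == "__main__":
    for name, status, actions in triage(SAMPLE_INVENTORY):
        print(f"{name:24} {status:18} {'; '.join(actions) or '-'}")
```

The sort key puts status before exposure, so an internal host on an affected release ranks above an internet-facing host whose banner could not be read; swap the two key fields if the organisation prefers to chase unknown internet-facing hosts first. The script is deliberately conservative in the other direction too: 1.0.1e on Debian or Red Hat may already carry the backported fix, and only a live test or the package changelog can downgrade that host from "presume_vulnerable".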
Open source software has a reputation for finding and fixing bugs effectively, because its large community of users and developers can spot and deal with security holes. This is commonly known as Linus’ Law: “Given enough eyeballs, all bugs are shallow”. Some have started to question the validity of this principle after the report on Heartbleed.
“The fact that the bug was found, and more importantly, rapidly fixed, actually proved the validity and truism of Linus’ Law,” explained Harish Pillay, Global Head for Community Architecture and Leadership, Red Hat.
“Linus’ Law does not, however, state when bugs will be found, if they will ever be found or even who will fix the bugs. It is not constrained by time or person,” he continued. “One thing stands true - that Linus’ Law has been proven repeatedly over the years. For example, a six-year-old critical Linux kernel bug that was reported in 2004 was fixed in 2010.”
“What I love about the open source community and Red Hat’s role in it specifically, is that we rally together to fix issues as they come up. The tremendous amount of engineering talent in the community enables collaboration which transcends commercial interests and cuts across the entire ecosystem for the well-being of the software we all love and use,” added Pillay. [He answers governments’ queries on trends and misconceptions around open source in another recent article.]
One of the questions raised by this incident is whose responsibility it is to ensure the security of an organisation’s IT infrastructure and software, noted Averia of PhCERT.
“It is costly for government agencies to develop and maintain a testing capability to determine if a piece of software is safe to use. The alternative is to check if the software or hardware has been tested for vulnerability and certified. Governments can also engage other organisations equipped to do the testing,” he said.
“An expensive proposition perhaps, but with the growing use of technologies and increasing dependence on information systems, plus the fact that government agencies amass data about citizens, especially of those who transact with them, such investment may be well worth it,” Averia concluded.