Attack vectors into the law: Heartbleed

Back in 1998, William Stewart wrote a perceptive and forward thinking article in Scots Law Times, advocating the world wide web to solicitors. He correctly identified the web’s future potential as a source of accessing legal information, and as a means of securing and doing business.

He also wryly prophesied future generations’ likely amusement at there ever having been a need to encourage solicitors to “dip their toes” into these new waters. In 2014, however, the need is perhaps more pressing for a revival of reticence, as the Heartbleed bug reminds us just how treacherous these waters can actually be.

In this instalment of the mini-series, we look at the Heartbleed bug, which is likely to have affected every solicitor in Scotland in some capacity. As arguably the most profound security issue the web has faced since its inception, we consider some of the potential consequences, including remedial measures, engaging your clients, and evaluating your information security policies.

What is Heartbleed and why does it matter?

As most will already now know, Heartbleed is a fatal flaw in the OpenSSL system of encryption used to secure about two thirds of the web’s services and sites. It allows hackers to read some of your most sensitive information – secret keys, usernames, passwords, credit card details, etc – straight from the memory of affected web servers.

In a world saturated with intensifiers and hyperbole, it can be difficult to express adequately the significance of Heartbleed. SSL (secure sockets layer) is one of the principal protocols, of secret handshakes and keys, by which interaction with websites is secure. Until now, the familiar padlock symbol has afforded us the assurance that the information we store online is safe.

But this defect, in the most popular implementation of SSL, has entirely undermined such confidence. For fully two years since the bug was introduced, it has been open to cybercriminals to trawl sites using the affected versions of OpenSSL, and have access to potentially any and all secure transactions or information stored thereon.

The list of sites using OpenSSL in this time includes some of the world’s most august – LinkedIn, Twitter, Google and Amazon being just a few. Respected security analyst and Harvard fellow Bruce Shneier phrased it this way: “You have to assume that it’s all compromised. All of it. ‘Catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.”

Am I affected?

It has been glibly remarked elsewhere that if you are alive and use the internet, you’re affected.
Unlike the general public, however, solicitors are vulnerable not only as individuals and commercial actors, but as professionals. Heartbleed creates many avenues – primary and secondary – by which confidential client information may be exposed, as well as your own.

Dealing with Heartbleed: your firm or company

1. Check whether you’re affected

If your firm is vulnerable, then your clients are directly vulnerable. Of course, firms will vary in how they attribute responsibility for checking and patching vulnerable systems. It will likely depend on the IT support structures you have in place. But it would be prudent, whatever your personal responsibility, to ensure someone in your firm is doing this.

Addressing this issue at an organisational level will involve the following steps:

(A) List all the secure web services or sites your firm offers or uses. Generally speaking, this is likely to be those that require people to log in because they store private information. Examples would include web-based email, client portals or billing systems, cloud based services, etc.

(B) Check whether they use a vulnerable version of OpenSSL (versions 1.0.1 through 1.0.1f inclusive – older and newer versions are not affected).

Please note: make sure you have permission before using any websites that offer to scan a link you provide. These can be useful, but it has been reported that doing so in the UK may break the letter if not the spirit of Computer Misuse Act 1990.

2. Do the necessary remedial work

If you do find that you have a vulnerable server, it is important to carry out – or have your support staff carry out – remedial work as quickly as possible. If your servers and their support staff are not directly employed by you, it is advisable to have them provide written reports to show that checks and any necessary work have been undertaken.

Addressing this issue at an organisational level will involve the following steps:

(C) Apply the “patch” provided by OpenSSL, which is an update that fixes the bug.

(D) Only after applying the patch, regenerate all encrypted key pairs, revoke and replace all their related certificates, and force all users to renew their passwords on vulnerable systems.

3. Disseminate information/guidance to clients

All organisations face difficult decisions about informing clients of potential security breaches. On the one hand, performing updates as a result of potential security breaches is a standard business reality. On the other, keeping quiet about potential breaches – particularly ones of this magnitude – is likely to be unwise, not only morally and legally, but practically.

If your organisation has found vulnerable client-facing websites or services, such as a client portal where clients can access and pay bills online, you will have to tell your clients to change their passwords. It would be wise to give a clear but moderate explanation why, emphasising the global ubiquity of the issue, and the speed of response.

This is also true if your organisation has found vulnerable websites or services that store client information, but are only used by members of staff. An example of this is a cloud-based case management system. Remember, this is one of the most publicised breaches in history – it’s likely your clients are dealing with this problem too.

Those who find no vulnerable websites or services are, naturally, in the best position, with no need to contact customers. However, as most businesses will be dealing with the problem, getting in touch with clients to let them know you are aware of the issue – and its potential consequences for their own business – may nonetheless be wise.

Dealing with Heartbleed: as a solicitor and private individual

If you are personally vulnerable – as a solicitor or an individual – your clients may be indirectly vulnerable. There is an inevitable degree of overlap between what is required of organisations and individuals, but the differences are important. If your firm deals with its vulnerabilities, but you don’t deal with yours, the latter may render the former null.

As Heartbleed has potentially affected such a large proportion of online services, you have to start from the assumption that any website you’ve ever logged into – or provided confidential information like credit card details to – has been compromised, and so requires you take the requisite remedial steps.

For example, it’s been widely reported that users of Yahoo’s webmail service have been successfully hacked because of Heartbleed. People often re-use passwords, and it tends to be short work to find out who a person works for when you can read their private email. In a few steps the cybercriminal could transition from accessing your personal to accessing your professional data.

As in (A) above, you have to create another list. This time, the focus is broader – encompassing all websites and services you have either undertaken sensitive transactions with, or provided confidential information to, in the course of your personal and professional life. Prioritisation is likely to be key in making this list manageable.

Remember, it’s likely that only websites you log into with your own username and password have the kind of confidential information you couldn’t live with being made public. Of them, a legal forum is likely to be less important than, say, email – unless you use the same password for both. To be entirely confident, try to make your list as comprehensive as possible.

As in (B) above, you will have to check whether these sites have been running a vulnerable version of OpenSSL. This link provides a current list of major online sites and services: mashable.com/2014/04/09/heartbleed-bug-websites-affected/

The personal equivalent of (C) above is to determine whether the sites you have identified as potentially vulnerable have, in fact, applied the security patch. Use the list above or check the company’s customer information.

The personal equivalent of (D) above is to change passwords for any affected sites. However, it is very important not to change a password on a website that has not yet applied the patch. If you change your password before the website you use has fixed the problem, it will persist even afterwards.

Heartbleed’s aftermath: evaluating your practices and policies

Every firm in the modern digital era should have a process for dealing with security risks like Heartbleed. As shocking as it was to discover that so much of the internet was and is vulnerable, it’s not unexpected either. Heartbleed has highlighted how much of the technology underpinning the internet is written by unpaid volunteers and open for all to analyse for security flaws.

Every IT security policy should account for what are referred to as “zero day” attacks. These are attacks that exploit hitherto undocumented vulnerabilities, before systems can be updated or patched. The Heartbleed bug is just one, albeit more famous and profound than most, that has created the scope for such attacks.

To conclude, answering the following questions may help you evaluate and strengthen your firm’s security practices in the wake of the Heartbleed bug. It’s not unwise to apply these to your personal practices either.

(1) How quickly following the discovery of the bug in early April 2014 did your firm become aware of the issue?

(2) How quickly was its gravity and scope identified both for you and your clients?

(3) Do you need to review your firm’s information security “early warning procedures”?

(4) How quickly were you able to identify which systems you run or use were affected, and who was able to effect and responsible for effecting change?

(5) Could you clearly identify the person responsible in your organisation for co-ordinating, reporting on, and communicating its multifarious responses to Heartbleed?