<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Droid Sans";}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
h3
{mso-style-priority:9;
mso-style-link:"Heading 3 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:13.5pt;
font-family:"Droid Sans";
font-weight:bold;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.Heading3Char
{mso-style-name:"Heading 3 Char";
mso-style-priority:9;
mso-style-link:"Heading 3";
font-family:"Droid Sans";
font-weight:bold;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:235747167;
mso-list-template-ids:-773933220;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1
{mso-list-id:494302351;
mso-list-template-ids:-1473877670;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2
{mso-list-id:547768108;
mso-list-template-ids:1125520540;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><a href="https://casecurity.org/2014/04/09/heartbleed-bug-vulnerability-discovery-impact-and-solution/">https://casecurity.org/2014/04/09/heartbleed-bug-vulnerability-discovery-impact-and-solution/</a> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:12.0pt;font-family:"Droid Sans"'>On April 7, 2014, a vulnerability in the OpenSSL cryptographic library was announced to the Internet community. Aptly labeled as the Heartbleed bug, this vulnerability affects OpenSSL versions 1.0.1 through 1.0.1f (inclusive). The Heartbleed bug is not a flaw in the SSL or TLS protocols; rather, it is a flaw in the OpenSSL implementation of the TLS/DTLS heartbeat functionality. The flaw is not related or introduced by publicly trusted certificates and is instead a problem with server software.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:13.5pt;font-family:"Droid Sans"'>Heartbleed Bug Discovery<o:p></o:p></span></b></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:12.0pt;font-family:"Droid Sans"'>The Heartbleed bug was uncovered by a group of security engineers from Codenomicon and Neel Mehta from Google Security. According to The Heartbleed Bug website hosted by Codenomicon:<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><i><span style='font-size:12.0pt;font-family:"Droid Sans"'>“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).</span></i><span style='font-size:12.0pt;font-family:"Droid Sans"'><o:p></o:p></span></p><p class=MsoNormal style='margin-top:7.5pt;mso-margin-bottom-alt:auto'><i><span style='font-size:12.0pt;font-family:"Droid Sans"'>The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”</span></i><span style='font-size:12.0pt;font-family:"Droid Sans"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:12.0pt;font-family:"Droid Sans"'>Software bugs are part of every software release, and most software updates or new versions of software include bug fixes. The features of the Heartbleed bug that make it unique include:<o:p></o:p></span></p><ul type=disc><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo1'><span style='font-size:12.0pt;font-family:"Droid Sans"'>Any Heartbleed-based attacks are not readily traceable. Because the problem has existed for two years, most server operators using a vulnerable version of OpenSSL likely don’t have enough logs/monitoring to determine whether a site was compromised.<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo1'><span style='font-size:12.0pt;font-family:"Droid Sans"'>The potential impact of the Heartbleed bug vulnerability is difficult to measure. The Heartbleed bug was included in the 1.0.1 release of OpenSSL on March 14, 2012 and was included in each additional release through the OpenSSL 1.0.1f release.<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo1'><span style='font-size:12.0pt;font-family:"Droid Sans"'>The Heartbleed attack does not rely on other vulnerabilities to compromise a site. Often, attacks necessitate that the attacker first exploit a weak security practice to get a foothold in a system. <o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo1'><span style='font-size:12.0pt;font-family:"Droid Sans"'>The internet and security communities pushed OpenSSL 1.0.1 and subsequent releases because they included TLS 1.1 and 1.2 which contained fixes for vulnerabilities to other attacks in TLS 1.0, such as the BEAST (Browser Exploit Against SSL/TLS) attack.<o:p></o:p></span></li></ul><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:12.0pt;font-family:"Droid Sans"'>OpenSSL version 1.0.1 through 1.0.1f and 1.0.2-beta1 are vulnerable to the Heartbleed Bug attack. The <b>OpenSSL version 1.0.1g</b> released yesterday fixes the Heartbleed Bug. Note that earlier versions of OpenSSL <b>branches 1.0.0 and 0.9.8</b> do not include the Heartbleed Bug vulnerability. The <b>1.0.2-beta2 version</b> will contain the fix that is included in <b>OpenSSL version 1.0.1g</b>.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:13.5pt;font-family:"Droid Sans"'>Heartbleed Bug Impact<o:p></o:p></span></b></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:12.0pt;font-family:"Droid Sans"'>If the servers in your SSL environment do not use OpenSSL, if your servers use OpenSSL 1.0.0 or earlier, if your servers do not use OpenSSL 1.0.2-beta1, or if your servers are compiled without the heartbeat extension enabled, then your environment is not vulnerable to the Heartbleed Bug attack.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:12.0pt;font-family:"Droid Sans"'>However, if your servers are running an OpenSSL version 1.0.1 through 1.0.1f with the heartbeat extension enabled, then your environment is vulnerable to a Heartbleed Bug attack. Although no Heartbleed Bug attacks have been documented, it is impossible to know if the Heartbleed Bug vulnerability has been exploited because the attack does not leave a trace. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:13.5pt;font-family:"Droid Sans"'>Solutions<o:p></o:p></span></b></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:12.0pt;font-family:"Droid Sans"'>If your servers are running OpenSSL versions 1.0.1 through 1.0.1f with the heartbeat extension enabled, you should take the following actions as soon and as quickly as possible to mitigate any possible damage:<o:p></o:p></span></p><ol start=1 type=1><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo2'><span style='font-size:12.0pt;font-family:"Droid Sans"'>Upgrade your server to the latest version of OpenSSL (version 1.0.1g or later).<o:p></o:p></span></li></ol><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'><span style='font-size:12.0pt;font-family:"Droid Sans"'>Check your package manager for an updated OpenSSL package and install it.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'><span style='font-size:12.0pt;font-family:"Droid Sans"'>If you do not have an updated OpenSSL package, contact your Service Provider to obtain the latest version of OpenSSL.<o:p></o:p></span></p><ol start=2 type=1><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo2'><span style='font-size:12.0pt;font-family:"Droid Sans"'>Rekey, reissue, and then revoke all certificates used with the vulnerable version of OpenSSL.<o:p></o:p></span></li></ol><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:13.5pt;font-family:"Droid Sans"'>To Upgrade Your Server<o:p></o:p></span></b></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:12.0pt;font-family:"Droid Sans"'>Check your package manager for an updated OpenSSL package and install it. If you do not have an updated OpenSSL package, contact your Service Provider to obtain the latest version of OpenSSL and install it.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:12.0pt;font-family:"Droid Sans"'>Workarounds</span></b><span style='font-size:12.0pt;font-family:"Droid Sans"'><o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:12.0pt;font-family:"Droid Sans"'>Only use these workarounds if you cannot upgrade to the latest version of OpenSSL. If you are unable to upgrade to the latest OpenSSL version, do one of the following:<o:p></o:p></span></p><ul type=disc><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo3'><span style='font-size:12.0pt;font-family:"Droid Sans"'>Rollback to OpenSSL version 1.0.0 or earlier.<o:p></o:p></span></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo3'><span style='font-size:12.0pt;font-family:"Droid Sans"'>Recompile OpenSSL with the OPENSSL_NO_HEARTBEATS flag.<o:p></o:p></span></li></ul><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:13.5pt;font-family:"Droid Sans"'>To Rekey Your Certificates<o:p></o:p></span></b></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:12.0pt;font-family:"Droid Sans"'>Once the server has been patched, we recommend that you replace your certificate with a new one using a new key pair, an operation commonly referred to as a ‘rekey’. To do this, you will need to generate a new CSR and submit it to your CA so that they can reissue the certificate. Your CA can help you generate the CSR and provide additional information about rekeying your certificate. You should confirm with your CA that the old certificate is revoked once you’ve installed the new one on your server.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:12.0pt;font-family:"Droid Sans"'>Although the chance of an attacker obtaining a private key through Heartbleed is unlikely, rekeying is a good precaution given the sensitive nature of the information. We encourage any server operator affected by the vulnerability to consult with their CA if they have questions about the potential impact and risks. <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:13.5pt;font-family:"Droid Sans"'>Other Suggestions<o:p></o:p></span></b></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:12.0pt;font-family:"Droid Sans"'>In addition to replacing affected private keys, server operators should encourage users to change any passwords possibly leaked through the vulnerability. Periodically changing passwords is a good security practice, and this vulnerability gives system administrators a launching point to affect change within their infrastructure. Of course, passwords should be changed after the vulnerability is patched on the server to avoid leaking the new password.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:12.0pt;font-family:"Droid Sans"'>We encourage all users to use different passwords for various sites. Using multiple passwords ensures that a compromise of account with one site will not lead to a compromise of multiple accounts associated with the same email or username.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:13.5pt;font-family:"Droid Sans"'>Summary<o:p></o:p></span></b></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:12.0pt;font-family:"Droid Sans"'>Again, this vulnerability is not a flaw related to the protocols or the use of digital certificates. Instead, the flaw is a result of a bug in the open source program. Although this is a severe failure by the software developers to detect a major vulnerability, CASC encourages industry participants to focus on ways to prevent a reoccurrence of similar problems rather than blamestorming. The CASC members fully support the initiatives to remedy this vulnerability and look forward to working with the non-CA community in ensuring a safe and secure Internet.<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>