Heartbleed, the OpenSSL vulnerability that was made public a couple of weeks ago, has shaken up the web hosting world.
Since then, service providers have kept busy educating customers on the vulnerability, upgrading OpenSSL versions on affected servers, and revoking and reissuing SSL certificates since Heartbleed can be used to extract a server’s private key.
“Heartbleed is a pretty bad thing. It’s serious and needs to be attended to. Companies can’t just think it is going to go away. It’s a critical part of web deliverability and needs to be fixed,” Marc Gaffan, co-founder of Incapsula, and VP of marketing and business development says.
Incapsula is a security and CDN provider that was acquired by Imperva at the beginning of 2014 after growing more than 400 percent in 2013 and reaching 70 employees. Specific areas of focus for the company includes web security, acceleration and DDoS.
Gaffan says fixing the Heartbleed vulnerability is a two-step process and is fairly simple “if you know how to do it and you’ve got the resources to do it.”
“It’s a two-step process: one is to patch your infrastructure and make sure your infrastructure is no longer vulnerable to the exploit,” he says. “The second is to take a precautionary measure and replace your certificates just in case the certificates were compromised during the long span of time in which the vulnerability existed, which was about two years.”
Netcraft estimates that of the 800,000 HTTPS-enabled sites vulnerable to Heartbleed, only 80,000 have revoked and replaced their old SSL certificates.
“For certain organizations of certain sizes, especially SMBs, this can be a pretty complex effort. They often don’t know how to patch their infrastructure, they rely on a third-party provider, they don’t know much about Linux distributions and how to recompile things, and they need to go to their service providers in order to help them out. I think that service providers that cater to this market need to be very proactive and really need to do the heavy-lifting for their customers,” Gaffan says.
Gaffan says it is important for users to “follow the same path through which they obtained the certificate.” That means if a customer bought their SSL certificate through their host, they have to go back to the host and get them to reissue the certificate. If the certificate was obtained through the certificate authority, then that is the entity that can reissue the certificate for the customer.
“Often what will happen with a hosting provider is that when a customer gets infected or hacked the first entity they go to is the hosting provider,” Gaffan says. “Often it represents a revenue stream for the hosting provider, but often it doesn’t because it’s a hassle. They’ve got to reinstall the entire stack sometimes because you never know where the infection started and where it’s ended. Their customers incur downtime and don’t know often that this was something that was not the responsibility of the hosting provider. They come to the hosting provider and say, ‘Hey, how come my website was hacked? You told me your infrastructure was secure.’”
“The infrastructure was secure, they’ve done everything they needed to, but they’re not responsible for the application. They get thrown under the bus for something that is not their responsibility but the end users don’t know where the responsibility lies,” Gaffan says.
Heartbleed isn’t the only security concern for end-users and their hosting providers.
“Heartbleed was very publicized but there’s these types of vulnerabilities are happening every single day of the week. It could be a WordPress vulnerability or a Joomla vulnerability or an Apache vulnerability. These are all being discovered and affect different customer bases. Working with a security provider like us gives the hosting provider some level of confidence that they don’t have to deal with it. We’re dealing with it on a massive, massive scale.”
Aside from Heartbleed, DDoS attacks are still a major concern for hosting providers, and will continue to be an area of frustration for providers who are not prepared to deal with the growing complexity and sophistication.
“Putting Heartbleed aside, the DDoS phenomenon is something that is going ballistic. The attacks are getting bigger and more sophisticated,” Gaffan says. “Attacks are becoming more sophisticated. We know that most often attacks are a multi-vector attack. It’s not just a single DDoS attack, it’s a combination of multiple vectors.”
“Security researchers are drawing analogies between specific DDoS attacks and advanced persistent threats; it’s an ongoing battle over the course of weeks sometimes between the attackers and the defenders in trying to outsmart each other. We’re seeing a lot of that,” he says.
Another trend Incapsula is seeing are hackers trying to blackmail fairly big companies.
“We’re seeing very simple ransom and blackmail. Ransom notes for our customers, some of these ransom fees are actually pretty funny. We’re talking about $300 to $700 for some pretty large companies,” Gaffan says. “Our assumption around this is the attacker is actually trying to stay under the radar. If you make the ransom small enough someone at an organization may just say, ‘If there is a 10 percent chance this will go away by paying $300 or $500 to the attacker let’s just do it.’ Obviously falling to extortion is not the best approach because it’s starts off as $500 but you never know where it’s going to end off.”