Tag Archives: Heartbleed

The PI Meeting Rewind

This week, May 12-14, the SWAMP hosted a Principal Investigators Meeting at the Morgridge Institute for Research in Madison, WI. Over 30 attendees from across the country gathered to share their most recent developments. Each day featured a rousing discussion pertaining to continuous software assurance and secure coding, including topics like Heartbleed, the state of software assurance, and collaborating with the SWAMP.

Check out #SwAssurance for Tweets from the event, or download slides from the sessions.

Analysis of the Heartbleed Vulnerability

In response to the recent Heartbleed vulnerability, James A. Kupsch and Barton P. Miller of the University of Wisconsin analyzed the problematic sections of the OpenSSL code and how it challenged the capabilities of software assurance tools. Read their full analysis here, and learn how the SWAMP can be used to reduce the likelihood of such events in the future.

Citation information for the white paper is below.

MLA: Kupsch, James A., and Miller, Barton P. “Why Do Software Assurance Tools Have Problems Finding Bugs Like Heartbleed?” Continuous Software Assurance Marketplace, 22 Apr. 2014. Web. <https://www.swampinabox.org/doc/SWAMP-WP003-Heartbleed.pdf>

APA: Kupsch, J.A., & Miller, B.P. (2014, April 22). Why Do Software Assurance Tools Have Problems Finding Bugs Like Heartbleed? [PDF file]. Continuous Software Assurance Marketplace. Retrieved from https://www.swampinabox.org/doc/SWAMP-WP003-Heartbleed.pdf

SWAMP Security Notification: Critical Bug, Please Change Your Password

Greetings SWAMP User,

On April 7th, 2014 a critical bug (“Heartbleed”) in the widely used OpenSSL security software was announced. This impacts about half of the Internet’s secure web servers, including the SWAMP. While the time between the announcement and the SWAMP patching its infrastructure was short, and we have no indication that anyone’s password was compromised, it is still theoretically possible. As such, we are strongly advising all SWAMP users to change their passwords.

You can change your password by logging into the SWAMP at https://www.mir-swamp.org (*) and then selecting “My Account”, “Edit Profile” and “Change Password”.

(*) Ideally you should have the SWAMP bookmarked so you don’t have to click on a link in email, which could be a phishing attempt.

Please choose a unique password for the SWAMP that is not used on other sites. You will find that using a secure password manager such as LastPass, Keepass or 1Password will aid in choosing a unique and strong password for each website you use.

== What We Have Done ==

The SWAMP team has reviewed this bug thoroughly and properly patched our web servers with the fixed version of OpenSSL. We have also regenerated our SSL certificate as a precaution in the case that the old one was compromised. For details, please see:

https://continuousassurance.org/blog/2014/04/09/openssl-heartbleed-cve-2014-0160/
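As an added example of the kind of check an operator would run after a patch like the one described above (this is not the SWAMP team's code or part of the notice), the script below classifies an `openssl version` banner against the upstream release range affected by CVE-2014-0160. The sample banners are constructed; the caveat in the comments about distribution backports is why the result is a triage signal rather than proof of exposure.

```python
"""Added example: triage an OpenSSL version banner for CVE-2014-0160 (Heartbleed)."""
import re
import subprocess

# Upstream OpenSSL releases that carried the vulnerable TLS heartbeat
# handling: 1.0.1 through 1.0.1f, and 1.0.2-beta1. Releases 1.0.1g and
# 1.0.2-beta2 shipped the fix. The 0.9.8 and 1.0.0 branches never
# implemented the heartbeat extension and were not affected.
#
# Caveat: distributions that backported the fix (e.g. a rebuilt 1.0.1e
# package) keep the upstream banner, so a "vulnerable" result from this
# script means "needs review against the package changelog and the
# 'built on:' date from `openssl version -b`", not "confirmed exposed".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter, beta) parsed from a version banner."""
    m = _VERSION_RE.search(banner)
    if m is None:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    letter = m.group(4)                       # "" for a plain x.y.z release
    beta = int(m.group(5)) if m.group(5) else None
    return major, minor, patch, letter, beta


def is_heartbleed_affected(banner):
    """True if the banner names an upstream release in the affected range."""
    major, minor, patch, letter, beta = parse_openssl_version(banner)
    if (major, minor, patch) == (1, 0, 1):
        # plain "1.0.1" (letter == "") through "1.0.1f" are affected; "g" and later fixed
        return letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        return beta == 1                      # only 1.0.2-beta1 was affected
    return False


def classify(banner):
    """Map a banner to a short status string suitable for an inventory report."""
    major, minor, patch, _, _ = parse_openssl_version(banner)
    if is_heartbleed_affected(banner):
        return "vulnerable"
    if (major, minor, patch) in ((1, 0, 1), (1, 0, 2)):
        return "fixed"
    return "not-affected-branch"


def check_local_openssl():
    """Classify the locally installed openssl; None if no openssl binary is present."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.strip(), classify(out)


# Constructed sample banners, in the format `openssl version` prints.
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1f 6 Jan 2014",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "OpenSSL 1.0.0l 6 Jan 2014",
    "OpenSSL 0.9.8y 5 Feb 2013",
    "OpenSSL 3.0.2 15 Mar 2022",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print("%-35s %s" % (b, classify(b)))
    local = check_local_openssl()
    print("local:", local if local else "openssl not found on PATH")
```

The version check is deliberately separate from `check_local_openssl()` so the same classifier can be run over an inventory of banners collected from many hosts; pair it with the package manager's changelog before declaring any host clean.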

== Other questions you may have ==

Can you tell me more about this vulnerability?

Please see http://heartbleed.com/

Can the SWAMP be used to find vulnerabilities like Heartbleed?

The SWAMP team will have a blog post on this shortly with more information.

Was there any evidence that data in the SWAMP had been compromised or that my password was seen?

No. However, since the bug may have been exploited before its identification on April 7th without leaving evidence, we are being cautious and strongly advising all SWAMP users to change their passwords.

What if I didn’t log on to the SWAMP website during the exploitation window?

If you have logged into the SWAMP at any time, there is the possibility that your password was still in memory during the exploitation window, thus we feel that everyone should change their password. Also, since the vulnerability existed for about 2 years prior to its discovery, it is possible that unknown parties have been using it.

Would the strength of my password matter? 

The strength of your password is an important part of keeping your account secure from attackers; however, in this case the password would have been viewable in clear text directly, and its strength would not matter.

I already use a secure password manager, would that help?

No, a secure password manager like LastPass helps you to manage your many passwords on your computer, but it does nothing to protect your password on a server.

Would two-factor authentication improve security?

Two-factor authentication would indeed help protect accounts by requiring more than just knowledge of the plain-text password.

Are my SSH keys compromised?

No. Although SSH uses OpenSSL libraries to generate keys, this bug only affects the SSL/TLS protocol, which SSH does not use for authentication or transmission of data.

If you have any other questions, please feel free to contact SWAMP staff at support@continuousassurance.org

Thank you for your time,

SWAMP Security Team