The OpenSSL Vulnerability – What Is It and What Can Be Done?
OpenSSL underpins much of the secure communication on the internet, and it has a major vulnerability. We talk about what OpenSSL does and how you can protect yourself from this and similar problems.
Episode Resources:
- Resilience Cybersecurity & Data Privacy
- M-Trends 2022: Mandiant Special Report – Mandiant
- Effectively Preparing for the OpenSSL 3.x Vulnerability – Akamai Security
- Time is Ticking on a New OpenSSL Vulnerability – IT Security Guru
- Even the Most Advanced Threats Rely on Unpatched Systems – The Hacker News
- Understanding the Impact of Apache Log4j Vulnerability – Google Security Blog
- The US is readying sanctions against Russia over the SolarWinds cyber attack – The Business Insider
- Determining “Need to share vs. Need to know” is a Cornerstone of a Data Protection Strategy – Imperva
Episode Transcript
Brian: Hey, welcome, everybody, and thank you for joining us on the Fearless Paranoia podcast. I am Brian, the cybersecurity attorney. He is Ryan, the cybersecurity engineer and architect. We are here, the two of us, to help you unwind, decrypt and demystify the complex and complicated world of cybersecurity. So just prior to this episode, we were discussing some of the questions about what’s going on in the cybersecurity world in general, and one of the interesting topics that’s come up is a vulnerability in the OpenSSL system. I’ve only read a limited amount about this. But Ryan, can you help us out: first, what is OpenSSL, and then help us understand what kind of vulnerability this is, how this might impact a small business or an individual, and what can be done to mitigate any potential problems before they become a disaster?
Ryan: You know, I’ll be honest with you, I haven’t dug into the details of this one yet. But what OpenSSL is, effectively, is a technology that is used to secure traffic. So SSL, Secure Sockets Layer, is kind of a tie-in of that traffic and encryption. So a vulnerability at this level would allow something like the ability to potentially decrypt encrypted traffic. And we all understand the potential complications: if somebody were to get hold of the ability to sit man-in-the-middle and decrypt traffic, effectively they can see everything going in and out of any particular point that they’ve got compromised.
Brian: It’s like they’d essentially be the operator in the old 1920s, 1930s telephone network. Actually, that’s not even the best true example. The best true example of that would be Stanton, the Secretary of War that Lincoln had during the Civil War. And if you really want to look at a historical period of the absolute evisceration of the concept of civil liberties, and this is coming from someone who believes the correct side won that war and most of the things that were done to win that war were justified: Stanton had every single telegraph line in the United States rewired through his office. Every telegram sent in the US was transcribed by his office, and he could see it. Now, I would imagine that even back in the early 1860s, that traffic was such that it wasn’t easy for him to simply read everything. But given the amount of money that was being spent, I guarantee he had a staff that, in addition to the one that was actually an army, was like an army in its size, able to parse through all of these messages. That’s what this would be. You’d basically be sitting there; you wouldn’t even necessarily have to take control of anything, you would simply get to read everything.
Ryan: I mean, you know, there’s always better ways to kind of sit in the middle of traffic and listen, at basic or at really intense levels. But traffic has become mostly encrypted nowadays, especially web traffic, being one of the most primary; that’s kind of been that huge push to HTTPS, just to make sure that we avoid using unencrypted traffic wherever we can, at least where it matters. And because of that push, it’s become harder to just sit around and listen. Now you have to find a way to compromise the traffic either before it hits encryption, or find a way to reverse that. And so the other big problem with…
Brian: A VPN, I would think, is a way to even add security to that.
Ryan: I mean, that’s one more layer of encryption, right? So any way that you can make sure that your traffic is encrypted before it leaves your host or leaves your application, the better off you’re gonna be, because again, all it takes is for someone to get in the middle of those two points for that to occur and become a problem. And OpenSSL is used by so many different developers, programs, etc. It’s been baked into tons of things. It’s a huge open-source package. That’s one of the reasons why something at this level becomes this big of a problem, because now you’re effectively reliant on the developers of all the software that has used this library to go back and release new updates for their software. And then you rely on the users to get those updates, whether you push them or not. If it’s a home user and they’ve got auto-updates on, they might be okay. If they don’t, it comes down to their own personal hygiene, and for most people on their own systems, that’s probably not great.
Brian: There are gonna be a lot of vulnerable thermostats. Yeah.
Ryan: Potentially. Yeah. It all kind of depends what packages you’re using. If you’ve got OpenSSL in there, it’s definitely something to take a look at. But you know, you’ve got a lot of software that’s still in use nowadays where the developer has gone out of business and people aren’t getting updates for it, but they still have that piece of software and they’re using it, and that will just be effectively vulnerable for a while. You know, it all depends on if somebody could find a way to exploit it. So again, if it’s not like a publicly available service or something, they’re gonna have to find a way to get into the PC, but…
Brian: That’s one of the things in the audits that I put together. Included there is the listing of primary software that is used by a company, because one of the big things that I look at is: is your software still supported, and if it is still supported, does it have an anticipated end date? Has the company that is supporting it published a date where they are going to discontinue publication? I mean, I hate to suggest that you should only use massive enterprise software, because I think that some of the best innovations you’re going to get are going to come from companies that aren’t controlling the market, because they have a vested interest in keeping innovation limited. But the bottom line is, those big enterprise systems know how to keep their stuff patched and know how to list when their systems aren’t going to be maintained anymore. Microsoft XP probably has to be the best example that I can think of, of a hugely popular and widely used system that Microsoft supported with security updates for a decade. And they announced, like two years before their support ceased, that it was going to no longer be supported. And then they kept sending out notifications, letting people know. They even extended its support date, I think, by a full year. And then still, I think one of the unpatched, still-in-use versions of XP was one of the biggest targets of one of the Petya, NotPetya, WannaCry ransomware attacks a year after the support ended. So you need to know what your system software runs on.
Ryan: Oh, and keep in mind too, like, we have a much different digital culture here in the United States than you’ll find in a lot of other parts of the world. So when you start to get into some of the not-as-westernized countries, you’ve got some slightly more aged digital infrastructure. So they’ve already got slower speeds and things like that, but they tend to sit a little bit further behind on systems too, and people will run a computer a lot longer. You know, over here, you’ve got people buying a new iPhone day one every time a new version of it comes out, regardless of how many dollars are involved in that transaction.
Brian: And if you do that, by the way, you can send some of your dollars my way. That’s perfectly fine.
Ryan: Better than buying another iPhone. It’s not necessary.
Brian: You’re listening to the Fearless Paranoia podcast. We’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and me to break down in an episode, send us an email at info@fearlessparanoia.com or reach out to us on Facebook or Twitter. For more information about today’s episode, be sure to check out FearlessParanoia.com. You’ll find a post for this episode containing links to all the sources and research information that we have cited to you. And also check out our older posts and podcasts, as well as additional helpful resources for learning about cybersecurity. Now, back to the show.
Ryan: Yeah, there’s a lot of aging infrastructure; there’s a lot of people that don’t want to buy a new computer. And the only time they’re ever going to update an operating system is when they buy a new computer, because, you know, it was a different culture back in the day. Everything was just used, and you used it until you ran it into the ground, until it was done. And they just kind of treat computers the same way. I’ve done it numerous times, but I tend to keep my things up to date, just by nature of the job and the hobby. But a lot of people don’t. I like the fact that the default in most operating systems nowadays is to enable auto-updates wherever they can, and I think that that’s a good habit, even if it can cause some complications and some problems here and there. It’s better to do it than not, just because of how bad some of these threats have gotten to be nowadays. So I don’t know, we’ll have to see if OpenSSL is going to be as big of a deal as something like Log4j was. I don’t think it probably will be; it sounds like it’s getting patched really aggressively. Log4j did too, though, and then it had to be patched like seven, eight more times before they finally got to put that one to rest.
Brian: And it also seemed like with Log4j, when the vulnerability was announced… it seems to me, and I’ve read very little on it as well, but the OpenSSL thing is something that they can fix at the OpenSSL level, whereas the Log4j thing was something that had to be fixed by every software developer who used that particular logging system.
Ryan: Yeah, and it’s still going to take some adaptation. And so we’ll have to see how it all ends up playing out. I don’t think it’ll be Log4j. I think Log4j was, hopefully, the ugly one. You say that coming off the back end of SolarWinds and some of the supply chain stuff, which was also scary enough. And so, somebody gets Windows updates someday, we’re all scared for a while. But again, they have good security controls in place, and that’s a big thing.
Brian: You’re listening to the Fearless Paranoia podcast. For more information on keeping yourself, your family and your company protected against cyber threats, check out the Resilience Cybersecurity and Data Privacy blog. If you’re enjoying this podcast, please like and subscribe using any of your favorite podcast platforms.
Brian: Yeah, of course. I definitely think we want to come back in the future and have a more in-depth discussion of Log4j and all the problems that it caused, just to help everyone understand what a situation like that can really create. But we don’t have time to go into a full-length discussion on it. But I’d like to know what, in your mind, is important to bear in mind, or what is the important takeaway for small businesses out there who may be hearing about the OpenSSL thing and not knowing what specific fix they can make, but what general things they ought to have in place for issues like this.
Ryan: It comes down to least privilege, good security controls and tight security controls, well monitored. But yeah, we’ll touch a lot more on that.
Brian: Basically keeping a day and a half ahead of the hackers. Basically, if you can do that, you’re lucky. Yeah, well, unfortunately, we have run out of time this week on Fearless Paranoia to talk about this particular show. Tune in next week; we are going to have a much more in-depth conversation about this concept of least privilege and making sure that you have limited people’s access sufficiently to only what they need for their jobs, in order to make sure that your business is kept safe. We want to thank you for listening to the Fearless Paranoia podcast. Don’t forget to subscribe to us on your favorite podcasting apps and subscription systems. You can visit us at FearlessParanoia.com to get any of the information contained in this episode. And if you have any questions, comments or topics you’d like us to discuss, you can reach us at any of our social media sites and our website, or by email at info@fearlessparanoia.com. For Ryan, the cybersecurity engineer and architect, I am Brian, cybersecurity attorney. Thanks for joining, and we’ll see you next week.
©2022 Fearless Paranoia