80 likes | 279 Views
Heartbleed and its consequences. Stefan Lüders CERN Computer Security Officer ACCU 20140603. The OpenSSL vulnerability. “ On a scale of 1 to 10, this is an 11 ” (Bruce Schneier )
E N D
Heartbleed and itsconsequences Stefan LüdersCERN Computer Security Officer ACCU 20140603
The OpenSSL vulnerability • “On a scale of 1 to 10, this is an 11” (Bruce Schneier) • (2014/04/08) Extracting first 64kB from memory including secrets: https://www.openssl.org/news/secadv_20140407.txt • Affected: OpenSSL v1.0.2-beta[1], 1.0.1[a-f], SLC6 • Many sites outside CERN are affected: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected • Some clients are affected (NOT: Windows, OSX, iOS, FF, Chrome) • 1266+ servers at CERN (64% splunkd, 24% web servers) • 73 with firewall openings to the Internet • Not affected: CERN SSO, Mail, LXPLUS, SLC5, most CERN web sites, CERN Eduroam
Balancing Risks and Consequences • Exploits of Heartbleed haven’t been seen yet. • Still, we cannot exclude that CERN password (hashes) were not exposed. • Thus, all passwords of CERN primary and secondary had to be changed as a preventive measure. • CERN lightweight accounts, the EDH signature password, DB accounts acceptably safe. No further action needed. • Service account passwords recommended to be changed(66% did). • Time window: April 14th to May 26th
Password Reset Campaign • All affected account owners notified once or twice per e-mail. • Additional announcements in the Bulletin, ITUM, DHs, entrance panels, Windows PC screens, SSB, SSO portal: • ~1000 accounts of CERN staff & students blocked (May 13th-20th) • ~2000 passwords to be changed at next login(CERN SSO portal, Windows PC, WTS or LXPLUS) (May 26th-27th)
Thank you! …for helping keeping CERN save & secure.