August 20, 2014 | DevOps | Kevin O'Brien
Heartbleed – Conjur’s Response
Earlier this week, news of the massive data breach (~4.5 million records) that hit Community Health Services rippled across the news. The implications are significant: while it is not believed that any healthcare data specifically was taken, the information stolen did constitute PHI, with social security numbers, home phone numbers and addresses, and patient names all stolen. Under HIPAA – a topic we have covered before from a compliance perspective – each of those patients can sue CHS individually; the legal and financial fallout will be complicated and lengthy at best.
Today, Bloomberg is reporting that it appears that this hack was not exclusively the domain of malware, as previously stated. Instead, it appears to have been the result of a specific Heartbleed-related attack.
Citing from the report released this morning: “‘We never had any tangible proof of an attack until now,’ said David Kennedy, founder of TrustedSec LLC, a security consulting company based in Cleveland, Ohio, who first reported Heartbleed was used to attack Community Health on his company’s website. […] The Chinese hackers exploited the Heartbleed flaw to steal user names and passwords to access one of the company’s private communications channels, Kennedy said. The incursion happened about a week after Heartbleed was made public and before Community Health altered its security to reduce its vulnerability, Kennedy said.”
What’s particularly troubling is the speed with which the attack happened; CHS took the appropriate steps, revoking their SSL keys and issuing new ones, but the time window between the announcement of the vulnerability and the response was wide enough for the criminals to get in, steal data, and get out before the mitigation was complete.
Many vendors in the security space will attempt to make hay from this hack. However, we believe that Conjur specifically solves this type of problem: had CHS “conjurized” their SSL keys, revoking and changing them would have been a process that could have been completed in minutes, not days or weeks. This is, in fact, exactly how many of our customers are approaching their infrastructure moving forward, precisely to avoid this kind of massive vulnerability and failure.
Don’t fall victim to the next Heartbleed attack. If your infrastructure exists in a regulated industry, or if you’re storing secrets (including SSL certs) in places like git, Puppet, Chef, or Docker images, we can help provide a more automated authz solution, and we can and will find a way to work with your DevOps team to do so. The stakes are simply too high, and too many of these hacks and breaches are occurring to leave the problem unmanaged.
The link below leads to a technical overview of the Conjur platform; if you’re interested in getting your hands on a free trial of Conjur and exploring how it can help with secrets management, drop us a line at [email protected]