Tuesday, April 15, 2014

Heartbleed Bug and OpenSSL: Everything you need to know


The Heartbleed bug has raised eyebrows among users across the globe, and security advocates have questioned governments and social media companies about their data security. Here’s everything you need to know.
On 13 Apr 2014
The Heartbleed bug has set the World Wide Web afire this week, with many sites and users rushing to change passwords and protect themselves against what is widely considered the most serious attack on the Internet in its history. We here at Inferse want to answer the questions you may have about Heartbleed, explain the reason behind the Web hysteria, and provide some counsel on what you can do in light of the facts presented here.

OpenSSL: The mother of all vulnerabilities

What is OpenSSL? OpenSSL is the name of a project started in 1998 to encrypt websites and user information across the Web. The “SSL” in “OpenSSL” stands for Secure Sockets Layer (the predecessor of Transport Layer Security, or TLS), and OpenSSL is an open-source project (meaning any programmer can work on it) designed to prevent hackers from retrieving personal data that users submit to a website (such as a banking, shopping, or digital content site). Eric Young is responsible for the eventual establishment of OpenSSL, since he started what ultimately became SSL software back in the 1990s. OpenSSL is an important undertaking: without it, the personal information we submit to every website we use could find its way into the hands of criminals.
Given that OpenSSL exists to prevent the theft of Internet data, you would expect it to be a large, well-funded endeavor; you would not recognize it as one at first glance. Only eleven people currently work on OpenSSL: 46-year-old British cryptographer Dr. Stephen Henson, volunteer Geoffrey Thorpe, two other British volunteers, a German developer, and a few others. Stephen Henson is the only full-time employee on the OpenSSL project. What started as a project committed to data encryption has now become standard on two-thirds of all websites on the Internet.
No wonder, then, that the OpenSSL vulnerability discovered this week is called “Heartbleed”: it strikes at the heart of the most widely relied-upon encryption software known to man.

Heartbleed: Is it a simple Programming Error?

What is Heartbleed? Heartbleed is a bug discovered this week by Codenomicon employees Riku, Antti, and Matti, as well as Google employee Neel Mehta. Heartbleed is essentially a programming error that leaves all forms of Internet data open to hackers. It was introduced into the OpenSSL software library by 31-year-old Robin Seggelmann, a developer from Frankfurt, Germany, who says it was likely introduced while he was working on OpenSSL bug fixes around two years ago. “I was working on improving OpenSSL and submitted numerous bug fixes and added new features. In one of the new features, unfortunately, I missed validating a variable containing a length.” The error was also missed by a reviewer responsible for double-checking the code, “so the error made its way from the development branch into the released version,” Seggelmann said.
It’s interesting to think that a single line of code could open a world of crime and identity theft for millions, but it’s true. Sometimes the smallest things can do a lot of damage. Seggelmann denies that he introduced the programming error intentionally, and his testimony is credible. Why would he introduce a massive programming error while submitting bug fixes to improve OpenSSL at the same time?
While discussion of the Heartbleed bug has focused on hackers attacking servers for user data, the flaw works in the other direction as well: a malicious server can extract personal data from the memory of any vulnerable client that connects to it. In other words, since clients, servers, and ordinary users all exchange data through the same code, data extraction is possible from any of these three parties. A malicious server can do as much damage as a hacker if the Heartbleed bug is left unchecked. Even after a given site has patched the Heartbleed vulnerability, a user running vulnerable client software can still be hit by this “reverse Heartbleed” and have their data exposed.
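To make the “missed validating a variable containing a length” concrete, here is a small C simulation written for this article; it is not OpenSSL’s code and not Inferse’s. A heartbeat request carries a payload length claimed by the peer. The vulnerable handler copies that many bytes into its reply without comparing the claim to the size of the record actually received, so the copy runs past the record into whatever sits next to it in memory; the hardened handler rejects any record whose claimed payload would not fit. The buffer layout, the placeholder “ADJACENT-SECRET” and the function names are constructed for the demonstration, and the simulated memory is sized so the over-read stays inside it. Because the same heartbeat code runs in TLS clients as well as servers, the check matters in both directions, which is the reverse-Heartbleed case above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated TLS heartbeat request as it sits in a receive buffer
 * (layout constructed for this demonstration, after the real message shape):
 *   [0]     message type (1 = request, 2 = response)
 *   [1..2]  16-bit big-endian payload length claimed by the peer
 *   [3..]   payload bytes, then at least 16 bytes of padding
 * rec_len is the number of bytes that actually arrived on the wire. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define MEM_SIZE    64

/* Constructed "process memory": the record occupies the first rec_len bytes;
 * what follows stands in for whatever happened to sit next to it on the heap.
 * "ADJACENT-SECRET" is a placeholder, not real data. */
unsigned char process_mem[MEM_SIZE];
const char *adjacent_secret = "ADJACENT-SECRET";

/* Lays out one request with the given payload and a claimed length chosen by
 * the peer. Returns the real record length. Callers keep claimed_len below
 * MEM_SIZE - 3 so the over-read in the vulnerable handler stays inside the
 * simulated memory and the demo itself has defined behaviour. */
size_t build_memory(uint16_t claimed_len, const char *payload) {
    size_t plen = strlen(payload);
    size_t rec_len = 3 + plen + HB_PADDING;
    memset(process_mem, 0, sizeof process_mem);
    process_mem[0] = HB_REQUEST;
    process_mem[1] = (unsigned char)(claimed_len >> 8);
    process_mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(&process_mem[3], payload, plen);          /* padding stays zero here */
    memcpy(&process_mem[rec_len], adjacent_secret, strlen(adjacent_secret));
    return rec_len;
}

/* Vulnerable handler: the pre-fix pattern. It trusts the claimed length and
 * copies that many payload bytes into the reply without ever comparing it to
 * rec_len, so a claim larger than the record reads past the record into
 * adjacent memory. Returns the number of reply bytes produced. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap) {
    (void)rec_len;                                   /* never consulted: the missing check */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (3 + (size_t)payload_len > out_cap) return -1; /* only the reply buffer is guarded */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(&out[3], &rec[3], payload_len);           /* over-read when the claim exceeds rec_len */
    return 3 + (int)payload_len;
}

/* Hardened handler: the shape of the fix. A record is dropped when the
 * claimed payload plus header and padding would not fit in the bytes that
 * actually arrived. Returns the reply length, or -1 for a rejected record. */
int heartbeat_hardened(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    if (rec_len < 3 + HB_PADDING) return -1;         /* too short for header + padding */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (3 + (size_t)payload_len + HB_PADDING > rec_len) return -1; /* the check that was missing */
    if (3 + (size_t)payload_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(&out[3], &rec[3], payload_len);
    return 3 + (int)payload_len;
}

/* Demo helper: does the reply carry bytes that were never part of the record? */
int reply_leaks_secret(const unsigned char *reply, int reply_len) {
    size_t sl = strlen(adjacent_secret);
    if (reply_len < 0) return 0;
    for (size_t i = 0; i + sl <= (size_t)reply_len; i++)
        if (memcmp(reply + i, adjacent_secret, sl) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char reply[MEM_SIZE + 3];
    /* A 2-byte payload "hi" whose header claims 40 bytes. */
    size_t rec_len = build_memory(40, "hi");
    int v = heartbeat_vulnerable(process_mem, rec_len, reply, sizeof reply);
    printf("record is %zu bytes; vulnerable handler replied with %d bytes, secret leaked: %s\n",
           rec_len, v, reply_leaks_secret(reply, v) ? "yes" : "no");
    int h = heartbeat_hardened(process_mem, rec_len, reply, sizeof reply);
    printf("hardened handler result: %d (-1 = record rejected)\n", h);
    return 0;
}
```

The only difference between the two handlers is the one comparison against rec_len; everything the peer controls (the claimed length) is checked against something the receiver knows for certain (how many bytes actually arrived) before any copy happens.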

Hackers exploited Heartbleed to gather Private Security Keys

Heartbleed is a programming error, but it is exploitable in practice. This was demonstrated by two hackers, Fedor Indutny and Ilkka Mattila, who successfully completed Cloudflare’s public challenge to see whether anyone could steal a server’s private security keys. Cloudflare claimed that its own researchers had tried for two weeks (in vain) to extract the private keys – but one should never underestimate the skills of professional hackers. One of them, Fedor Indutny, posted his victory on Twitter Friday morning for all to see: “Just cracked @CloudFlare’s challenge: cloudflarechallenge.com/heartbleed. I wonder when they’ll update the page.”
Indutny submitted his victory announcement at 4:22:01 PST on April 11th, followed by Ilkka Mattila at 5:12:19 PST, less than an hour later. CloudFlare updated its challenge page to include not just these two hackers but two more: Cambridge University Security Group member and PhD student Rubin Xu at 4:11:09 PST on April 12th, and security researcher Ben Murphy at 7:28:50 PST on the same day.
Since four hackers have now accessed the private security keys and proven CloudFlare wrong about Heartbleed, is this vulnerability as bad as it seems?

Heartbleed: NSA exploited it or not?

The Heartbleed bug is unfortunate enough on its own, but what may be even more shocking is that reports suggest the National Security Agency (NSA) was aware of the Heartbleed bug for at least two years and used it to gather intelligence on certain individuals under the government’s watchful eye. This news only adds fuel to the fire surrounding the NSA’s role in spying on the lives of private American citizens. Edward Snowden is the American credited with revealing the NSA’s improper use of American data and personal information in recent months.
The NSA responded to this claim by saying that it reveals all security risks when discovered and exposed: “Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government wasn’t aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report…This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would’ve been disclosed to the community responsible for OpenSSL.”
However, some reports suggest that President Obama has given the National Security Agency permission to exploit Internet security bugs in some cases.

How countries have reacted

The Federal Financial Institutions Examination Council (FFIEC) advised banks earlier this week regarding the Heartbleed bug and provided some steps necessary to ensure that banking website users are protected in the future. Of the steps provided, the FFIEC advised banks to make vendors who use OpenSSL aware of the Heartbleed vulnerability, upgrade systems with patches against Heartbleed, and then test these new upgrades to ensure that they are working properly.
Of the countries around the world reacting to the Heartbleed bug, Canada has been the most vocal. Canada’s Treasury Board issued a statement, telling Canadian officials to “immediately disable public websites that are running unpatched OpenSSL software. This action is being taken as a precautionary measure until the appropriate security patches are in place and tested.”

Websites prone to this error

What websites are prone to the OpenSSL vulnerability? A partial list (by no means exhaustive) consists of the following:
  • Yahoo
  • AWS
  • Box
  • Dropbox
  • SoundCloud
  • OKCupid
  • Github
  • Minecraft
  • IFTTT
  • Tumblr
  • Pinterest
  • Instagram
  • Facebook
  • 500px
  • Redtube
  • Flickr
  • LastPass
  • Duckduckgo
You can visit the Kaspersky blog to see whether your website, or a website at which you have an account, is affected by the Heartbleed bug. Beyond the sites listed above, also consider any shopping, banking, or other retail sites where you have entered and/or stored your credit card or debit card information, passwords, home address, and so on.

Mobile devices are vulnerable to Heartbleed

When the Heartbleed bug/OpenSSL vulnerability was announced a few days ago, tech analysts and Apple tech writers started blogging about the bug and encouraged users to change their passwords at most of their websites immediately. Fortunately, Apple issued a statement later in the week that should let OS X and iOS users breathe a sigh of relief: Apple’s desktop and mobile operating systems aren’t affected by the OpenSSL vulnerability. An Apple representative said, “Apple takes security very seriously. iOS and OS X never incorporated the vulnerable software and key Web-based services weren’t affected.”
Google’s mobile operating system, Android, is affected by the Heartbleed bug, but only on devices running Android 4.1.1 Jelly Bean. Google supplied this information on its Online Security Blog on Wednesday, April 9th: “All versions of Android are immune to CVE-2014-0160 (with the limited exception of Android 4.1.1, patching information for Android 4.1.1 is being distributed to Android partners).” Android devices running 4.1.2 or higher are in the clear. The latest survey as of last month shows that Android 4.1.x is present on 35.3% of all Android devices, although there is little information on how many of these devices are still running Android 4.1.1. Google’s initiative on this matter is important indeed for the up to 35% of devices potentially affected.

How to protect yourself from the Heartbleed Bug

What can you do to protect yourself from the Heartbleed bug? As has been widely recommended, changing your passwords at most if not all of the sites you use on a regular basis is an excellent idea. At the same time, however, you may be changing your passwords in vain if the website you use doesn’t install the security patch that prevents further attacks in the days and months to come.
What you should know for now is that sites such as Yahoo, CloudFlare, Duckduckgo, Reddit, Launchpad, Netflix, Amazon, Paypal, Adobe, CloudFront, and Github have all issued new SSL certificates for their sites – so these sites should be fine. At the same time, it is reported that nearly 500,000 SSL certificates belonging to affected websites have yet to be replaced.
At this point, the best advice we can provide is to contact the websites to which you have ever provided personal information (financial or otherwise) and ask about the Heartbleed bug and what you can do. Changing your website passwords may be futile right now, but you should contact your websites and find out whether, and when, they intend to issue new SSL certificates. If you hear back and are told that the SSL certificate has been changed, you can then change your usernames and passwords for the sites in question.
As with many things, the most that can be done for now is to either 1) change passwords at affected sites, 2) email the websites important to you and inquire about the Heartbleed bug, or 3) sit and wait. I have a feeling that many of us will change our passwords rather than choose option number three.
