Heartbleed Bug: What is it, Who is handling our security?
By Deidre Richardson on April 19, 2014
The Heartbleed Bug has uncovered the hidden bitter truth about tech companies and the Federal Government. OpenSSL is used by most of the companies like Google, Facebook, Yahoo and Dropbox for online communication and earning billions of dollars. However, Steve Marquess, OpenSSL president revealed the truth in an open letter.
There is only one person Stephen Henson—UK based mathematician— working as a full-time employee for OpenSSL, along with Stephen and few developers, whose total labor amounts to two full-time employees. These employees supervise more than half a million lines of code.
According to Steve, OpenSSL has never received more than $1 million a year and typically receives about $2000 a year in outright donations and sells annual commercial software support contracts worth US$20,000 along with both hourly rate and fixed price “work-for-hire” consulting.
The Open SSL Foundation doesn’t have funds for its staff and is highly ignored by companies. Steve wrote, “These guys don’t work on OpenSSL for money. They don’t do it for fame (who outside of geek circles ever heard of them or OpenSSL until “heartbleed” hit the news?). They do it out of pride in craftsmanship and the responsibility for something they believe in.”
“I’m looking at you, Fortune 1000 companies,” he said.
Let’s take a look at the history of Heartbleed bug, explain the reason behind the Web hysteria, and provide some counsel on what you can do in light of the facts presented here.
OpenSSL: The Mother Of All Vulnerabilities
What is OpenSSL? OpenSSL refers to the name of a 1998 project that was started to encrypt websites and user information across the Web. The “SSL” in “OpenSSL” refers to a Secure Sockets Layer (also known as transport layer security or TLS), and OpenSSL is an open project (meaning any programmer or coder can work on it) that was designed to prevent hackers from retrieving personal data submitted by users to a website (such as a banking, shopping, or digital content website). Eric Young is responsible for the eventual establishment of OpenSSL, seeing that he started what ultimately became SSL software back in the 1990s. OpenSSL is an important undertaking, seeing that, without it, our personal information submitted across every website we hold dear could find its way into the hands of dishonest criminals.
Since OpenSSL is established to prevent hacker theft with internet data, it seems to be an important endeavor; yet and still, you wouldn’t recognize this right away. There are only eleven people currently that work in OpenSSL: 46-year-old British cryptographer Dr. Stephen Henson, volunteer Geoffrey Thorpe, two other British volunteers, a German developer, and a few others. Stephen Henson is the only full-time employee on the OpenSSL project. What started as a project committed to data encryption has now become standard on two-thirds of all websites on the Internet.
No wonder, then, that the OpenSSL vulnerability discovered this week is called “Heartbleed”: as it strikes at the heart of the most data-encrypted entity known to man.
Heartbleed: Is It A Simple Programming Error?
What is Heartbleed? Heartbleed is a bug discovered by Codenomicon employees Riku, Antti, and Matti, as well as Google employee Neel Mehta this week. Heartbleed is essentially a programming error that leaves all forms of Internet data open to hackers. It was introduced into the OpenSSL software library by 31-year-old Robin Seggelmann, a Frankfurt, Germany developer who says that it was likely introduced while he was working on OpenSSL bug fixes around twot years ago. “I was working on improving OpenSSL and submitted numerous bug fixes and added new features. In one of the new features, unfortunately, I missed validating a variable containing a length.” The error was also missed by a reviewer responsible for double-checking the code, “so the error made its way from the development branch into the released version,” Seggelmann said.
It’s interesting to think about how a line of code could open a world of crime and identity theft for millions, but it’s true. Sometimes the smallest items in the world can do a lot of damage. Seggelmann denies that he introduced the programming error intentionally, and his testimony is credible. Why would he introduce a massive programming error while optimizing OpenSSL software against bug fixes at the same time?
While the Heartbleed bug seems focused on user data and hackers, it’s also possible that the server could extract personal user data from any client. In other words, with the greater exchange of data between clients, servers, and normal users, data extraction is possible from any of these three mediums. A malicious server can do as much damage as a hacker if the Heartbleed bug is left unchecked. Even if someone patches up the Heartbleed vulnerability at a given site, one can still experience a reverse Heartbleed vulnerability and still be subject to a data encryption attack.
Hackers Exploited Heartbleed To Gather Private Security Keys
Heartbleed is an error, but it works. This seems to be proven true by two hackers, Fedor Indutny and Ilkka Mattila, who successfully completed Cloudflare’s challenge to hackers to see if anyone could steal the private security keys. Cloudflare claimed that its own researchers tried for two weeks (in vain) to access the private security keys – but one can never underestimate the skills of professional hackers. One of them, Fedor Indutny, posted his victory on Twitter Friday morning for all to see: “Just cracked @CloudFlare’s challenge: cloudflarechallenge.com/heartbleed. I wonder when they’ll update the page.”
Indutny submitted his victory announcement at 4:22:01PST on April 11th, followed by Ilkka Mattila at 5:12:19 PST, less than an hour later. CloudFlare updated its challenge page to include not just these two hackers, but an additional two: Cambridge University Security group member and PhD student Rubin Xu at 4:11:09PST on April 12th, as well as Security researcher Ben Murphy at 7:28:50 PST on the same day.
Since four hackers have now accessed the private security keys and proven CloudFlare wrong about Heartbleed, is this vulnerability as bad as it seems?
Heartbleed: NSA Exploit Or Not?
To learn about Heartbleed bug is unfortunate; but what may be even more shocking or appalling is that reports suggest the National Security Agency (NSA) was aware of the Heartbleed bug for at least two years but used it to gather intelligence on certain individuals under the government’s watchful eye. This news only adds fuel to the fire of the NSA’s role in spying on the lives of private American citizens. Edward Snowden is the American credited with revealing the NSA’s improper use of American data and personal information in recent months.
The NSA responded to this claim by saying that it reveals all security risks when discovered and exposed: “Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government wasn’t aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report…This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would’ve been disclosed to the community responsible for OpenSSL.”
However, some reports suggest that President Obama has given the permission to National Security Agency to exploit Internet security bugs in some cases.
Countries React to The Heartbleed Bug
The Federal Financial Institutions Examination Council (FFIEC) advised banks earlier this week regarding the Heartbleed bug and provided some steps necessary to ensure that banking website users are protected in the future. Of the steps provided, the FFIEC advised banks to make vendors who use OpenSSL aware of the Heartbleed vulnerability, upgrade systems with patches against Heartbleed, and then test these new upgrades to ensure that they are working properly.
Of the countries around the world reacting to the Heartbleed bug, Canada has been the most vocal. Canada’s Treasury Board issued a statement, telling Canadian officials to “immediately disable public websites that are running unpatched OpenSSL software. This action is being taken as a precautionary measure until the appropriate security patches are in place and tested.”
Websites Prone To The Heatbleed Bug
What websites are prone to the OpenSSL vulnerability? A sufficient list (though by no means exhaustive) consists of the following:
You can visit the Kaspersky blog to see if your website or a website in which you’ve an account is affected by the Heartbleed bug. Aside from these, shopping, banking, and other retail sites where you’ve entered and/or stored your personal credit card, debit card information or passwords, geographic address, and so on.
Mobile Devices Are Vulnerable To Heartbleed
When the Heartbleed bug/OpenSSL vulnerability was announced a few days ago, tech analysts and Apple tech writers started blogging about the bug and encouraged users to change their passwords at most of their websites immediately. Fortunately, Apple issued a statement later in the week that should cause OS X and iOS users to breathe a sigh of relief: Apple’s desktop and mobile operating systems aren’t affected by the OpenSSL vulnerability. An Apple representative said “Apple takes security very seriously. IOS and OS X never incorporated the vulnerable software and key Web-based services weren’t affected.”
Google mobile operating system Android is affected by the Heartbleed bug, but only devices running Android 4.1.1 Jelly Bean. Google supplied this information on its Online Security Blog on Wednesday, April 9th: “All versions of Android are immune to CVE-2014-0160 (with the limited exception of Android 4.1.1, patching information for Android 4.1.1 is being distributed to Android partners).” Android devices running 4.1.2 or higher are in the clear. The latest survey as of last month shows that Android 4.1.x is present on 35.3% of all Android devices, although there is little information on how many of these devices are still running Android 4.1.1. Google’s initiative on this matter is important indeed, for the 35% of potentially affected devices.
How To Protect Yourself From The Heartbleed Bug
What can you do to protect yourself from the Heartbleed bug? As has been recommended, changing your passwords at most if not all sites you use on a regular basis is an excellent idea. At the same time, however, you may change your passwords in vain if the website you use doesn’t install some sort of security patch to prevent possible hacker attacks in the days and months to come.
What you should know for now is that sites such as Yahoo, CloudFlare, Duckduckgo, Reddit, Launchpad, Netflix, Amazon, Paypal, Adobe, CloudFront, and Github have all issued new SSL certificates for their sites – so these sites should be fine. At the same time, it is reported that there are still nearly 500,000 or more SSL certificates from affected websites that have yet to be changed.
At this point, the best advice we can provide is to contact websites in which you’ve ever provided personal information (financial or otherwise) and seek to ask questions about the Heartbleed bug as well as what you can do. Changing your website passwords may be futile at this point, but you should contact your websites and see if or when they intend to issue new SSL certificates. If you hear back and are told that the SSL certificate has been changed, you can then change your usernames and passwords for the sites in question.
As with many things, the most that can be done for now is to either 1) change passwords at affected sites, 2) email websites important to you and inquire about the Heartbleed bug, or 3) sit and wait. I’ve a feeling that many of us will likely change our passwords instead of option number three.