13 Questions To Understand The Bug "Heartbleed" Better - A Definitive Guide To Know What Exactly Is The Heartbleed Bug In OpenSSL





What is Heartbleed?

It is one of the most widespread vulnerabilities the internet has seen.
This is one of the biggest flaws today's internet has faced. At the core of Heartbleed are the encryption protocols used in the design of HTTPS: SSL and TLS (Secure Sockets Layer and Transport Layer Security). The toolkit that implements these protocols on much of the web is OpenSSL, an open-source cryptography library. Heartbleed is a flaw in this toolkit, one that neither the human user nor the server-side platform has any clue exists, and which anyone can take advantage of.








When was this discovered?

Around Monday, the 8th of April, 2014. Severe implications for the entire web community were foreseen at once. This bug can leak sensitive user information and personally identifiable information such as usernames, passwords, SSNs, credit card numbers, bank account details and transactions. The bug has been in place since 2011. All it does is expose 64K of data from a piece of the server's memory, but that is enough to steal plenty of personal information and, more importantly, enough to obtain the server's private key and use it to decrypt the rest of the traffic.

Who found the bug first?

This bug was independently discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and by Neel Mehta of Google Security, who first reported it to the OpenSSL team (source: heartbleed.com). Although Heartbleed is not a design bug as such but the result of a simple programming error, Neel Mehta deserves a big thanks for another reason: he donated the $15,000 bounty he received for discovering the bug to the Freedom of the Press Foundation's campaign for the development of better encryption tools. According to the LA Times, "Both teams found that OpenSSL, an open-sourced security encryption program used by 66% of Internet servers, had a flaw that would allow any hacker using a simple script to gain access to a treasure trove of personal information".



Who is responsible for this Heartbleed bug?

According to the Guardian, the programmer behind the flawed code was Robin Seggelmann, who worked on the Heartbeat extension for the OpenSSL project. This extension is an additional feature and not a core part of OpenSSL. And since OpenSSL is an open-source project, one person cannot be blamed.


Nomenclature. Why is it called Heartbleed, and what's the reason behind the nickname?

An engineer at Codenomicon coined it. The technical name, CVE-2014-0160, was assigned to the particular piece of vulnerable code. According to the systems administrator at Codenomicon who coined the term, he simply played on the word 'heartbeat', the name of the extension in the OpenSSL toolkit. Ossi Herrala, the Codenomicon employee, "thought it was fitting to call it Heartbleed because it was bleeding out the important information from the memory". They even went ahead and bought the domain heartbleed.com from a group that had been running it as a music lyrics site, so as to spread word of this security flaw among the IT community, and they are quite happy with the outcome and with how quickly the IT community responded to correct the flaw. Basically, administrators just had to upgrade the OpenSSL toolkit to the latest version to overcome this security flaw.





Why are only some sites affected?

Since the core problem was in the OpenSSL extension called 'Heartbeat', which is the central point of the vulnerability, any website that used this feature was affected. Although OpenSSL is popular, some websites used other SSL/TLS implementations and options. Some websites used an upgraded version or an earlier version of the toolkit, which is why they escaped this vulnerability. A related point, though it does not completely solve the problem at hand: not all companies use PFS, or Perfect Forward Secrecy, a property of key agreement protocols in cryptography. PFS keys are the most secure available today, because PFS ensures that the compromise of a single key permits access only to the data protected by that single key. These keys have a short shelf life, so one key leak will not expose all data.

Am I really affected? Why should I care?

This is not simply another virus or bug that an antivirus on your computer or smartphone can help with. It is a more complicated bug (actually a programming error) in the services you use, such as hosting providers, bank servers and email service providers. Technically speaking, this is not a client-side problem but a server-side issue.

Every user who uses email, browses the internet, conducts business and ecommerce, and every prudent surfer who cares about a secure browsing experience and has signed up for online services, free or paid, should care about this flaw and take corrective measures. More importantly, if you have visited a website over HTTPS in the last few years, trusting that it was secure, then you will surely be interested in learning more about this. As an example, if you are a Gmail, Facebook or Yahoo email user, you had better change your password now; that is the suggested remedy, even from Google.

According to EFF (Electronic Frontier Foundation), this flaw allows an attacker who connects to an HTTPS server running a vulnerable version of OpenSSL to access up to 64KB of private memory space. Doing the attack once can easily cause the server to leak cookies, emails, and passwords. Doing the attack repeatedly can potentially leak entire encryption keys, such as the private SSL keys used to protect HTTPS traffic. If an attacker has access to a website's private SSL key, they can run a fake version of the website and/or steal any information that users send, including passwords, private messages, and credit card numbers. Neither users nor website owners can detect this attack as it happens.
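To make the programming error concrete, here is an added example (not OpenSSL's own code, nor anything from the sources cited on this page) of a heartbeat handler that performs the bounds check the vulnerable versions lacked: it refuses to echo back more bytes than the peer actually sent. The message layout follows RFC 6520; the two sample records are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of a TLS heartbeat message (RFC 6520); not OpenSSL's code.
 *   type (1 byte): 1 = request, 2 = response; payload_length (2 bytes, BE);
 *   payload (payload_length bytes); padding (at least 16 bytes).
 * Heartbleed: the vulnerable handler trusted payload_length from the peer and
 * copied that many bytes into its reply, reading past the much shorter record
 * it had actually received. hb_validate performs the missing check. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Returns the declared payload length if the record really contains it,
 * or -1 when the peer's claim exceeds the bytes received (the Heartbleed
 * condition; RFC 6520 says such a message must be silently discarded). */
int hb_validate(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;               /* header + padding */
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;     /* claimed > received */
    return (int)payload;
}

/* Builds the heartbeat response into out; returns bytes written or -1. Only
 * bytes that were actually received are ever echoed back. */
int hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    int payload = hb_validate(rec, rec_len);
    if (payload < 0 || rec[0] != HB_REQUEST) return -1;
    size_t need = 1 + 2 + (size_t)payload + HB_PADDING;
    if (need > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, (size_t)payload);
    memset(out + 3 + payload, 0, HB_PADDING);  /* real stacks use random padding */
    return (int)need;
}

/* Constructed sample records, not captured traffic. */
static const uint8_t good_req[] = { 0x01, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };   /* 1+2+4+16 = 23 bytes */
static const uint8_t bleed_req[] = { 0x01, 0x40, 0x00, 'p', 'i', 'n', 'g', /* claims 16384 */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
static uint8_t hb_out[64];  /* response buffer for the samples above */
```

The malformed record claims a 16384-byte payload while carrying only four bytes; a checking handler drops it instead of reading 16 KB of whatever happens to sit next to the record in memory.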

How do I know if my bank account was also compromised using this flaw?

Most banks use proprietary encryption software instead of the open source OpenSSL. Still, it's wise to confirm with your bank information security personnel or their website for any press release related to this.



How do I know or check if a website has taken corrective measures or fixed this problem?

Password management companies have come up with ways of testing websites to check whether the flaw has been corrected and whether the site is safe. You can check LastPass to see if the bug has been corrected by websites. There will also be press releases and news from the websites themselves stating that the issues are fixed.
For example, the Canada Revenue Agency has extended the filing deadline for tax returns and promised to resume e-services by the end of the weekend for all federal departments using software vulnerable to the Heartbleed bug (Source: www.cbc.ca).

How do I protect myself against this security flaw?

Keep an eye on your financial statements and bank accounts physically (on paper), not online.
Once you confirm that the bank websites are safeguarded, change your passwords.
Do not log in to any sensitive accounts, such as bank websites and email accounts, until you are sure that the flaw has been corrected.

Which websites need a password change right now?

You can first check which websites were affected and whether they have released a patch. Mashable has collated a fairly extensive list of websites that need a password change. You can check them out here. These are some of the websites that were affected and corrected, so a password change is suggested, though not a must. As Google puts it, better safe than sorry. Of course, keep in mind that the specific website must deploy the patch that corrects the flawed version of OpenSSL; only then does your password change make sense.

What versions of OpenSSL are affected?




OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
The bug was introduced into OpenSSL in December 2011 and has been in the wild since the OpenSSL 1.0.1 release on the 14th of March 2012. OpenSSL 1.0.1g, released on the 7th of April 2014, fixes the bug.
(Source: heartbleed.com)

How widespread is this flaw in the internet sphere?

The most notable software using OpenSSL is the open-source web servers Apache and nginx. The combined market share of just those two among the active sites on the Internet was over 66% according to Netcraft's April 2014 Web Server Survey. Furthermore, OpenSSL is used to protect, for example, email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and a wide variety of client-side software. Fortunately, many large consumer sites are saved by their conservative choice of SSL/TLS termination equipment and software. Ironically, smaller and more progressive services, or those who have upgraded to the latest and best encryption, will be affected most. Furthermore, OpenSSL is very popular in client software and somewhat popular in networked appliances, which have the most inertia in getting updates. (Source: heartbleed.com)





Thanks to whom?

Thanks to Neel Mehta of Google Security for discovering this bug and to Adam Langley <agl at chromium.org> and Bodo Moeller <bmoeller at acm.org> for preparing the fix. (Source: https://www.openssl.org/news/secadv_20140407.txt)

Information collected and posted by Arun Sarathy

Resources (information sources):
http://heartbleed.com/
http://www.cnet.com/news/heartbleed-bug-what-you-need-to-know-faq/
https://www.eff.org/deeplinks/2014/04/why-web-needs-perfect-forward-secrecy
http://www.latimes.com/business/technology/la-fi-tn-how-the-heartbleed-bug-got-its-name-20140410,0,631939.story#axzz2ykahqqH2
http://gigaom.com/2014/04/08/heres-everything-you-need-to-know-about-the-heartbleed-web-security-flaw/
http://www.slate.com/blogs/future_tense/2014/04/08/heartbleed_openssl_encryption_bug_discovered_by_codenomicon_and_neel_mehta.html
http://www.dailydot.com/news/heartbleed-neel-mehta-freedom-press-foundation-encryption/
http://www.geekwire.com/2014/amazon-facebook-google-others-deploy-fixes-heartbleed-bug/
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
http://money.cnn.com/2014/04/09/technology/security/heartbleed-bug/
http://www.theregister.co.uk/2014/04/08/aws_heartbleed/
