Over Easy: The Heartbleed OpenSSL Bug
The OpenSSL security bug known as Heartbleed was a huge technology failure that has opened the door to criminal hackers — and probably the NSA, though they’ve vehemently denied knowing about it.
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 [public key] certificates, user names and passwords, instant messages, emails and business critical documents and communication.
As of 2014, two-thirds of all web servers use OpenSSL. But its project management team is made up of 4 people, and the entire group has only 11 members, of which 10 are volunteers, with lead developer Stephen Henson the single full-time employee. It is just one recent demonstration of how substandard the USA’s investment in its cybersecurity infrastructure really is. For example, in a typical year, the OpenSSL Software Foundation receives just $2,000 in donations (to support security software on those 2/3 of all web servers).
When researchers announced that they had discovered the Heartbleed bug, it had been present in OpenSSL software for several years, but they did not know whether it had been exploited to launch attacks. Now it is forcing websites to issue new certificates, and is causing a lot of us to change and strengthen passwords on dozens of websites, especially those we access to purchase goods and services, do banking, and pay bills. This is not necessarily a bad thing, given how complacent many of us have been about our passwords.
Bruce Schneier, a security expert, explains a bit about how Heartbleed works on his Schneier On Security blog.
Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory — SSL private keys, user keys, anything — is vulnerable. And you have to assume that it is all compromised. All of it.
On Monday, Canada’s Revenue Agency said private information of 900 people had been compromised, and security experts warned that more attacks are likely to follow. Hackers were able to steal social insurance numbers (like our Social Security numbers) that Canadians use for employment and access to government benefits, and possibly some other data.
Lior Div, chief executive of the cybersecurity firm Cybereason, said that ‘even non-sophisticated hackers’ will attempt to launch attacks that exploit the vulnerability with the tools that are publicly available.
‘We are in a race,’ Div said. ‘People who hadn’t thought about using this type of attack will use it now.’
A top rated password management company called LastPass provides a Heartbleed Checker tool that allows individuals (not limited to their customers) to enter a website URL and determine whether it used OpenSSL, and if so, whether it has been patched. For example, my investment company website got a green light, as did my credit union, but here’s what the tool showed for Facebook:
WARNING: www.facebook.com was confirmed as vulnerable either publicly via statement or on 4/8/2014 LINK
Assessment: Change your password on this site if your last password change was more than 1 week ago.
So what do we do now?
I would strongly encourage you to use the Heartbleed Checker tool linked above, especially on sites where you bank, invest, or transact any sort of personal business. Check your email provider, too! Google/GMail was vulnerable, but is now safe, so if you use those, change your password.
If you use the web as most of us do these days, I recommend acquiring and using password management software, such as 1Password or LastPass, to generate the majority of your passwords. But for email, banking and the password to your password manager “vault” I suggest a method of selecting random words from the dictionary called Diceware. It is a bit time consuming to set up, and involves rolling dice, but probably is worthwhile for sensitive passwords. If that seems too hard, just make your password or passphrase at least 30 or 40 characters long, if possible. Keep in mind that it isn’t just password guessing you want to thwart, but the software password crackers that can decipher even complex passwords in a couple of hours — or a couple of minutes.
We can’t be 100% protected from hackers (or from the NSA!) but we can put extra effort into making our online lives as secure as possible.