I’m sure that many of you will have already read the recent announcements about the latest threat to online security: the “Heartbleed bug”.
But what is this Heartbleed bug, and how could it have affected me?
What is being dubbed the “Heartbleed bug” is a security flaw that was first made public at the beginning of this week.
What the bug does is enable anybody with an Internet connection and the knowledge of how it works to read the memory of websites and systems protected by vulnerable versions of OpenSSL.
OpenSSL is the industry standard when it comes to securing information sent online. What it basically does is enable websites and systems to encrypt and decrypt information before it is sent over the Internet (it takes your information and rewrites it in a special code that only the systems you grant access to can read).
Any website that processes payments is actually required by the payment processors to have encryption enabled. This is, and has been for a long time, the industry standard and the main way that information is secured when being sent online.
So this could mean that credit card details, sensitive medical information and even criminal records could potentially be leaked.
Essentially anything that is entered into a secure form online on an affected system could be decrypted by the hacker and used as they wish.
The information could also be used to impersonate services and users and in turn gain access to all manner of systems and additional information stored elsewhere.
It’s being called the Heartbleed bug because of the way it works: essentially, a malicious user sends a special message to an affected system, and this message prompts the system to send a message back containing some of the contents of the system’s memory. The name comes from the fact that, when exploited, it causes the information at the heart of the system to literally leak (or bleed) out.
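To make that exchange concrete, here is a small C model of a heartbeat handler, written as an added example for this article; it is not OpenSSL’s code. It reduces the record to a type byte, a two-byte payload length and the payload, keeps “process memory” in one static buffer so the over-read stays inside the program, and places a constructed secret next to the incoming request. The vulnerable handler copies as many bytes as the peer claims; the fixed handler checks the claim against the record that actually arrived and drops the request otherwise. All names and constants here (HB_PADDING, scenario, the secret string) are this example’s own.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Simplified heartbeat record: [type:1][payload_len:2 big-endian][payload][padding].
 * Teaching model written for this article, not OpenSSL's implementation. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING  16          /* minimum padding a record must carry */
#define MEM_SIZE   256

/* Simulated process memory: the request lands at offset 0 and a constructed
 * secret belonging to "another connection" sits right after it. */
static unsigned char memory[MEM_SIZE];
static const char secret[] = "session-cookie=CONSTRUCTED-SECRET-VALUE";

/* Build a request that claims `claimed_len` payload bytes but carries only
 * `actual_len`. Returns the number of bytes that really arrived (0 on error). */
size_t build_request(uint16_t claimed_len, size_t actual_len)
{
    size_t record_len = 1 + 2 + actual_len + HB_PADDING;
    if (record_len + sizeof secret > MEM_SIZE)
        return 0;
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (unsigned char)(claimed_len >> 8);
    memory[2] = (unsigned char)(claimed_len & 0xff);
    memset(memory + 3, 'A', actual_len);                /* the real payload */
    memcpy(memory + record_len, secret, sizeof secret);  /* adjacent data */
    return record_len;
}

/* Vulnerable handler: trusts the peer's length field and never compares it
 * with record_len, so memcpy reads past the request into adjacent memory. */
int handle_heartbeat_vulnerable(size_t record_len, unsigned char *out, size_t out_cap)
{
    (void)record_len;                                   /* the bug: never consulted */
    uint16_t len = (uint16_t)((memory[1] << 8) | memory[2]);
    if ((size_t)len + 3 > out_cap)                      /* only our own buffer limit */
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = memory[1];
    out[2] = memory[2];
    memcpy(out + 3, memory + 3, len);                   /* over-read happens here */
    return (int)len + 3;
}

/* Fixed handler: header + claimed payload + padding must fit inside the bytes
 * that actually arrived; otherwise the request is silently dropped. */
int handle_heartbeat_fixed(size_t record_len, unsigned char *out, size_t out_cap)
{
    if (record_len < 1 + 2 + HB_PADDING)
        return -1;
    uint16_t len = (uint16_t)((memory[1] << 8) | memory[2]);
    if (1 + 2 + (size_t)len + HB_PADDING > record_len)  /* the missing check */
        return -1;
    if ((size_t)len + 3 > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = memory[1];
    out[2] = memory[2];
    memcpy(out + 3, memory + 3, len);
    return (int)len + 3;
}

/* Did the response carry the adjacent secret? */
int response_leaks_secret(const unsigned char *out, int out_len)
{
    size_t slen = strlen(secret);
    if (out_len < 3)
        return 0;
    for (size_t i = 3; i + slen <= (size_t)out_len; i++)
        if (memcmp(out + i, secret, slen) == 0)
            return 1;
    return 0;
}

/* Run one scenario end to end: 1 = secret leaked, 0 = clean response,
 * -1 = request dropped by the handler. */
int scenario(uint16_t claimed_len, size_t actual_len, int use_fixed)
{
    unsigned char out[MEM_SIZE];
    size_t record_len = build_request(claimed_len, actual_len);
    if (record_len == 0)
        return -1;
    int n = use_fixed ? handle_heartbeat_fixed(record_len, out, sizeof out)
                      : handle_heartbeat_vulnerable(record_len, out, sizeof out);
    return n < 0 ? -1 : response_leaks_secret(out, n);
}

int main(void)
{
    printf("vulnerable handler, claims 200 bytes but sends 4: %s\n",
           scenario(200, 4, 0) == 1 ? "secret leaked" : "no leak");
    printf("fixed handler, same request: %s\n",
           scenario(200, 4, 1) == -1 ? "request dropped" : "answered");
    printf("fixed handler, honest 4-byte request: %s\n",
           scenario(4, 4, 1) == 0 ? "clean response" : "unexpected");
    return 0;
}
```

The whole defect is the one comparison the fixed handler adds: the length the peer wrote into the record is checked against the length of the record that was actually received. Everything else in the two handlers is identical.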
So what’s OpenSSL and what versions are “vulnerable”?
OpenSSL is an open-source and very popular toolkit that is used to allow websites and other online systems to use encryption.
SSL and TLS are the industry-standard ways of securing information being sent online. Any time you are accessing a website via https:// or sftp:// you are accessing it through one of these methods. The same system is used when you select “send messages securely” or similar in your email programme.
The bug itself was actually introduced into OpenSSL in March 2012 with version 1.0.1 of the software; earlier versions are unaffected. This is perhaps one of the most annoying aspects of the bug: it only affects people who were doing everything properly, keeping their software up to date and securing sensitive information with industry-standard encryption.
This issue is caused by a bug in the software, a human error in the code. As it was first introduced in March 2012, it’s hard to tell if or when someone first picked up on this bug before it was made public. It is known, however, that the programmer who made the fateful error was a coder called Robin Seggelmann, a German-based programmer who has just completed his PhD thesis on “Strategies to Secure End-To-End Communication”.
The scary thing is that this bug could have been exploited for a long time, and big pools of information may already have been collected. We just don’t know. In all fairness, knowledge of this bug would be of immense financial value in the right hands, and it would certainly be in the interest of anybody discovering it to keep quiet about it.
In the wake of Edward Snowden’s revelations of mass NSA surveillance, conspiracy theories are already starting to form.
The Sydney Morning Herald reported that Seggelmann has denied deliberately creating the bug, saying it could “be explained pretty easily.”
He does, however, know why it’s “tempting” to see the error as intentional. He calls Heartbleed “a simple programming error” that was “not intended at all”, but says it is absolutely possible that intelligence agencies like the NSA have made use of the vulnerability since it was introduced.
At the time it was first announced, it was estimated that the bug could have affected 17% of secure servers. This is unfortunately just the tip of the iceberg, as that figure counts only the machines directly affected; most modern systems use large groups of machines, and it only takes one insecure system in the network for data to be stolen.
What could be leaked?
Encryption is used to protect all manner of sensitive information online. Information is generally encrypted for the specific purpose of protecting data that could harm your privacy or security if leaked.
Information that could potentially be leaked by the Heartbleed bug can be put into five categories:
1 – Primary heart bleeds
This is the holy grail of information when it comes to encryption: leaked primary keys would allow an attacker to decrypt any sensitive information sent over a website, past, present and future (until the bug has been patched). Anything protected by the encryption could be bypassed completely. If your primary key has been leaked, new keys will need to be issued, all active connections stopped, and all sessions and cookies updated. Unfortunately, any information leaked prior to fixing this would still be exposed.
2 – Secondary heart bleeds
Many websites use secure forms for logins. On vulnerable websites this information could be captured, and any usernames and passwords entered leaked. These could then be used by the attacker to gain access to whatever parts of the website the original user has, or to impersonate you on the website, change your information or do all manner of malicious things. Once a site has been secured you should check whether any sensitive information may have been leaked and take steps accordingly. Also change any passwords and, if possible, usernames.
3 – Protected heart bleeds
Any information that the webmaster or system owner has tried to protect: financial information, personal details, medical records, whatever. If the information is transmitted via OpenSSL it could potentially be leaked. Consider any information you have entered directly into a secure form.
4 – Collateral heart bleeds
OK, this is less of an issue for the end user but could be potentially serious for any webmasters or server owners. Technical server information and information about server security could potentially be leaked and used to launch further attacks.
5 – Heart attacks
Considering the other information that may have been leaked, think about what other applications an attacker may gain access to using it. If server details may have been compromised, all files should be checked for malware. Now that the bug is public, it is certainly possible that people will use the window between the exploit being made public and the bug being patched to prepare future attacks or plant malware to facilitate them.
It is possible that we may see a second wave of issues presented by this bug, as OpenSSL is built into a vast amount of Internet hardware and third-party security tools, many of which won’t be so easy to patch or may no longer be supported by the original developer. Examples would include cable boxes and wireless routers where OpenSSL is built into the device.
What we have done
When we first heard about this bug at the beginning of the week, we performed an immediate patch on our server and contacted all parties we believed to be most at risk. We have also changed all of our core passwords; user passwords are limited in the access they can achieve, and through log analysis we found no suspicious user activity or anything that would lead us to believe we had been compromised.
We do not believe that any of our servers were compromised, but we did have some servers in our CloudWorks network that used OpenSSL. If you are an existing client or would simply like one of our consultants to provide a security audit, please do not hesitate to get in touch.
What you can do
Now that this bug is public, and because of how simple it actually is to exploit, it is very important to be extra vigilant until webmasters have managed to catch up with the problem.
Avoid sending any kind of sensitive information to any website or system that does not explicitly state it has patched the issue or is unaffected. CNET has produced a list of the top 100 websites and whether they are affected by the Heartbleed bug; not surprisingly, none have publicly stated they were vulnerable, but quite a few did fail basic vulnerability tests conducted by Qualys. A more up-to-date list of the major websites has also been compiled on Mashable.
Once you are sure a website is secure, change any login passwords you have on it (see secure passwords below).
Your bank should contact you if necessary, but it may be beneficial to cancel any cards you have used online or whose details may have been transmitted online by another company.
Check your bank statements for any transactions you don’t recognise and keep an eye on your accounts; if you notice anything suspicious, call your bank straight away.
It may also be beneficial to get a copy of your credit report or sign up to a credit report alert service, and look for any accounts you don’t recognise.
If you are a webmaster and you’re not hosted on our CloudWorks server, contact your web host and ensure they are aware of the issue and have updated everything. (If you are, we have been in contact with all of the sites we have deemed most at risk and will be contacting all other clients hosted with us to provide an assessment of your project.)
A few online services have become available to check whether a server has been affected by the Heartbleed bug. You should check your server straight away.
For any email accounts you use, contact your email provider and ensure they are either unaffected or have patched the bug. Once you are sure they are secure, change your passwords on all accounts.
If you have an SSL certificate, you should contact your certificate issuer and get it reissued; you will need to contact your host to remove the old certificate and install the new one.
If you own a server network, check all connected servers as well as your own; if any use OpenSSL, ensure you are using the latest version (a patch was released on 7th April). It would also be advisable to look out for additional patches over the next few months. Ensure you also reissue any SSL certificates installed on the server. Disconnect all connections, change all secret keys and change all passwords. You should make an announcement to your customers and any stakeholders about the steps taken to remedy the situation.
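A quick way to act on the “ensure you are using the latest version” step is to read the banner printed by `openssl version`. The function below is an added example for this article, not anything from the OpenSSL project; it classifies that banner against the affected range as the OpenSSL advisory states it: 1.0.1 through 1.0.1f (and the 1.0.2-beta1 pre-release) carry the bug, 1.0.1g of 7 April 2014 fixes it, and the 0.9.8 and 1.0.0 branches never had it. The banners in main() are constructed samples.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Classify an `openssl version` banner. Returns 1 if the build falls in the
 * Heartbleed-affected range, 0 if it does not, -1 if this is not an OpenSSL
 * banner. Added example for this article, not OpenSSL project code. */
int openssl_version_vulnerable(const char *banner)
{
    int major, minor, fix;
    char next = ' ';   /* character after the third number: patch letter or not */
    int got = sscanf(banner, "OpenSSL %d.%d.%d%c", &major, &minor, &fix, &next);
    if (got < 3)
        return -1;
    /* 0.9.8x and 1.0.0x predate the heartbeat code entirely. */
    if (major < 1 || (major == 1 && minor == 0 && fix == 0))
        return 0;
    if (major == 1 && minor == 0 && fix == 1) {
        /* plain 1.0.1 (no letter) up to 1.0.1f are affected; 1.0.1g fixed it */
        if (!islower((unsigned char)next))
            return 1;
        return next < 'g' ? 1 : 0;
    }
    /* 1.0.2-beta1 shipped with the bug; beta2 and every later branch did not. */
    return strstr(banner, "1.0.2-beta1") != NULL ? 1 : 0;
}

int main(int argc, char **argv)
{
    /* Constructed sample banners; pass a real one as argv[1], for example
     *   ./check "$(openssl version)"                                        */
    const char *samples[] = {
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.0k 5 Feb 2013",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "LibreSSL 3.3.6",
    };
    size_t count = argc > 1 ? 1 : sizeof samples / sizeof samples[0];
    for (size_t i = 0; i < count; i++) {
        const char *b = argc > 1 ? argv[1] : samples[i];
        int r = openssl_version_vulnerable(b);
        printf("%-36s -> %s\n", b,
               r == 1 ? "in affected range, patch now"
             : r == 0 ? "not in affected range"
                      : "not an OpenSSL banner");
    }
    return 0;
}
```

One caveat the banner cannot resolve: Linux distributions usually backport the fix without changing the upstream letter, so a patched distribution package can still print 1.0.1e. Treat a “vulnerable” result from this check as a prompt to confirm with the package manager’s changelog, or with one of the online test services mentioned above, before concluding a host is exposed, and treat a “not affected” result as no substitute for the certificate, key and password steps listed in this section.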
Once you are sure your site and server are secure, you should change all passwords; this includes databases, emails and website logins.
You should use a secure password at least 12 characters long containing no recognisable words and a combination of capital letters, lower-case letters, numbers and special characters. If you have trouble remembering passwords, try using misspellings of words you are familiar with, use capitals in random places and combine them with a minimum of 4 random numbers and at least 1 special character (not a date). Securing passwords like this isn’t to prevent the Heartbleed bug, but it is good practice and helps to keep out some other common exploits.
For those interested in finding out more about the technical side of the Heartbleed bug, you can check out this excellent video by computer security company Elastica Inc.
If you’re still craving more information, here are a few more resources:
OpenSSL project: https://www.openssl.org/
Original MITRE security alert for the Heartbleed bug:
BBC News: http://www.bbc.co.uk/news/technology-26969629