The full scope of the Heartbleed bug came to light in a series of reports by researchers and white-hat hackers, as well as a statement allegedly from the government over its use of the bug.
The Heartbleed bug can, as many feared, be used to extract private SSL keys, the “Holy Grail” for a hacker – allowing access even if the Heartbleed bug is dealt with. Two white-hat hackers were able to extract keys – Fedor Indutny and Ilkka Mattila – were both able to use Heartbleed to extract private keys in a competition set up by data security company CloudFlare. The source of the bug, which has been active for at least two years, was errors introduced by a PhD student writing for the open-source company OpenSSL, as reported by We Live Security here.
“We confirmed that both of these individuals have the private key and that it was obtained through Heartbleed exploits,” said CloudFlare. The scope of the bug – which allows malicious individuals to extract information invisibly during an encryption process – was already causing widespread alarm.
Digital Trends reported that the ability to steal private keys raised the scope of Heartlbeed considerably. “Having access to these private keys means hackers can return even after the Heartbleed exploit has been removed through the window.” The ‘bad guys’ will only cease to have access to this key once the server’s security certificates are all updated – which tends to happen rarely — it’s akin to having the keys to a car rather than having to break in.
Ars Technica reports that this means that merely fixing the bug may not solve the problems Heartbleed has created. Private keys are used as ‘padlocks’ for a huge amount of private data across the internet, and it is now by no means certain that the keys to the padlocks have not already been stolen.
Merely updating the open-source tool may not be enough, Ars points out.”The results are a strong indication that merely updating servers to a version of OpenSSL that’s not vulnerable to Heartbleed isn’t enough,” the site said.
“Because Heartbleed exploits don’t, by default, show up in server logs, there’s no way for sites that were vulnerable to rule out the possibility the private certificate key was plucked out of memory by hackers. Anyone possessing the private key can use it to host an impostor site that is virtually impossible for most end users to detect,” the site writes.
The source of the bug, which has affected at least 500,000 sites and millions of users, was a small programming error made by a PhD student, who has spoken of his regret at the incident.
Forbes Magazine points out that few have investigated a potentially lethal aspect of the bug – its effect on smartphone apps, with Forbes claiming up to a billion handsets could be at risk. Forbes claims that any smartphone not protected by “enterprise grade” security may be at risk due to apps. “The Internet security world and the media have sounded alarms about potential vulnerabilities for consumers using “desktop” browsers to visit websites that may be running bogus server code. Yet little attention has been paid to the global problem of 40-60 billion active smartphone applications that may share some of those same servers or connect to their own group of servers that may also be compromised.”
The BBC reports that computers vulnerable to the bug are already being scanned – although it’s still not clear whether this is the work of researchers or cybercriminals. Around 500,000 servers are vulnerable according to Netcraft, although many have rapidly deployed the patch.
The bug, known as ‘Heartbleed’ is described as one of the “most serious security flaws ever found” according to the Telegraph’s report. It affects the open-source encryption software OpenSSL – which is used on millions of web servers – and has been undiscovered for more than two years. The Telegraph reports that it could have been used to steal passwords, credit card details and even encryption keys, without trace.
Major sites including Yahoo Mail and others, are vulnerable, and are scrambling to deploy fixes. A proof-of-concept exploit for the bug has already been posted on coding site Github.
The researchers who discovered Heartbleed say that it has left private keys and other secrets exposed “for years”. The researchers tested the vulnerability themselves and wrote that they were able to gain access to large amounts of data, leaving no trace of their presence.
“We have tested some of our own services from an attacker’s perspective,” they wrote. “We attacked ourselves from outside, without leaving a trace. Without using any privileged information, we were able steal from ourselves secret keys, usernames and passwords, instant messages, emails and business critical documents and communication.”
The bug was discovered by researchers from Finnish firm Codenomicon working with Google. A dedicated website helps to explain some of the risks – although the researchers admit they do not know how widely the bug has been exploited.
“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet,” the firm writes.
“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
ESET Senior Research Fellow David Harley offers advice on how to deal with problem, “Sites that have never run the 1.0.1 and 1.0.2-beta releases of OpenSSL including 1.0.1f and 1.0.2-beta1 shouldn’t be panicking about this, but those that are running them need to upgrade to 1.0.1g or recompile -DOPENSSL_NO_HEARTBEATS, as recommended by the OpenSSL security advisory. However, they should also be looking for and revoking (and reissuing) compromised keys, and changing user passwords. This applies even to sites that ran a vulnerable version for a while but have upgraded since, as the bug has been around since 2011. While I haven’t checked all the links and resources listed there, this site looks like an excellent starting point for sites that need to know more about the problem and its remediation, as well as the heartbleed.com page. It’s worth remembering that some embedded devices also use OpenSSL: it isn’t just a server issue.”
White-hat hackers Fedor Indutny and Ilkka Mattila successfully took on the Heartbleed hacking challenge laid down by Web performance and security company CloudFlare. “We confirmed that both of these individuals have the private key and that it was obtained through Heartbleed exploits,” said CloudFlare. Within nine hours, four more competitors had cracked the competition, and extracted private keys.
Big-name companies including Google, Yahoo and Dropbox are scrambling to update their systems to close the Heartbleed loophole, but the danger is far from over. Stay tuned to our lists of apps and websites that are affected for details of how to protect yourself, and follow any prompts you receive to reset your passwords from the online services you use.
TechRadar compiled a list of the best and worst advice from mainstream media – noting that for many sites, the demand for simplicity meant that the advice was, “Change your password and don’t use ‘password’ as your new password.” The incident has, at least, ignited serious debate over the security of passwords, and of encryption systems. Fox News reports that the Department of Homeland Security says that there is a clear need for the government to monitor web use.
CloudFlare wrote, ““Our recommendation based on this finding is that everyone reissue and revoke their private keys,” CloudFlare wrote in an update today. “CloudFlare has accelerated this effort on behalf of the customers whose SSL keys we manage.”
Author Rob Waugh, We Live Security