Getting to the Heart of the Heartbleed Bug

Nearly two months have elapsed since the Heartbleed bug jolted the cyber community awake. Since then, media outlets have found plenty of other cyber news to adorn their pages:

  • Thai authorities arrested and charged a hacker with stealing millions from Swiss banks
  • The U.S. indicted five Chinese nationals with espionage
  • The CEO of Cisco claims the NSA has load stations for implanting spy equipment in U.S.-made products
  • Syrian hackers hijacked the WSJ Twitter accounts and began making prankish announcements before the media outlet pulled the plug

Life goes on.

But how many people really understand what the Heartbleed bug was? And, what can people take from this experience to maximize their online security?

Here’s a summary.

Discovery and Dissemination

Thanks to Ben Grubb from the Sydney Morning Herald, who compiled this “Who Knew What When” timeline:

Friday, March 21st, Neel Mehta and his team from Google Security discover the OpenSSL crypto-library vulnerability known as Heartbleed (CVE-2014-0160).

Friday, March 21st, Adam Langley and Bodo Moeller of Google prepare a patch for the “missing bounds check” and forward it to Red Hat and others. The patch is progressively applied to Google services/servers across the globe.

Monday, March 31st, Cloudflare finds out and patches.

Tuesday, April 1st, Google notifies OpenSSL.

April 1st, OpenSSL notifies core team members. They plan to PUSH a fix but it gets postponed to April 9th, to give proper time for processes.

Wednesday, April 2nd, security engineers at the Finnish company Codenomicon Defensics (Riku, Antti, and Matti) discover the same bug separately.

Thursday, April 3rd, Codenomicon notifies the National Cyber Security Centre Finland.

Friday, April 4th, Akamai Technologies patches its servers. They claim OpenSSL informed them about the bug. OpenSSL denies the claim.

Friday, April 4th, rumours spread within the OpenSSL community about a bug.

Saturday, April 5th, Codenomicon purchases the Heartbleed domain name, where it later publishes information about the security flaw.

Saturday, April 5th, OpenSSL publishes something to its Git repository.

Sunday, April 6th:

  • National Cyber Security Centre Finland (NCSCF) reaches out to the government-funded CERT Coordination Center in America
  • OpenSSL notifies Linux
  • Heartbleed bug added to Red Hat’s Bugzilla
  • Red Hat notifies its private distribution list
  • Wall Street Journal hears about bug
  • Facebook gets a heads up from a friend

Monday, April 7th, Google posts findings on their Application Security page.

  • NCSCF reports Heartbleed to OpenSSL
  • OpenSSL core team assesses greater risk with two finds and releases patches later that day
  • Fix for OpenSSL Heartbleed bug in OpenSSL’s git repository
  • New OpenSSL version openssl-1.0.1g.tgz now on OpenSSL server
  • OpenSSL publishes security advisory
  • Sends advisory to mailing list
  • Cloudflare posts a blog about the Heartbleed bug
  • Cloudflare tweets about the post
  • Neel Mehta and Codenomicon tweet about it
  • General Public becomes aware 1:13 PDT
  • Ubuntu comes out with a patch

Description of the Heartbleed Bug

The problem was that the Heartbeat extension of the Transport Layer Security (TLS) protocol could reveal up to 64kB of memory. An attacker would simply send a heartbeat request carrying a short sequence of bytes while declaring a much larger length, asking for the response to come back as that short sequence plus “so many” additional characters. The additional characters were read straight out of the server’s memory and could include all kinds of sensitive information, including passwords, usernames, and private keys.

Neel Mehta’s (Google) report said:

“A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.”

It was just a little omission of code. It could have happened to anyone. The fix plugged the hole by checking the declared length against the data actually received, so the response ends where the request’s real payload ends.
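To make the “missing bounds check” concrete, here is an added example (not OpenSSL’s code) of a heartbeat responder in C that models the record layout from RFC 6520 and includes the check the fix introduced; the `heartbeat_respond` and `check_*` names and the two sample records are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example, not OpenSSL's code: a heartbeat responder that includes
 * the bounds check the Heartbleed fix added. Record layout follows RFC 6520:
 * 1-byte type, 2-byte big-endian payload length, payload, 16+ bytes of padding. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };

/* Answer the record in rec[0..rec_len). Returns the number of bytes written to
 * out, or 0 when the record is rejected. */
size_t heartbeat_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < 3 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t payload = (size_t)((rec[1] << 8) | rec[2]);   /* length the peer declares */
    /* The check that was missing (CVE-2014-0160): the declared payload length must
     * fit inside the record that actually arrived. Without it, the memcpy below
     * copies `payload` bytes starting at rec + 3, running past the end of the
     * received record and into whatever else sits in that memory. */
    if (3 + payload + HB_PADDING > rec_len) return 0;
    size_t need = 3 + payload + HB_PADDING;
    if (need > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);        /* echo exactly the bytes received */
    memset(out + 3 + payload, 0, HB_PADDING); /* real code fills padding randomly */
    return need;
}

/* Well-formed request: declares 5 bytes and carries 5 ("hello") plus 16 bytes of
 * zero padding (the array initializer zero-fills the rest). Expect a 24-byte
 * response that echoes "hello". */
int check_wellformed(void) {
    uint8_t req[24] = { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    uint8_t out[64];
    return heartbeat_respond(req, sizeof req, out, sizeof out) == 24 &&
           out[0] == HB_RESPONSE && memcmp(out + 3, "hello", 5) == 0;
}

/* Malformed request: same 24-byte record, but the length field claims 65535
 * payload bytes. The bounds check must reject it instead of echoing memory. */
int check_overdeclared(void) {
    uint8_t req[24] = { HB_REQUEST, 0xff, 0xff, 'h', 'e', 'l', 'l', 'o' };
    uint8_t out[64];
    return heartbeat_respond(req, sizeof req, out, sizeof out) == 0;
}
```

Removing the single `if (3 + payload + HB_PADDING > rec_len)` line is all it takes to turn the second case back into the over-read the page describes.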

Aftermath

So companies took action. They downloaded the fix. They told their clients to change their passwords.

Experts recommend using a different password for each account.

Things got resolved. People moved on.

What Versions Were Vulnerable?

Two versions of OpenSSL carried the Heartbleed bug—1.0.1 and 1.0.2 beta releases.

These releases happened between December of 2011 and March of 2012.

But, how do you know what release you have? It doesn’t matter. Just download the fix, then change your password and you’re done. Some experts recommend doing a third party security assessment after the fix to validate.

The initial tally of those at risk included twenty percent of webservers on the Internet, and Android smartphones including the Jelly Bean models running 4.1.1. Mandiant reported that black hats used Heartbleed to impersonate customers of one of its clients and, using private keys, broke into the client’s VPN.

What is OpenSSL?

OpenSSL is a project founded in 1998 to build a free, open-source set of encryption tools for software used on the Internet.

SSL, or Secure Sockets Layer, is the standard security protocol linking a web server to a browser. SSL encrypts your data using a certificate that identifies your website and your company. This certificate consists of two crypto keys: one public, one private.

The vulnerability put the private key at risk of exposure. Some websites are getting their OpenSSL certificates revoked and reissued. It’s effective but expensive.

Where does OpenSSL fit in the overall scheme of how a computer functions?

I asked Ken Hess, a frequent contributor at ZDNet, owner of The Frugal Networker, and a Linux and Windows expert for his insight on the OpenSSL vulnerability. He explained, “The Heartbleed bug is outside a computer’s OS—Windows or Linux.”

“It’s an add-on program vulnerability in the OpenSSL library. Any program using SSL [port 443] for security is/was vulnerable to it—secure shell SSH [port 22], sites that use SSL and certification, and so on.”

  • SSL is used in transmitting credit card, tax, and banking data
  • SSH is used to connect one computer to another

Known Damage

Some of the earliest known victims were Canadian taxpayers. Within days after the general announcement, a teenager allegedly hacked into the Canada Revenue Agency and accessed details from 900 accounts.

The second was another Canadian group called Mumsnet.

What’s Been Done Since the April 7th Announcement?

Little by little, reports have filtered in; SoftPedia News is posting these developments as they unfold.

  • April 25th, all government sites were patched
  • Google, Facebook, Amazon, Microsoft and Cisco have joined forces to make sure something like this doesn’t happen again
  • The Linux Foundation funded a massive collaboration which includes OpenSSL
  • NSA admits to keeping some Heartbleed-like bugs secret
  • Siemens patches Heartbleed in their Industrial Products

Heartbleed illuminates the risk of doing business on the Internet.

I recently read a list of five questions investors should ask financial institutions. One of the questions was: Do you have cyber liability insurance? The writer has a point.

The Heartbleed event appears to be calming down. That’s definitely a good thing, but it’s still a sobering reminder of how insecure the internet can be without the work of dedicated security researchers, open source development, and transparency. And the latter we definitely need quite a bit more of.