Über nasty Heartbleed bug exposes fabric of the Internet

April 9th, 2014


By Byron Acohido, Last Watchdog

KINGSTON, Wash. – An über nasty security flaw has arisen from the din to command the attention of the global security community, rightfully so.

The so-called “Heartbleed” flaw represents a path bad guys can use to tap into OpenSSL, the open-source implementation of the SSL and TLS protocols that are used all across the Internet to encrypt sensitive data.

“This is a very serious vulnerability. It allows attackers to see a portion of the contents of memory of the vulnerable server,” says Matt Willems, LogRhythm Labs engineer. “This particular vulnerability still exists in many locations, so changing your password may just mean that the new password is vulnerable.”

John Miller, Security Research Manager at Trustwave, observes that the Heartbeat flaw was spawned when OpenSSL was tweaked more than two years ago. He says it makes sense that criminals took notice prior to good guy researchers at Google and a small security firm, Codenomicon, identifying the flaw this week.


“Attackers may have already exploited the vulnerability, stealing passwords, payment card information and other sensitive data without the end-user or business even realizing it,” Miller says. “And, unfortunately, this attack will most likely have a long tail.”

By impersonating the server, attackers can decrypt traffic moving in and out of a business’ network to steal sensitive data. Even worse, they can grab private encryption keys, opening a Pandora’s box of exposures, says Jean Taggart, senior security researcher at Malwarebytes.

With possession of private encryption keys, an intruder can “impersonate the victim, and set up an undetectable man-in-the-middle attack,” says Taggart. “This is a huge issue that impacts the fabric beneath secure communications on the web.”

Small business exposure

Attackers can take advantage by decrypting traffic moving in and out of a business’s networks to steal sensitive information or gain access to users’ accounts. Small businesses that contract out hosting services, in particular, may be unaware of data leaking through the Heartbeat weakness.

Advises Miller: “Smaller businesses should talk to their website host and make sure their OpenSSL software is up-to-date and patched in addition to getting a new certificate and expiring all of their active sessions.”


In an accompanying video, Elastica’s CTO Zully Ramzan does an excellent job breaking down the technical makeup and associated exposures of Heartbleed.

“The most worrisome aspect is the sheer scope of this vulnerability. It impacts a large fraction of servers on the Internet. More so, there is a very real risk that your past data, that you thought was safeguarded, could wind up in the hands of attackers,” Ramzan says.

Ramzan says he is unaware of specific evidence affirming that bad guys have known about the Heartbleed hole for some time and, in fact, have already been exploiting it. “The good guys noticed it last week and it was just announced publicly a couple of days ago. But the flaw itself has been there unnoticed for two years, so it’s theoretically possible that cybercriminals have been exploiting it,” Ramzan says. “It turns out that the attack can be mounted without leaving any traces, so we have little visibility into how widespread it might have been.”

OpenSSL is pervasive. It runs on Windows, Linux, Apple OS X, Solaris and the BSD operating systems. “Almost everyone uses it,” says Steve Pate, chief architect at HyTrust. “Given that over half of the world’s webservers use Apache and Apache uses OpenSSL, the majority of people are using applications built on top of OpenSSL on a regular basis.”

Pate points out that not all versions of OpenSSL have the Heartbleed flaw. The 1.0.1 and 1.0.2-beta releases have the bug and a fix has already been implemented. “This is one of the benefits of an open source software project,” Pate asserts. “Changes are generally easier to detect and fixes tend to come quickly.”

The downside of open source

Perhaps not quickly enough. The discovery of fresh flaws in platforms and apps happens continually, by good guys and bad guys. Follow-up exploits to take advantage of newly-disclosed flaws now show up in public forums in days or even hours, compared to months or weeks. In the background, organized crime moves swiftly and efficiently to take full advantage without raising alarms. “Given the simple but devastating effect of the flaw, I’m fairly certain that people are mounting attacks as we speak,” Ramzan says.

LogRhythm’s Willems says now is the time for consumers and web site owners to be meticulous about using security best practices. Individuals should change passwords regularly and follow instruction from any legit alerts from trusted online vendors.

Web site owners, hosting companies and anyone else using OpenSSL should immediately upgrade to OpenSSL 1.0.1g. “Both open source and commercial software have seen these types of vulnerabilities in the past and will continue to in the future,” Willems observes. “One of the big differences is that open source software vulnerabilities tend to be discovered by a community and quickly patched while commercial software vulnerabilities are often patched behind the scenes.”
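The version facts in this article (the 1.0.1 line and the 1.0.2 beta carry the bug, 1.0.1g is the fix) are enough to triage a server inventory from the first line of `openssl version`. The script below is an added example, not code from the article or from any vendor quoted in it; the host names and banners are constructed, and the caveat in the docstring is the one a practitioner needs: distributions backport the fix without changing the upstream version string.

```python
import re

# Banner grammar: "OpenSSL <major>.<minor>.<patch><letter>[-beta<n>] <date>".
BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

def parse_openssl_version(banner):
    """Return (major, minor, patch, letter, beta) from an `openssl version` banner."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, patch, letter, beta = m.groups()
    return int(major), int(minor), int(patch), letter, (int(beta) if beta else None)

def heartbleed_status(banner):
    """Classify a banner as 'vulnerable', 'fixed' or 'unaffected'.

    Caveat: distributions backport fixes without bumping the upstream version
    (a patched 1.0.1e still reports 1.0.1e), so 'vulnerable' from this check
    must be confirmed against the package changelog before acting on it.
    """
    major, minor, patch, letter, beta = parse_openssl_version(banner)
    if (major, minor, patch) == (1, 0, 1):
        # No letter, or a..f, predates the fix; 1.0.1g and later contain it.
        return "vulnerable" if letter <= "f" else "fixed"
    if (major, minor, patch) == (1, 0, 2):
        # Only 1.0.2-beta1 shipped before the fix; later betas and releases have it.
        return "vulnerable" if beta == 1 else "fixed"
    # 1.0.0 and 0.9.8 never shipped the heartbeat code path.
    return "unaffected"

def triage(inventory):
    """Map each host in {host: banner} to its Heartbleed status."""
    return {host: heartbleed_status(banner) for host, banner in inventory.items()}

# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = {
    "web1.example": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "web2.example": "OpenSSL 1.0.1g 7 Apr 2014",
    "mail.example": "OpenSSL 1.0.0l 6 Jan 2014",
    "lab.example": "OpenSSL 1.0.2-beta1 24 Feb 2014",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print("%-14s %s" % (host, status))
```

Hosts reported as vulnerable then get the three steps Miller lists: patch or upgrade, reissue the certificate, and expire active sessions.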

This is a hot topic. Respondents to the last two (ISC)2 Global Information Security Workforce Studies have identified software vulnerabilities as the number one security threat.

“An argument could be made that the collaborative nature of open-source software development compounds the challenge of ensuring security is considered throughout the software life cycle,” David Shearer, Chief Operating Officer at (ISC)2 chimes in. “One could go as far as to say that we may be heading toward a time where some of the key security architecture components that are available as open-source software may need to be more closely managed and monitored.”

In the meantime, thousands of companies and organizations will be in a pickle, says Nathaniel Couper-Noles, principal security consultant at Neohapsis, noting that many have only limited capacity to identify whether they’re vulnerable, and whether they’ve been hacked.

“The best short term fix – patching or upgrading the software – may prevent future breaches but the horse may already be out of the barn, so to speak, if passwords or SSL keys were compromised before the patch was in place,” Couper-Noles says. “It may take a considerable amount of effort and money to re-establish a nominal security level.”