The Heartbleed Bug: A Trivial Mistake With Disastrous Consequences


Pragya Parmita
Staff Writer

One of the worst threats to Internet security in years, the Heartbleed bug, remained undetected in the widely used OpenSSL library for over two years. Now that it has finally been discovered and its impact tested, security analysts are starting to realize that the bug poses an even greater threat than originally anticipated.

According to Codenomicon, a Finnish IT security firm, the Heartbleed bug lets attackers steal information that is normally protected by the SSL/TLS encryption used to secure communication over the Internet for a wide range of applications, including the web, email, instant messaging, and some virtual private networks (VPNs). With Heartbleed, an attacker can read the memory of any system running a vulnerable version of OpenSSL, without needing any credentials.

By exploiting the bug, an attacker can retrieve up to 64 KB of memory from a remote system per request, and the request can be repeated as often as the attacker likes. Which 64 KB comes back is up to chance, so harvesting useful data is a tedious process, but tests conducted to check the consequences of the bug have shown that everything from web content, user names, and passwords to the secret keys that identify a service and encrypt its Internet traffic can be exposed. This information, once stolen, enables bigger attacks. The threat is even more dangerous because a malicious heartbeat request leaves nothing in ordinary server logs, so it is almost impossible to determine after the fact whether a system was attacked through Heartbleed.

Neel Mehta of Google Security first discovered the bug on March 21. It is only in the past couple of weeks, however, that the bug has become public knowledge, as various companies race to improve their security. Amid the confusion over who is vulnerable, many have accused the NSA not only of having known about the bug, but of having used it to gather intelligence.

Bloomberg’s Michael Riley writes, “Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission.” If that account is accurate, the agency left millions of users at the mercy of criminal hackers in the process. The NSA, however, has denied any knowledge of the bug before its public disclosure.

Because the bug went unnoticed for so long, it is possible that very few attackers had the chance to exploit it, even though using it to steal a server’s private key has proven to be very doable. A site’s certificate, together with the private key that only the legitimate server should hold, is what lets browsers determine that a website is genuine. If the certificate presented by a website does not check out, most browsers block access and warn the user. But with the private key stolen through Heartbleed, a fake website could present the real site’s certificate and pass that check, and users could unknowingly feed sensitive information to an attacker.

CloudFlare recently announced an open challenge to hackers to test the limits of Heartbleed by extracting the private key from a deliberately vulnerable server. Within nine hours of the announcement (only three since he started working on it), a hacker named Fedor Indutny had obtained the server’s private key. Another hacker, Ben Murphy, announced that the process took him a total of two hours.

Furthermore, two instances of attacks have already been reported. Nineteen-year-old hacker Stephen Arthuro Solis-Reyes was arrested by the Royal Canadian Mounted Police and was “accused of using the Heartbleed bug to hack into Canada Revenue Agency’s database and hijacking Social Insurance Numbers and other sensitive information from 900 taxpayers,” according to Time. The CRA was forced to take its website down while it worked on strengthening security. The second reported instance involved an attacker who logged into the Mumsnet server and accessed user data using the username and password stolen from Justine Roberts, the founder of Mumsnet.

Robin Seggelmann, the software developer who has taken responsibility for the bug, has stated that the bug was not inserted on purpose but instead was a “quite trivial” mistake. “I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” Seggelmann told The Sydney Morning Herald. “In one of the new features, unfortunately, I missed validating a variable containing a length.” After he published the code, a reviewer “apparently also didn’t notice the missing validation, so the error made its way from the development branch into the released version.”
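The missing length check Seggelmann describes, and the memory leak it causes, are easy to see in miniature. The following is an added example written for this article, not OpenSSL’s own code: a simplified model of TLS heartbeat handling in which the “server memory” is a constructed arena, the incoming heartbeat record is placed at its start, and a made-up secret string sits right behind it, standing in for whatever happened to be adjacent on a real server’s heap. The message layout (a one-byte type, a two-byte payload length, the payload, then at least 16 bytes of padding) follows RFC 6520; the function names, the arena size, and the secret are assumptions made for the example.

```c
/*
 * Added example (not OpenSSL's code): a toy model of the Heartbleed bug.
 * A heartbeat request is type(1) | payload_length(2, big-endian) | payload | padding.
 * The vulnerable handler believes the length field; the fixed handler checks it
 * against the number of bytes that actually arrived.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 256      /* constructed "server memory" for this model */
#define HB_REQUEST 1
#define HB_PADDING 16       /* RFC 6520: at least 16 bytes of padding */

static unsigned char arena[ARENA_SIZE];
/* Made-up secret that lives in memory just past the heartbeat record. */
static const char secret[] = "SESSION=abc123; -----BEGIN RSA PRIVATE KEY-----";

/* Copy a received record into the arena and place the secret right after it. */
size_t load_record(const unsigned char *record, size_t record_len)
{
    memset(arena, 0, sizeof arena);
    memcpy(arena, record, record_len);
    memcpy(arena + record_len, secret, sizeof secret);
    return record_len;
}

/* Build a request whose length field (claimed_len) need not match the real
 * payload size; that mismatch is exactly what an attacker sends. */
size_t build_request(unsigned char *out, uint16_t claimed_len,
                     const unsigned char *payload, size_t payload_len)
{
    out[0] = HB_REQUEST;
    out[1] = (unsigned char)(claimed_len >> 8);
    out[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(out + 3, payload, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Vulnerable: trusts the length field and echoes that many bytes starting at
 * the payload, reading past the record into whatever follows it. */
size_t heartbeat_vulnerable(size_t record_len, unsigned char *response)
{
    const unsigned char *p = arena;
    size_t payload_len = (size_t)((p[1] << 8) | p[2]);
    (void)record_len;                       /* never consulted: the bug */
    if (3 + payload_len > ARENA_SIZE)       /* keep this model inside the arena; */
        payload_len = ARENA_SIZE - 3;       /* a real server keeps reading the heap */
    memcpy(response, p + 3, payload_len);
    return payload_len;
}

/* Fixed: header + declared payload + minimum padding must fit in the record
 * that was actually received; otherwise the request is silently discarded,
 * as in the patched OpenSSL. */
size_t heartbeat_fixed(size_t record_len, unsigned char *response)
{
    const unsigned char *p = arena;
    size_t payload_len;
    if (record_len < 1 + 2 + HB_PADDING)
        return 0;                           /* too short to hold even the header */
    payload_len = (size_t)((p[1] << 8) | p[2]);
    if (1 + 2 + payload_len + HB_PADDING > record_len)
        return 0;
    memcpy(response, p + 3, payload_len);
    return payload_len;
}

/* Did the echoed response carry the secret that sat past the record? */
int response_leaks_secret(const unsigned char *response, size_t len)
{
    size_t slen = strlen(secret);
    for (size_t i = 0; len >= slen && i + slen <= len; i++)
        if (memcmp(response + i, secret, slen) == 0)
            return 1;
    return 0;
}

struct outcome { size_t vuln_bytes; int vuln_leaked; size_t fixed_bytes; };

/* Send a 2-byte payload ("hi") claiming claimed_len bytes through both handlers. */
struct outcome run_request(uint16_t claimed_len)
{
    unsigned char req[64], resp[ARENA_SIZE];
    const unsigned char payload[] = "hi";
    struct outcome o;
    size_t rl = load_record(req, build_request(req, claimed_len, payload, 2));
    o.vuln_bytes = heartbeat_vulnerable(rl, resp);
    o.vuln_leaked = response_leaks_secret(resp, o.vuln_bytes);
    o.fixed_bytes = heartbeat_fixed(rl, resp);
    return o;
}

int main(void)
{
    struct outcome honest = run_request(2), evil = run_request(200);
    printf("honest (claims 2):  vulnerable echoes %zu, fixed echoes %zu\n",
           honest.vuln_bytes, honest.fixed_bytes);
    printf("attack (claims 200): vulnerable echoes %zu (leaked secret: %d), fixed echoes %zu\n",
           evil.vuln_bytes, evil.vuln_leaked, evil.fixed_bytes);
    return 0;
}
```

The honest request is echoed identically by both handlers. The malicious one, which sends two bytes but claims 200, makes the vulnerable handler copy 198 bytes it was never sent, secret included, while the fixed handler drops the record because 1 + 2 + 200 + 16 exceeds the 21 bytes that actually arrived. On a real server the length field goes up to 65535, which is where the 64 KB per request figure comes from.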

According to the Washington Post, experts believe the bug has affected over 500,000 sites. Patching OpenSSL is only the first step for these sites: because their private keys may already have been read, they also need to generate new keys, issue new certificates, revoke the old ones, and ask users to change passwords, a very time-consuming process. According to a list published by Mashable, the bug affected several popular services, including Yahoo Mail, Gmail, Instagram, Pinterest, and Tumblr. Most of these companies have already patched the problem and suggest that users change their passwords, and none of them has announced any kind of breach yet.