Question

IT's About Business 4.1

The Heartbleed Bug

What Is Heartbleed?

OpenSSL, an open-source software package, is a popular type of transport layer security (TLS) software (discussed later in this chapter) that secures numerous websites around the world. Web servers use OpenSSL to encrypt sites. Such sites show up in browsers with a “lock” icon and the “https” prefix in the address bar. The encryption protects Internet sites offering banking, shopping, email, and other private communications. Roughly two out of three websites globally use Apache, a server software, which has OpenSSL built in. OpenSSL transmits data in an encoded form that looks like gibberish to anyone except authorized computers, which can unlock the data using keys.

Without OpenSSL, it would be virtually impossible to conduct e-commerce safely. Much of the software that connects devices in homes and businesses relies on OpenSSL to connect them to the Internet.

The Heartbleed bug is an encryption security flaw (a programming error) in the OpenSSL software package that was reported by the Google security team in 2014. The flaw resulted from an unintended coding mistake by a German researcher three years earlier.

Attackers can exploit Heartbleed to decode encrypted connections and hack into user passwords as well as an organization's encryption keys. Hackers can spy on web transactions, email, and even some VPN communications. Heartbleed not only infiltrated servers using OpenSSL but also network equipment from Cisco and Juniper Networks. Heartbleed can give hackers access to all kinds of data from a server's memory, including SSL digital keys, usernames and passwords, and users' email, instant messages, and files.
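The "programming error" the case study refers to is a missing length check in the handling of TLS heartbeat messages (RFC 6520: a one-byte type, a two-byte payload_length, the payload, and at least 16 bytes of padding). The handler trusted the length the peer declared instead of the length of the record that actually arrived, so it copied bytes lying beyond the record into its reply. The Python model below is an added example, not code from the textbook or from OpenSSL: it keeps the wire format but models process memory as a bytearray whose "secret" contents are constructed for the demonstration, and it places the flawed handler beside the checked one so the single missing comparison is visible.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 1 + 2        # type (1 byte) + payload_length (2 bytes)
MIN_PADDING = 16          # RFC 6520: at least 16 bytes of padding follow the payload
PADDING = b"\x00" * MIN_PADDING   # fixed padding for this model (real stacks send random bytes)


def build_heartbeat_request(payload: bytes, declared_len=None) -> bytes:
    """Encode a HeartbeatMessage. declared_len lets a test construct a message whose
    payload_length field claims more payload than is actually present."""
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, declared_len) + payload + PADDING


def respond_unchecked(buf: bytearray, record_len: int):
    """Model of the flawed handler: copies payload_length bytes starting right after
    the header and never compares payload_length with the record that was received,
    so the copy can run past record_len into whatever sits next to it in memory."""
    msg_type, payload_len = struct.unpack_from("!BH", buf, 0)
    if msg_type != HEARTBEAT_REQUEST:
        return None
    echoed = bytes(buf[HEADER_LEN:HEADER_LEN + payload_len])   # may read beyond record_len
    return struct.pack("!BH", HEARTBEAT_RESPONSE, len(echoed)) + echoed + PADDING


def respond_checked(buf: bytearray, record_len: int):
    """Hardened handler: every length is validated against the received record
    before a single byte is copied. That comparison is the substance of the fix."""
    if record_len < HEADER_LEN + MIN_PADDING:          # cannot even hold header + padding
        return None
    msg_type, payload_len = struct.unpack_from("!BH", buf, 0)
    if msg_type != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + payload_len + MIN_PADDING > record_len:   # declared payload does not fit
        return None
    echoed = bytes(buf[HEADER_LEN:HEADER_LEN + payload_len])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, len(echoed)) + echoed + PADDING


def parse_response_payload(resp: bytes) -> bytes:
    """Extract the echoed payload from a heartbeat response."""
    _, n = struct.unpack_from("!BH", resp, 0)
    return resp[HEADER_LEN:HEADER_LEN + n]


def demo_memory(declared_len=None):
    """Constructed process-memory model: the received record followed by unrelated
    data that happens to be adjacent. The 'secret' is invented for this example."""
    record = build_heartbeat_request(b"hi", declared_len)
    leftover = b"CONSTRUCTED-SECRET password=hunter2 session=abc123"
    return bytearray(record + leftover), len(record)


if __name__ == "__main__":
    buf, n = demo_memory()                       # honest request: both handlers echo b"hi"
    print(parse_response_payload(respond_checked(buf, n)))
    buf, n = demo_memory(declared_len=60)        # payload_length larger than the record
    print(respond_checked(buf, n))               # None: rejected before any copy
    print(parse_response_payload(respond_unchecked(buf, n)))  # adjacent memory leaks into the reply
```

The honest request is answered identically by both handlers; only the malformed one separates them, which is why a fuzz or regression test for this class of bug must send declared lengths that disagree with the record length.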

Attacks Using Heartbleed

Many attacks exploiting the Heartbleed bug have been reported. Consider these examples:

  • The Canada Revenue Agency (www.cra-arc.gc.ca) reported a theft of social insurance numbers belonging to 900 taxpayers. The agency stated that the attackers exploited the Heartbleed bug.
  • A parenting website in the United Kingdom, Mumsnet (www.mumsnet.com), had several user accounts hijacked, and its CEO was impersonated.
  • Interestingly, anti-malware researchers also exploited Heartbleed to access secret online forums used by cybercriminals.
  • Attackers used Heartbleed to steal security keys from Community Health Systems, Inc. (www.chs.net), the second-largest for-profit U.S. hospital chain.

Repairing Heartbleed

The Google security team created a code fix for Heartbleed. Even after organizations install the fix, however, they have to take further measures. The reason is that a system attacked via Heartbleed may remain at risk after the vulnerability itself has been repaired because encryption keys could have been accessed and copied. To regain confidentiality and authenticity, organizations must create new private key–public key pairs, and they have to revoke and replace all digital certificates linked to these pairs. In addition, they need to replace all compromised authentication material (e.g., passwords).
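The paragraph describes remediation as two separate steps: fix the code, then treat every key pair that was in a vulnerable server's memory as exposed and replace it along with its certificates. The script below is an added example, not part of the textbook, that applies that two-step test to a constructed host inventory. The OpenSSL release facts it encodes (1.0.1 through 1.0.1f and 1.0.2-beta1 affected, 1.0.1g the first fixed 1.0.1 release) are general knowledge not stated in the case study; the host names, versions and dates are made up.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Release facts (general OpenSSL history, not from the case study): 1.0.1 through 1.0.1f
# and the 1.0.2-beta1 pre-release carried the bug; 1.0.1g was the first fixed 1.0.1 release.
# Other branches (0.9.8, 1.0.0) never contained the heartbeat code in question.
FIXED_101_LETTER = "g"

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?$")


def is_vulnerable_version(version: str) -> bool:
    """True if the given OpenSSL version string still carries the Heartbleed bug."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    base = tuple(int(x) for x in m.group(1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if base == (1, 0, 1):
        return letter < FIXED_101_LETTER     # "" (plain 1.0.1) and "a".."f" are vulnerable
    if base == (1, 0, 2):
        return beta == "1"                   # only the 1.0.2-beta1 pre-release
    return False


@dataclass
class Host:
    name: str
    openssl_version: str          # version currently running
    cert_not_before: date         # issuance date of the deployed certificate
    patched_on: Optional[date]    # date OpenSSL was updated, None if it never was


UNPATCHED = "UNPATCHED"                # still exposed: fix the code first
KEYS_NOT_ROTATED = "KEYS_NOT_ROTATED"  # key pair predates the fix: regenerate, revoke, reissue


def remediation_findings(host: Host) -> List[str]:
    """Apply the case study's two-step test: is the bug fixed, and were the keys that
    could have been read while it was present replaced after the fix?"""
    if is_vulnerable_version(host.openssl_version):
        # Keys in the memory of a live-vulnerable server count as exposed regardless
        # of when the certificate was issued, so both steps remain outstanding.
        return [UNPATCHED, KEYS_NOT_ROTATED]
    if host.patched_on is not None and host.cert_not_before < host.patched_on:
        # Fixed, but the certificate (and therefore the private key) is older than
        # the patch: it was protecting a key that may have been copied.
        return [KEYS_NOT_ROTATED]
    return []


def report(hosts: List[Host]) -> dict:
    """Map each host name to its outstanding remediation steps."""
    return {h.name: remediation_findings(h) for h in hosts}


# Constructed inventory (hypothetical hosts, versions and dates)
SAMPLE_HOSTS = [
    Host("web-1", "1.0.1g", date(2013, 6, 1), date(2014, 4, 9)),   # patched, keys never rotated
    Host("web-2", "1.0.1g", date(2014, 4, 12), date(2014, 4, 9)),  # patched and reissued
    Host("vpn-1", "1.0.1f", date(2013, 1, 1), None),               # still vulnerable
    Host("legacy", "0.9.8y", date(2012, 9, 1), None),              # never affected
]

if __name__ == "__main__":
    for name, findings in report(SAMPLE_HOSTS).items():
        print(f"{name}: {', '.join(findings) or 'no action needed'}")
```

The certificate issuance date is a usable proxy for key age only where the organization reissues certificates with a fresh key pair; a certificate renewed with the same key would pass this check while the exposed key stays in service, so an inventory that records the key fingerprint before and after the patch gives a stronger answer.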

The Results

The Heartbleed flaw could persist for years in places such as networking software, home automation systems, and even critical industrial control systems, because these are updated only infrequently. It can even infect hardware such as cable boxes and Internet routers.

The Heartbleed bug highlights a fundamental weakness in overall Internet security. Much of this security is managed by four European computer programmers and a former military consultant in Maryland. Most of the 11-member team are volunteers, and only one works full time. Their budget is less than $1 million per year.

And the final word? As of June 2014, more than 300,000 TLS-enabled websites remained vulnerable to Heartbleed. And the problem continued. In April 2015, security firm Venafi (www.venafi.com) found that more than 1,200 of the Forbes Global 2000 companies had not taken the steps necessary to repair Heartbleed vulnerabilities in all their servers.

Sources: C. Cerrudo, “Why the Shellshock Bug Is Worse Than Heartbleed,” MIT Technology Review, September 30, 2014; B. Blevins, “Community Health Breach Shows Detecting Heartbleed Exploits a Struggle,” TechTarget, August 22, 2014; W. Ashford, “Heartbleed Bug Linked to U.S. Hospital Group Attack,” Computer Weekly, August 21, 2014; B. Blevins, “Heartbleed Scan Shows Majority of Global 2000 Still Vulnerable,” TechTarget, July 30, 2014; B. Blevins, “Successful Heartbleed Response Still Raises Important Questions,” TechTarget, July 11, 2014; F. Trotter, “Heartbleed Bodes Ill for Sensitive Health Data,” MIT Technology Review, April 22, 2014; J. Perlow, “Heartbleed's Lesson: Passwords Must Die,” ZDNet, April 11, 2014; E. Messmer, “Heartbleed Bug Hits at Heart of Many Cisco, Juniper Products,” Network World, April 10, 2014; M. Wood, “Flaw Calls for Altering Passwords, Experts Say,” The New York Times, April 9, 2014; “Three Questions About ‘Heartbleed’ Bug,” USA Today, April 9, 2014; S. Vaughan-Nichols, “How to Protect Yourself in Heartbleed's Aftershocks,” ZDNet, April 10, 2014; “The Under-Funded Project Keeping the Web Secure,” MIT Technology Review, April 9, 2014; N. Perlroth, “Experts Find a Door Ajar in an Internet Security Method Thought Safe,” The New York Times, April 9, 2014; H. Bray, “‘Heartbleed’ Internet Security Bug Is As Bad As It Sounds,” The Boston Globe, April 9, 2014; I. Paul, “The Critical, Widespread Heartbleed Bug and You: How to Keep Your Private Info Safe,” Network World, April 9, 2014; T. Simonite, “Many Devices Will Never Be Patched to Fix Heartbleed Bug,” MIT Technology Review, April 9, 2014; D. Talbot, “What Should You Do About Heartbleed? Excellent Question,” MIT Technology Review, April 9, 2014.

Questions

  1. What are two lessons we can learn from the Heartbleed bug?
  2. What actions should you personally take to combat the Heartbleed bug?
Answer #1

1. The two lessons we can learn from the Heartbleed bug are:

1. On the off chance that organizations that use OpenSSL don't refresh their rendition of the software, clients will, in any case, be defenseless. Upright destinations will address this promptly, though non-principled locales will never address it. Furthermore, there are numerous software items and sites that aren't influenced straightforwardly by any means.

2. Open Source transparency doesn't liken to trustworthiness. One of the guarantees of open source is that it is straightforward. Accepting that in light of the previously mentioned apparent transparency, it's totally without bugs or that it's inalienably progressively secure is a deception. Now and again it is, some of the time it isn't.

2. To combat the Heartbleed bug, we can take these actions:

1. Change your passwords on the entirety of your records. You may need to change your passwords again in half a month, since if a particular site isn't fixed, your new secret key will even now be defenseless until it is fixed.

2. If you don't as of now, utilize an encoded secret word manager. This is an application that can sit on your PC or advanced mobile phone (and many will synchronize between the two) and will keep the majority of your passwords in a scrambled structure, secured by a secret word. If somebody gains admittance to your PC or telephone, despite everything they can't get to your passwords since they are scrambled. Note that it is significant that you utilize a particular, remarkable secret key for your secret word guardian program. If you utilize a similar secret word for the program that you use for everything else, there is no reason for having the program.

3. Utilize extraordinary and one-of-a-kind passwords for each site. This is something that the secret phrase guardian program will enable you to do effectively. If it's not too much trouble, cease from utilizing your child's center name, pet's name, and so on, as these are the most effortless ones to figure for an extremely unsophisticated assailant.

4. Utilize double-factor confirmation at whatever point it is a choice. This means that when you attempt to get to an online website from another PC, or after a timeframe, the webpage will send an instant message to your phone that you have to enter to get to the website. The vast majority keep their wireless with them 95% of the time, so this isn't so awkward as it might sound. It fundamentally anticipates somebody who gains admittance to your secret phrase (by whatever means) from increasing free and full access voluntarily to your records, and it can go about as a notification alert on the off chance that somebody is attempting to get to one of your records without your insight.

5. Check with your most noteworthy hazard sites to check whether they were powerless. As such, call your banks and businesses to check whether they were helpless and on the off chance that they have fixed the powerlessness. If the client assistance rep doesn't have the foggiest idea, request to address a chief.
