What is Heartbleed?

Recent coverage of the Heartbleed vulnerability in OpenSSL varies in how useful the information presented is. Some articles skim over the actual flaw and do not go into much detail about what is involved. The Heartbleed vulnerability is NOT a virus. It is a flaw in software running on some website servers. This software’s purpose is to ensure that the connection between the server and your computer is secure. This type of connection is usually indicated in your web browser (Internet Explorer, Firefox, Chrome etc.) by https:// and a padlock or similar icon in your browser’s address bar. The affected software is OpenSSL, an open source package used by 2/3 of the internet servers that provide secure connections. The flaw has been present in OpenSSL since early 2012 but was only recently discovered by researchers from Codenomicon and Google. Only versions 1.0.1 through 1.0.1f of OpenSSL are affected. Some servers are not affected by the flaw, because they are either running a different version of OpenSSL or another encryption package to secure the connection. There is no easy, foolproof way for the end user to determine which version a website is using.

The amount of data that is retrievable in one session is up to 64KB and is composed of whatever is currently in the web server’s memory. This could be random garbage or indeed login information containing the username and password of a particular user. It could also contain the secret encryption key that the server uses to create a secure connection between the server and the client’s browser. This process can be repeated over and over. Since the information being returned is random in nature, a hacker cannot specifically request information on a particular account.
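The flaw behind this is a missing bounds check on the TLS heartbeat message. As an added illustration (not code from the original post or from OpenSSL), this Python parser of an RFC 6520 heartbeat body shows the check that the patched versions apply: the sender’s claimed payload length must fit inside the bytes actually received, otherwise the message is discarded. The sample messages are constructed for the example, not captured traffic.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of random padding


def parse_heartbeat(record: bytes):
    """Parse a TLS heartbeat message body (RFC 6520).

    Returns (msg_type, payload) or None if the message is malformed.
    The critical check is that the sender's claimed payload_length
    actually fits inside the bytes received; unpatched OpenSSL trusted
    the claimed length and copied memory from beyond the record.
    """
    if len(record) < 1 + 2 + MIN_PADDING:
        return None  # too short to hold type, length and padding
    msg_type = record[0]
    (claimed_len,) = struct.unpack("!H", record[1:3])
    # The Heartbleed fix: bounds-check claimed_len against the record size.
    if 1 + 2 + claimed_len + MIN_PADDING > len(record):
        return None  # silently discard, as the patched code does
    payload = record[3:3 + claimed_len]
    return msg_type, payload


def build_heartbeat_response(request: bytes, padding: bytes = b"\x00" * MIN_PADDING):
    """Echo the request payload back; returns None for a malformed request."""
    parsed = parse_heartbeat(request)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    payload = parsed[1]
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", len(payload)) + payload + padding


# Constructed sample messages (not captured traffic):
# a well-formed request carrying a 5-byte payload and 16 bytes of padding
GOOD_REQUEST = bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 5) + b"hello" + b"\x00" * 16
# a malformed request whose length field claims 65535 bytes but carries only 5
BAD_REQUEST = bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 65535) + b"hello" + b"\x00" * 16
```

Without the bounds check the response would have been built from 65535 bytes starting at the payload, which is exactly the memory disclosure described above.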

Some news stories also mention that rogue websites could pose as legitimate websites using the captured secret encryption keys and trick you into logging in with your user information. This man-in-the-middle attack would require them to intercept the communications between you and the actual website. Another means would be to send out phishing emails en masse to try to trick you into logging into these rogue websites.

What you can do

Some news stories say to change all of your passwords right away. This is not going to help if an affected website has yet to apply the OpenSSL patch and reissue its security certs. Without the patch in place, your new password could still be sniffed by a hacker.

The lists of affected websites presented in some news stories and on some websites are, to say the least, vague. One website reported that Microsoft was affected but gave no mention of which Microsoft service was affected. Another website indicated that an official from Microsoft said that their servers were not affected. Dispersing vague information about which websites are affected contributes to the FUD regarding this flaw.

The onus is on services whose OpenSSL was affected but has since been patched and whose security certs have been reissued. These services should alert their end users and suggest that they change their password. Most end users applaud services that are up front with them when it comes to security issues and alert them when a problem arises. Sweeping it under the rug and not alerting end users to issues does not go over well.

There has not been any evidence that this bug was exploited by hackers before the bug’s existence was announced to the general public on April 7, 2014. As the bug only retrieves information currently in the web server’s memory, if you did not log in to an affected website between April 7th and the time that the web server’s OpenSSL was patched, you should be safe.

On April 14, 2014 Revenue Canada announced that, during a 6 hour period before the CRA disabled public access to logins on April 8th,

“Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability.”

I suspect that perhaps login credentials to an account were obtained by a hacker and that information allowed them to gain access to 900 SIN #s. This type of access would also allow the person to remove, i.e. delete, these SIN #s from the CRA system. The Heartbleed bug simply allows one to capture random information that is currently in the ever-changing memory of the web server. I find it hard to believe that a hacker was able to repeatedly request 64KB chunks of server memory and find that many SIN #s in the results. This also would not allow the person or persons in question to remove the information off of the CRA system.

Why these types of logins are not using 2 factor authentication is beyond me. Two factor authentication requires a username and password along with entering an always-changing key that changes every 30 seconds or so. These keys are usually generated by a separate key fob or other software. Without this information, logging in to the account is not possible.


Additional Reading

How To Geek article on Heartbleed