
Tuesday, April 8, 2014

Heartbleed Bug and The Day the Internet Shat Its Pants


If you have yet to hear or read about the Heartbleed bug, you probably will soon. And no, it has nothing to do with your health. Well!—not medically, anyways.

[Photo Source: Codenomicon]
As the news of this recent web security bug makes the rounds on television, news sites, and social media, it will be tempting to shut out all the doomsayers and the techno-babble. Unfortunately, we don't have that luxury. It does not help that all the tech talk can be confusing, especially for less-than-tech-savvy Joe Schmos such as myself.

The doom and gloom brigade, however, can justly say that this has the potential to bring internet security to its knees, as internet commerce and online banking, in addition to popular social media sites, are vulnerable to attacks. Worse still, the solution is not as simple as changing your password.


So, what happened anyways?

The discovery of a widespread security bug affecting sites running SSL encryption was announced on Monday, 07 April 2014. Dubbed the Heartbleed bug, the vulnerability was discovered by software security firm Codenomicon and by Neel Mehta at Google Security, and is "located in the implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension [1]" of the popular open source OpenSSL cryptographic library.

According to LastPass.com, the bug "causes a vulnerability in the OpenSSL cryptographic library, which is used by roughly two-thirds of all websites on the Internet." 


So, what does this mean?

We are all affected by this revelation. Some half a million popular, well-trusted websites have been deemed vulnerable; as of 16:00 UTC 08 April 2014, these include Yahoo [2][3][4], BarclaysCardUs.com [2], and NASA [5]. (Yes! Some of our favorite porn sites are affected, too.)



According to Codenomicon's Heartbleed.com website, the vulnerability:
…allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

The Heartbleed FAQ section states that sites using OpenSSL versions 1.0.1 through 1.0.1f (inclusive) are affected by the bug, which "was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012."

Version 1.0.1g, which was released on 07 April 2014, fixes the bug. The website lists the OpenSSL 1.0.0 and 0.9.8 branches as "NOT vulnerable."
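For anyone running their own server, the version ranges above can be turned into a quick local check. The script below is an added example, not code from Heartbleed.com or OpenSSL: it parses the banner printed by `openssl version` and classifies it using exactly the ranges stated above (1.0.1 through 1.0.1f affected, 1.0.1g fixed, 1.0.0 and 0.9.8 unaffected). The sample banners are constructed.

```python
import re
import subprocess

# Affected range as stated on Heartbleed.com: 1.0.1 through 1.0.1f inclusive.
# 1.0.1g fixes the bug; the 1.0.0 and 0.9.8 branches were never affected.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner):
    """Parse an `openssl version` banner such as 'OpenSSL 1.0.1e 11 Feb 2013'
    into (major, minor, fix, patch_letter)."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version banner: {banner!r}")
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    return major, minor, fix, m.group(4)


def is_vulnerable_version(banner):
    """True if the upstream version string falls in the affected range."""
    major, minor, fix, patch = parse_version(banner)
    if (major, minor, fix) != (1, 0, 1):
        return False  # 1.0.0, 0.9.8 and later branches are outside the range
    # Patch letters sort alphabetically: "" (plain 1.0.1), "a" ... "f" are
    # vulnerable; "g" and anything later carries the fix.
    return patch <= "f"


def describe(banner):
    """Human-readable verdict for a banner.

    Caveat: Linux distributions (Debian, Red Hat and others) often backport
    the fix without changing the upstream version letter, so a "vulnerable"
    verdict here means "check your vendor's advisory", not "confirmed".
    """
    verdict = "vulnerable range" if is_vulnerable_version(banner) else "not in affected range"
    return f"{banner.strip()}: {verdict}"


def local_openssl_status():
    """Run the local `openssl version` binary and classify its banner."""
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=True).stdout
    return describe(out)


if __name__ == "__main__":
    # Constructed sample banners, then the machine this runs on.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014"):
        print(describe(sample))
    print(local_openssl_status())
```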

Not all sites are affected, of course. Many websites do not use SSL. Many others use unaffected versions of OpenSSL or have since updated their encryption. You may even have noticed site outages throughout the day as everyone continues to scramble to fix their websites. In fact, several websites have already completed their upgrades.

Jamieson Becker has this to say on Twitter:


So, what can you do to protect yourselves?

Mashable lists the following three things you can do to protect yourself:
  • Wait for an official announcement from any secure website or service that you normally use regarding a security update.
  • After you've confirmed that the site or service has installed a security update, change your passwords.
  • For at least the next week, keep an eye on any of your sensitive online accounts (banking, webmail) for suspicious activity.
LastPass.com provides a Heartbleed Checker. Enter the URL for your website or for the website you frequent and it will check the vulnerability of the site's SSL certificate.

Github.com provides several running lists of websites and their vulnerability statuses. The two lists I cited above were compiled by users Donnie Berkholz (dberkholz) and Mustafa Al-Bassam (masualbas). Al-Bassam's list also includes a listing of sites that are not vulnerable.

Stay tuned to your news feeds, as this is still a developing story. Also, be on the lookout for announcements from the secure websites you use. They will be letting everyone know when their SSL encryption has been updated.

Most importantly, visit Heartbleed.com and read up on the issue. The FAQ can be somewhat heavy at times with the technobabble but, overall, it is a pretty comprehensive resource. Remember: knowing is half the battle.