The Heartbleed Bug – A Primer


Making headlines since it became public on April 8, the Heartbleed bug is a major security problem that affected half a million servers and 66% of the Internet. Just what is it and why does it matter so much?

Why all the fuss?

Heartbleed is a bug in software used by web servers to handle secure communications which went undiscovered for two years. Personal information and the transactions of anyone accessing these servers could have been open to spying and eavesdropping. This covers websites, email, Instant Messaging (IM), and in some cases, Virtual Private Networks (VPN). Hackers taking advantage of this fault would potentially have access to your username, password, messages and any online documents.

Where it began

The Heartbeat Extension provides a way to test and keep alive secure network communications without the need to renegotiate the connection each time. It is a proposed global standard, published in February 2012.

In 2011, the Heartbeat Extension was added to OpenSSL. OpenSSL is a project founded in 1998 to provide a free set of encryption tools for software used on the Internet. Nowadays OpenSSL is part of the Linux-based systems that run millions of web servers around the world.

How it works

How the Heartbleed Bug Works (xkcd.com)

This cartoon by xkcd explains the problem in a brilliantly simple fashion.

In computer science, a heartbeat is a periodic signal generated by hardware or software to indicate normal operation or to synchronize other parts of a system. Usually a heartbeat is sent between machines at a regular interval of the order of seconds.

OpenSSL’s Heartbeat Extension contained a memory handling bug that could be used to reveal up to 64 kilobytes of the application’s memory with every heartbeat. By reading the memory of the web server, attackers could access sensitive data, including the server’s private key. This could then enable them to decrypt earlier eavesdropped communications and launch a ‘man-in-the-middle’ attack against any future communications. The vulnerability might also reveal unencrypted parts of other users’ transactions, including passwords, which could allow hackers to assume the identity of another user of the same service.
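To make the "memory handling bug" concrete, here is an added example (not OpenSSL's code) of how a heartbeat record should be processed: the record carries a claimed payload length, and the fix that closed Heartbleed was to check that claim against the number of bytes actually received before echoing the payload back. The message layout follows RFC 6520; the function names and sample bytes are constructed for this demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* TLS Heartbeat record (RFC 6520): type (1 byte), payload_length
 * (2 bytes, big-endian), payload, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Build a heartbeat response from a received record.
 * rec/rec_len describe the bytes actually received on the wire.
 * Returns the number of response bytes written, or -1 if the record
 * is rejected. Vulnerable OpenSSL versions trusted payload_length and
 * copied that many bytes from memory without comparing it to rec_len;
 * the comparison below is the check that was missing. */
int hb_build_response(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING)   /* too short to be a heartbeat */
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* Claimed payload plus header and padding must fit in what arrived. */
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return -1;
    if (1 + 2 + payload + HB_PADDING > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);        /* echo only bytes that exist */
    memset(out + 3 + payload, 0, HB_PADDING); /* real TLS uses random padding */
    return (int)(1 + 2 + payload + HB_PADDING);
}

int main(void)
{
    /* Constructed records: one honest 5-byte payload, one claiming 65535. */
    uint8_t good[1 + 2 + 5 + HB_PADDING] = { HB_REQUEST, 0x00, 0x05, 'h','e','l','l','o' };
    uint8_t bad[1 + 2 + 5 + HB_PADDING]  = { HB_REQUEST, 0xFF, 0xFF, 'h','e','l','l','o' };
    uint8_t out[64];
    printf("well-formed request: %d bytes\n", hb_build_response(good, sizeof good, out, sizeof out));
    printf("oversized length claim: %d\n", hb_build_response(bad, sizeof bad, out, sizeof out));
    return 0;
}
```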

Discovery, publicity

Neel Mehta, a member of Google’s security team, first officially reported the problem on April 1, 2014.

Finnish IT security firm Codenomicon reported the bug independently of Google on April 3, 2014, naming it ‘Heartbleed’ and creating the eye-catching logo and a polished website in order to publicize the bug.

For a detailed breakdown of events see the Sydney Morning Herald’s “Heartbleed disclosure timeline: who knew what and when”.

Codenomicon’s ‘branding’ of Heartbleed was a major factor in its gaining huge media exposure, and in turn, public awareness over such a short period of time. It is an interesting side story that shows how tech and marketing skills converged to help raise awareness of a major IT security problem.

Just how bad is it?

During the first days of panic in early April, it was estimated that half a million servers were running vulnerable versions of OpenSSL, accounting for around 66% of the entire Internet.

Some proclaimed the bug one of the worst security catastrophes in the history of the web.

With knowledge of the bug and the means to exploit it out in the open, it was only a matter of time before hackers began trying their hand at attacking secure web services.

Who is at risk?

Some of the biggest players in the web were initially vulnerable – Google, Facebook, Yahoo, Amazon Web Services, Dropbox, YouTube, Pinterest, Tumblr… the list goes on.

Interestingly, services not affected from the start include those run by Microsoft, Apple, Amazon stores, eBay and LinkedIn, none of which use OpenSSL.

Mobile apps may also be at risk, in scenarios where in-app purchases connect to a vulnerable server, for example.

Not restricted to servers, Heartbleed can also be a client-side vulnerability, meaning that a malicious server could read data from the memory of a device if it uses OpenSSL. Google has confirmed that around 50 million devices running Android version 4.1.1 (Jelly Bean) are at risk, a fault which remains unpatched at time of writing.

The bug was also found and later patched in wireless routers such as Apple’s AirPort base stations, Cisco and Juniper enterprise equipment and numerous VMware products.

Change passwords

The first security measure the average user can take is to change their passwords for all the secure web services they use. Time magazine put together a handy list of all the passwords you should be changing.

Stuck for ideas? Refer to our earlier bulletin for advice on creating a strong password.

Fixed it!

A patch that fixed the Heartbleed bug was completed by Google on March 21, prior to its reporting, and released by the OpenSSL Project on April 7.

Major Linux distributions used on servers were quickly updated with fixes for Heartbleed, including Red Hat Enterprise Linux (RHEL) and its derivatives such as CentOS, and Debian and its derivatives like Ubuntu.

The ensuing worldwide rush to fix Heartbleed is said to have slowed down browsing speeds on the web.

All the major web services listed above are no longer at risk. Due to the scale of the scare, by April 17, every one of the world’s top 1,000 websites had been patched.

For reference, Mashable is maintaining a huge list of affected and unaffected services.

You can also go to this handy website to check if the services you use are still vulnerable to Heartbleed.

Questioning open source

The existence of Heartbleed adds fuel to the never-ending debate about open source versus proprietary software. Shouldn’t many eyes on the code make for fewer errors? How did the vulnerability lie dormant for two years?

Robin Seggelmann, the programmer whose code in OpenSSL was responsible for the bug, puts it down to good old human error.

For more thoughts on these issues see Datamotion’s “Does Heartbleed Disprove ‘Open Source is Safer’?”

Known hacks

The following attacks have made use of Heartbleed to infiltrate internet services –

Positive outcomes

As a direct result of Heartbleed, a roster of IT giants including IBM, Intel, Microsoft, Google and Facebook has pledged millions of dollars to the research and development of OpenSSL and other open source software.

In a separate endeavor, LibreSSL, a new fork of OpenSSL, has been created to produce an improved, cleaner version of the software.

About us

METHOD IT is a boutique IT solutions provider servicing international businesses in the Asia-Pacific region from our offices in Hong Kong and Tokyo. We excel in assuring that companies of all sizes stay on top of their IT.

If you have any concerns regarding the set up or maintenance of your organization’s IT, we offer comprehensive IT Management solutions including audits and security checks, and Admin & Support solutions with a range of support packages for everyone from small startups to large enterprises. Find out more about us or contact us now for a free quote.