Friday, April 11, 2014

Heartbleed bug gives Internet users massive headache

This week Microsoft ended its support of Windows XP meaning that that up to 25% of Windows users in the world could be vulnerable to increased attacks by hackers. While serious this was nothing compared to the reports that OpenSSL, which is meant to encrypt communications between a user's computer and a web server, had bugs.

Discovery of bug

The bug was independently discovered by a team of security engineers at Codenomicon and Neel Mehta of Google Security, who first reported it to the OpenSSL team. Codenomicon team found the Heartbleed bug while improving the SafeGuard feature in Codenomicon's Defensics security testing tools and reported this bug to the NCSC-FI for vulnerability coordination and reporting to OpenSSL team.

Given the name Heartbleed by the Codenomicon team, it was deemed "a serious vulnerability in the popular OpenSSL cryptographic software library".

This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet, the team said. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs), the team added, on a special website set up following its discovery.

Catastrophic

Dubbed "the biggest security issues that's faced the Internet to date" by some commentators, others described it as even more serious. Bruce Schneier, an American cryptographer, computer security and privacy specialist, said the discovery was "catastrophic" on his blog.

The bug is not only serious in relation to security but also serves as a wake-up call to how security and passwords are handled both by users and the language of the Internet.

Users have been constantly encouraged to use both strong passwords and individual passwords for every website. Furthermore individuals are encouraged to change passwords frequently. However, even those who might have followed such advice would still have been vulnerable to the so-called Heartbleed bug since it had remained undiscovered for at least two years. This would have made it possible for any group or individual with knowledge of its existence to harvest information from users of websites where OpenSSL was employed.

NSA & espionage

In fact some have suggested that this may have been behind the NSA's supposed ability to monitor individuals' Google or Facebook accounts. Although the NSA could have used the Heartbleed vulnerability to obtain usernames and passwords, as well as so-called session cookies to access online accounts, this would have only allowed them to hijack specific accounts whose data they obtained. For the NSA and other spies, the real value in the vulnerability lies in the private keys used for SSL that it may allow attackers to obtain [Wired / EFF].

Cracking SSL to decrypt Internet traffic has long been on the NSA's wish list and according to the Guardian, in an article published in September 2013, the NSA and Britain's GCHQ had "successfully cracked" much of the online encryption Internet users rely on to secure email and other sensitive transactions and data.

Schneier is one of many who have questioned how such a major issue could have been included in the OpenSSL technology, and suggested that, within the context of the PRISM scandal, intelligence agencies may have played a part. "At this point, the odds are close to one that every target has had its private keys extracted by multiple intelligence agencies," he said.

"The real question is whether or not someone deliberately inserted this bug into OpenSSL and has had two years of unfettered access to everything."

Some of the concerns as regards NSA snooping pre-dates the existence of Heartbleed. Nonetheless, the discovery of Heartbleed raises the issue concerning Internet security and privacy once again.

Reporting & advice

Following its discovery on Friday 4th April, Google immediately patched the gaping security hole, as did other tech companies that were made aware of it before it was finally made public on Monday 7th. Even then news leaked out slowly and with much confusion over what people should do. On Tuesday 8th April the BBC reported the vulnerability but gave no clear advice as to what users might do to remain safe online. Indeed even the BBC later reported the whole issue had brought nothing but confusion. 

Other websites were more forthright and suggested Internet users change all their passwords. Time ran with just such a headline and Tumblr, the photosharing website now owned by Yahoo, suggested users take the day off and revise their password list.

"This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage, and banking, which may have been compromised by this bug," Tumblr wrote on an online post.

Bad advice

Whilst such suggestions seemed good advice on the face of it, following through could have left some people even more exposed than they were already. Should a website or server not made appropriate changes and updated certificates and patches, Internet users may, by changing their password pass this on to third parties. Indeed given the vulnerability was now public there would be a far stronger chance that vulnerable websites would be targeted by hackers looking for such data.

In fact the best advice was in fact to sit back a little and wait. Users were correctly advised by some news outlets to check to see whether a website was vulnerable, and whether it had carried out the necessary updates. Only then should users change passwords.

The Heartbleed website itself helped by providing a tool in order to identify affected sites.

Other independent technology websites helped out by providing lists of affected sites and others which were not. Mashable provided a useful list and some advice alongside, while Github also published an extensive list of vulnerable websites [as of 8th April]. Mainstream media reports were however scant on detail. For example ABC cited only a handful of well known tech companies such as Google, Facebook and Yahoo.

The general advice now was that people should change passwords, with the caveat that the site be checked to see that it had patched the security holes. On Wednesday 8th April the BBC reported that both "tech firms" and "security advisors" were urging people to change all their passwords, advice that was repeated on other news outlets throughout the week [Daily Mail].

But other reports in other media suggested the opposite. On the same day the Guardian wrote that "security experts" were warning people not to update passwords.

Confused reports

But what of the tech firms, banks and websites themselves? It appeared they were just as clueless, confused or simply remained silent over the whole issue.

Few sent emails or posted messages on their websites concerning the bug and as to what their users might do.

Indeed given the possibility that even banks might have been affected there might well have been a sense of panic from many uses of online banking systems. Yet banks were either evasive or non committal.

When contacted by the Daily Mail on the 9th April many of Britain's major banks would not comment on whether passwords should be changed. The HSBC said they were 'monitoring' the situation and a Lloyds spokesman said they would not comment on security issues.

Yet in an article published in the Daily Mirror it reported that Lloyds, NatWest and the Royal Bank of Scotland had said their websites were not vulnerable to attack. On the other side of the Atlantic there was just as much confusion. CBC reported that banks weren't at risk but CNN said they could not verify whether American Express and a number of other financial companies were vulnerable. By Thursday the Telegraph provided some clarification in its list which showed UK banks were unaffected

Meanwhile no major banking organisation made any public statement to their users through their websites, email or letter.

In truth, even if vulnerable to the OpenSSL bug most banks have a second layer of security such as the use of special USB sticks, electronic keypads or interfaces within pages which evade keylogging viruses. Nonetheless the absence of information has left some people who use the Internet confused and worried.

Outside of banking there are things that may also have helped prevent third parties accessing data such as 2-step-verification as used by Google and others. Essentially this requires a mobile phone to which special codes are sent in order to log-in at an unfamiliar location or computer.

No-one safe

Such methods can certainly help to protect users but as Reuters reported on Wednesday there is little most people can do to protect themselves from such bugs.

With OpenSSL used on about two-thirds of all web servers there is much patching to be done. To look at it another way it affects more than 60% of the world's websites and some half a million servers. This will be difficult for the millions of websites and companies involved [PCWorld]. In the meantime hackers will be attempting to exploit the remaining open holes.

And with the cat out of the bag, and with many sites still unpatched it is open season for hackers and phishers. Kurt Baumgartner, a researcher with security software maker Kaspersky Lab, told Reuters his firm uncovered evidence Monday that a few hacking groups believed to be involved in state-sponsored cyber espionage were running scans shortly after news of the bug first surfaced on Monday.

By Tuesday, Kaspersky had identified scans coming from "tens" of actors, and the number increased on Wednesday after Rapid7 released a free tool for conducting such scans. "The problem is insidious," Baumgartner said. "Now it is amateur hour. Everybody is doing it."

The risks go further with Kaspersky Lab's Baumgartner saying that devices besides servers could be vulnerable to attacks because they run software programs with vulnerable OpenSSL code built into them.

Others affected

They include versions of Cisco Systems Inc's AnyConnect for iOS and Desktop Collaboration, Tor, OpenVPN and Viscosity from Spark Labs. The developers of those programs should have either updated their software or published directions for users on how to mitigate potential attacks.

Indeed many have already addressed the issue though many users of such services did not get an update emailed to them [VPNspblog]. Instead updates were often posted on social media such as one by 12VPN on Twitter which stated that their webservers were patched and their VPN methods were not affected. As such many users may well have missed this important message.

Problems were further compounded when Cisco and Juniper revealed their server equipment was also affected by Heartbleed [WSJ]. And while the average user of Facebook of Google changed their passwords, the issues surrounding Cisco and Juniper equipment could be time consuming. According to Jaime Blasco, director of AlienVault Labs, part of AlienVault LLC, it will take longer to fix networking equipment and software because Cisco and Juniper will have to rely on customers applying the patches they push out. "It's more painful to update these kinds of devices," Blasco said. "You have to go one by one." [Business Week]

Juniper and Cisco equipment is widely used around the world including China where it has been employed in the so-called Great Firewall of China. It is unclear if China's censorship machine was or will be affected, but websites across China were in just as much as a panic as the rest of the world to patch up the security holes.

Hackers exploit bug

On Thursday both Xinhua and the People's Daily reported that major websites were "taking steps" to mitigate problems. The People's Daily also said there were signs that some hackers had already taken advantage of the flaw, but did not elaborate further. And according to Wang Minghua with the National Computer Network Emergency Response Technical Team Coordination Center, "a surge in such attacks could be expected soon". The US have also issued warnings saying hackers are already exploiting the bug [BBC]. 

All this was surely enough to give anyone potentially affected by Heartbleed a severe headache. The damage may turn out to be small, but as the Guardian this week discussed, there is a risk such flaws could reoccur in the future. With programmer Robin Seggelmann, who wrote the code for the part of OpenSSL that led to Heartbleed, saying it was an accident, the risk of a human error recurring is a sure bet [Mashable].

tvnewswatch, London, UK

No comments: