Monday, 21 April 2014

Heartbleed Will Linger "For Many Months to Come"


It’s been nearly two weeks since the Heartbleed bug was made public -- two weeks of massive coverage from news outlets across the globe as the security of online services used my much of the world was called into question. 
Now things are beginning to settle down. Most of the major players have announced that they’ve shored up the vulnerability that left them open to leaking sensitive data. The first arrest has been made in connection with Heartbleed, a 19-year-old London, Ont. man accused of the theft of 900 social insurance numbers from the Canada Revenue Agency’s Website, and users across the world have received a slew of “please reset your password” emails.
Heartbleed
But there’s a long way to go, and it may be awhile before one of the biggest bugs in recent memory is truly “fixed.”
“I think things are going to be lingering for many months to come, just because that’s the nature of the way patches get implemented and holes get fixed,” said Marc Gaffan, co-founder of Incapsula. “I would imagine if we did a survey three or six months from today we’d find astonishing results in terms of how many organizations have not patched [the Heartbleed OpenSSL vulnerability].”
The big players have patched things up by now, but OpenSSL is widely used, the figure most often being quoted a massive two-thirds of web servers.
“As you start moving away from that nucleus, you get more and more organizations that are less up to date, less able, less willing to patch their systems,” Gaffan said, describing the way a typical vulnerability is addressed. Heartbleed is certainly major, but that isn’t going to change the nature of the way people react.
And we haven’t even touched on the billions of users, many who may not follow through on their end due to ignorance or laziness or simply because they just don’t care. That’s exactly what Justin Balthrop argued on Medium when discussing a huge problem that’s at the core of this Heartbleed mess -- passwords:
I have 268 passwords on 268 different websites. At least that’s what my password manager says. I actually stopped saving new passwords a while back, so the real number of passwords I should change now that Heartbleed has been revealed is even higher than that. How many of those passwords do you think I’m going to change? It took me 10 minutes just to find the change password form for my bank! What about the average computer user who uses the same password for every website and doesn’t understand the details of the exploit? How many passwords will they change?

Not very many.

A Look at Heartbleed's Popularity

We thought it would be interesting to use our HackSurfer data to conduct a little sociological experiment. Which of the two major cybersecurity moments of the past five months is garnering more discussion: the Heartbleed bug or the Target breach?

Target v Heartbleed.png
As you can see, they both took up a massive chunk of the discussion, but Heartbleed is even more “popular” than Target over it’s respective period. This may reflect how far reaching the vulnerability is, which is hardly surprising given the amount of posts and articles we’ve seen here at HackSurfer regarding the bug.
“I don’t think that this has been overplayed [in the media],” Gaffan said. “Given the ubiquitousness of OpenSSL plus the potential damage that this vulnerability can create, it does create a pretty big hole out there.”

Who Left the Curtains Open?

So what is Heartbleed?
It’s a small bug that’s been in existence for the past two years and affects many websites that collect personal and financial information. That little padlock icon you see along with “https” on most browsers is meant to assure users that everything is safe. Heartbleed discovered that’s not necessarily been the case. 
Michael Hamlin, an X-Force security architect with IBM, explained the problem with Heartbleed using the typical household analogy on a recent IBM podcast.
Imagine all of your usernames, passwords and other data is written on a big stack of paper sitting on your desk.
“They’re in your house. They’re locked up. They’re secure,” Hamlin said. “We think about SSL that way. We trust the servers' encrypting our sessions, and we provide our usernames and passwords. They’re encrypted. But if a burglar walks up and looks through the window and there's a stack of papers on the desk now, it can read the first page, whatever is exposed on the top page, and that's kind of how this vulnerability works. It was like not drawing the curtains shut. It left that chunk of memory open to anybody that requested it.”
Perhaps most importantly, they discovered that private encryption keys could be stolen through the vulnerability.
As Codenomicon, the security firm that discovered the flaw (Google engineer Neel Mehta discovered it independently as well), described, “These are the crown jewels, the encryption keys themselves. Leaked secret keys allow the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will.”

What Should I Do? What Will Hackers Do?

There are three main things a website owner should do, whether they’re tiny or a huge SAAS platform, said Gaffan:
  1. Patch your infrastructure; make sure that you’ve implemented the fix to the Heartbleed vulnerability.
  2. Reissue certificates with a new private key, just in case it was stolen when the vulnerability existed.
  3. Websites that run with persistent cookies (if you’re constantly logged in to social media for example) leave users vulnerable if that cookie information is stolen; log out of all them and log back in; “Given that the vulnerability is now fixed with most of the bigger providers, that means that those credentials will be no longer snatchable.”
One problem: many smaller businesses still operate with the mentality that they’re a small target and therefore can operate without being on cybercriminals’ radar.
“What people don’t actually realize is that in this era of automation, smaller and smaller websites are being hacked today just because they’re out there on the internet,” Gaffan said. “There are scanners that are available already today that can tell you if a website is vulnerable to Heartbleed or not. If I’m a bad guy, what I would do is start scanning a couple of million websites each day and compiling a list of who I need to go after. Once I’d compiled that list, I’d build another automated tool that all it does is hit Heartbleed vulnerable servers and try to pull out usernames and passwords. That’s something that is going on all the time with other vulnerabilities.”
If you’re a user, how do you know the websites you’re visiting are safe? There’s several options. Use a tool just like criminals are: scanners. Many companies are offering the ability to check for Heartbleed (likeNorton, for example). There are dozens of apps springing up, and there’s even browser extensions that can make confirming a site is safe simple and easy.
Except, there’s one big problem with all of that. As The Guardian reported last week, researchers are claiming that most popular Heartbleed detection tools are flawed:
A deluge of tools then hit the internet promising to help people determine whether the web services they were using or hosting were affected. But 95% of the most popular ones are not reliable, according to London-based security consultancy and penetration testing firm Hut3.

“A lot of companies out there will be saying they've run the free web tool and they're fine, when they're not,” Hut3’s Edd Hardy told the Guardian. “There's absolute panic. We're getting calls late at night going 'can you test everything'.”
Unfortunately, that means you may have to make sure the tool you’re using to stay safe is providing safe and accurate results.

No comments:

Post a Comment