In the spring of 2014, the internet was rocked by what security researchers are calling a “catastrophically bad” bug. Known by the dramatic name Heartbleed, the bug left OpenSSL, the widely used open source cryptographic library that implements SSL/TLS for a large share of the web’s servers, vulnerable to attacks that could put servers’ private encryption keys into the hands of attackers. Major sites like Yahoo, Imgur, Flickr, LastPass, and countless others were left vulnerable, and, worst of all, the bug had been in the code for more than two years. In the immediate aftermath, admins are scrambling to protect their sites while more details on the bug come out, and the whole affair raises questions about the fragile state of security on the web. We’ll be tracking all that news and more right here.
New Heartbleed attack hits Android devices and routers over Wi-Fi


Seven weeks after the bug put the web on high alert, Heartbleed is still causing problems. A new report from Portuguese security researcher Luis Grangeia describes how the same vulnerability can be exploited over Wi-Fi, without any connection to the open internet, to enable new kinds of attacks.
It’s still unclear how many devices are vulnerable, but the damage is likely to be much more contained than Heartbleed on the web. The most exposed targets are wireless networks that use EAP (802.1X) authentication, where each user signs in with an individual login and password, a setup commonly found in enterprise wireless LANs. EAP methods such as EAP-TLS, PEAP and TTLS run a TLS handshake inside the Wi-Fi association, and both ends of that handshake are typically built on OpenSSL, so the attack works in either direction: a rogue access point can bleed memory from a connecting client (which is where the Android devices in the headline come in), and a rogue client can bleed memory from the access point or the authentication server behind it. In those cases, an attacker could use Heartbleed to pull credentials or a private key from the router or authentication server, effectively bypassing the network’s authentication. Grangeia says he hasn’t done enough testing to estimate how many of those networks are running vulnerable configurations. More importantly, the attack can only target devices within Wi-Fi range, seriously limiting the potential targets. “This particular variant of the attack might be slower to close,” Grangeia says, “But it should not be nearly as widespread as the original bug, since the universe of vulnerable devices is lower.”
More than 300,000 servers are still vulnerable to Heartbleed


One month after the critical Heartbleed vulnerability was first revealed, there are still more than 300,000 servers vulnerable to the bug, according to security researcher Robert David Graham. Graham arrived at the number through a global internet scan, which found a full 1.5 million servers that still support the TLS “heartbeat” extension in which the bug lives, and exactly 318,239 systems that are still vulnerable. The number counts only confirmed cases, and there may well be other systems that escaped Graham’s accounting, either because they blocked his scanner or because of unorthodox OpenSSL setups.
It’s a troubling number, given how available Heartbleed fixes are and how damaging the bug can be once exploited. Now that the bug has been revealed, it’s also a fairly simple attack to carry out: a single malformed heartbeat request returns up to 64 KB of the server’s memory, and an attacker can simply keep asking. Major services like Google patched their servers almost immediately, but this scan suggests that bad actors could still do plenty of damage against smaller and less technically adept services. Once a vulnerable server is located, an attacker could use Heartbleed to steal private keys, read passwords and session cookies out of the server’s memory, or hijack a session entirely.
Just two men are tasked with taking care of OpenSSL


OpenSSL is a key security backbone for untold thousands of websites, the library that makes sure strangers can’t see what you’re doing. But as the Heartbleed bug has revealed, this essential tool is in dire need of support; the hodgepodge team in charge of upkeep for the open source library is severely understaffed and underpaid. BuzzFeed has published a wonderful feature story on the two men who have been primarily responsible for OpenSSL for more than a decade, and it provides a look into just how a simple flaw like Heartbleed could have made it into the code. Thankfully, if one good thing has come out of this massive security failure, it’s that OpenSSL may get some of the attention that it needs: there are already efforts to secure more funding for the project, and BuzzFeed reports that the team plans on bringing in a second full-time developer soon.
Google, Microsoft and Facebook launch $3.6 million project to stop the next Heartbleed


The sudden chaos of the Heartbleed bug drove home just how much of the web relies on OpenSSL software, and just how little was being spent to maintain it. But in the aftermath, some of the biggest players in tech are coming together to change that, and hopefully spot the next Heartbleed before it can wreak quite as much havoc.
The new project is called the Core Infrastructure Initiative, formed by the Linux Foundation and devoted to plowing money into the critical software infrastructure that needs it. Executive director Jim Zemlin says that after Heartbleed, it was clear something needed to change. “After we’re done updating our software and swapping our certificates, what can we learn? What can be done differently,” he says. “Obviously, in retrospect, I wish we had done this a long time ago.”
Healthcare.gov users asked to reset passwords following Heartbleed bug


Officials are requesting that Healthcare.gov users reset their passwords after a continuing internal review by the Department of Homeland Security flagged the site as possibly having been vulnerable to a Heartbleed exploit. The move to reset passwords is being taken “out of an abundance of caution,” according to a notice published on the site, which serves as a portal for the health insurance exchanges set up under Obamacare. In addition, the note says that “there’s no indication” that any information was revealed through Heartbleed.
Critics of the Affordable Care Act may seize the opportunity to attack the much-maligned Healthcare.gov website, which was plagued by bugs during its launch last year. Those site issues have since been fixed, and the Obama administration recently announced that 8 million Americans have signed up for health insurance through the exchanges. Healthcare.gov is only one of many US government sites that use OpenSSL, the encryption library that lay open to attack for the past two years via the bug known as Heartbleed. The Department of Homeland Security is still leading a review of government sites, and the Associated Press reports that others, like the White House’s petition website, may have mandatory password resets as well. Untold thousands of non-government sites have been affected by the bug, and many high-profile sites have similarly requested that their users change their passwords.
The first Heartbleed hacker has been arrested


Canadian officials say they’ve tracked down the man responsible for last week’s Heartbleed-assisted breach at the Canada Revenue Agency, which compromised the personal data of more than 900 citizens. According to The Calgary Herald, 19-year-old Stephen Arthuro Solis-Reyes from London, Ontario has been officially charged with the attack after five days of investigation. The official charges are “unauthorized use of a computer” and “mischief in relation to data.”
The attack took place on Friday, after the Heartbleed bug was made public but before the CRA was able to patch its servers against it. As a result, the attacker was able to pull chunks of the server’s working memory, which in the CRA’s case included sensitive financial information. The service was shut down as a result, although the details of the breach were not made public until earlier this week. The government says it is still in the process of notifying all the Canadian citizens affected by the breach.
Heartbleed bug responsible for theft of 900 Canadian tax ID numbers


Canada’s taxpayers may be the first victims of the Heartbleed bug that put the web on high alert last week. According to the Canada Revenue Agency, 900 social insurance numbers (SINs) were stolen by hackers exploiting the security vulnerability. Even on a small scale the breach is serious, since a stolen SIN is enough to commit identity theft, a situation the CRA had worked hard to avoid.
In an official statement issued this morning, the CRA said that it removed public access to its online services when news broke about Heartbleed last week, and worked “around the clock” to patch the bug. However, the taxpayer info was still stolen in a brief six-hour period. “We are currently going through the painstaking process of analyzing other fragments of data,” said the agency, “some that may relate to businesses, that were also removed.”
Hacker successfully uses Heartbleed to retrieve private security keys


This morning, content delivery network Cloudflare gave some hope to those affected by the Heartbleed security flaw with an announcement that the bug might not be as bad as feared. In two weeks of testing, Cloudflare said, its researchers had failed to exploit the bug to steal a website’s private SSL keys, which secure the data sent to users. It issued a challenge to white-hat hackers to retrieve the private keys from a deliberately vulnerable server, and unfortunately for the web, one of them succeeded.
The hacker, Node.js team member Fedor Indutny, claimed on Twitter that he’d tracked down the SSL keys. The practical consequence for anyone who ran a vulnerable server is that patching alone is not enough: the private key has to be treated as compromised, which means reissuing the certificate and revoking the old one.
Glenn Greenwald and Laura Poitras return to US, blame government for climate of fear


At the presentation ceremony for Long Island University’s prestigious George Polk Awards in journalism, reporters were recognized for some of the biggest stories of the past year: the NFL’s indifference to concussions, the deliberate attempts by New Jersey governor Chris Christie’s office to create traffic jams, former Virginia governor Robert McDonnell’s acceptance of illegal gifts. But one of the most dramatic moments was a series of text messages signaling the arrival of two journalists who helped reveal the large and hidden web of NSA surveillance: documentarian Laura Poitras and reporter Glenn Greenwald.
The presentation of the Polk Award for national security reporting, which Poitras and Greenwald accepted alongside The Guardian’s Ewen MacAskill and The Washington Post’s Barton Gellman, marked the pair’s first visit to the United States since the initial leaks from Edward Snowden were published nearly a year ago. Immediately after the leaks, Rep. Peter King (R-NY) called for Greenwald’s arrest and prosecution, and Director of National Intelligence James Clapper obliquely referred to journalists who helped Snowden as “accomplices” during a Senate hearing in January. But the mood has calmed, and Greenwald now views the practical risk of returning as low, he told reporters in a press conference after the awards luncheon. Despite this, he says officials “deliberately created an environment where they wanted us to think there was a risk,” refusing to tell Greenwald’s lawyers whether he might be indicted.
The NSA has exploited Heartbleed bug for years, Bloomberg reports


Bloomberg is reporting that the Heartbleed bug, which shocked the web security community this week, has been known and actively exploited by the National Security Agency for at least two years. According to two anonymous sources familiar with the matter, the bug was kept secret in the interest of national security, while the agency used it to obtain passwords and other data. Since the flawed code first shipped in an OpenSSL release in 2012, the report suggests the NSA discovered the bug and maintained access for nearly the entire lifespan of Heartbleed.
The vulnerability could have been used to attack many services that were patched before the public disclosure, including Gmail and Amazon Web Services, since their protection against Heartbleed only dates back to last week. That would give the NSA access to as many as two-thirds of the encrypted servers on the web. The report also indicates that Heartbleed is far from an anomaly. One source estimates that the NSA has thousands of similar vulnerabilities on file, and the agency has persistently defended their importance in intelligence gathering.
Heartbleed security flaw may not be as dangerous as thought


After this week’s massive Heartbleed bug, one of the biggest concerns was that the bug might leak a website’s private SSL key, the key behind the green lock that secures data sent to users. That is the most dangerous outcome because a stolen key keeps working after the server is patched: an attacker holding it can impersonate the site or decrypt captured traffic months or even years in the future, until the certificate is revoked and replaced.
But today, the content delivery network CloudFlare has announced Heartbleed may not allow access to those private keys after all. In two weeks of testing, the company has been unable to access private keys with Heartbleed, suggesting the attack may not be possible at all. “If it is possible, it is at a minimum very hard,” researcher Nick Sullivan writes. “And we have reason to believe... that it may in fact be impossible.” If true, it makes Heartbleed much less dangerous than many had feared, offering a saving grace for compromised sites. Sullivan acknowledged that, in security tests, some private keys had been revealed by the first requests to Apache servers, but he linked this to the process of restarting the server, which would severely limit the exposure to outside actors. Methods have also surfaced to help services tell if attackers have hit their servers using the bug. “Heartbleed still is extremely dangerous,” says CEO Matthew Prince, “but some of the worst fears about it having been used by organizations like the NSA to hoover up everyone’s private SSL keys look pretty unlikely to us based on this testing.”
How do you fix two-thirds of the web in secret?


When word of the Heartbleed bug first came out, news spread like a fire alarm, but it didn’t spread evenly. The vulnerability was present on as many as two out of every three web servers, which made a standard disclosure impossible. Some companies like Facebook got the news early, either from Google or from OpenSSL itself, and were already patched when Monday’s news broke. Others, like Amazon and Yahoo, were left scrambling to protect themselves. But why did some companies have advance warning while others got left in the cold? How did Facebook find out while Yahoo was left out of the loop?
From a certain angle, it seems like picking favorites, so much so that the FTC issued a statement this morning “making it clear that antitrust laws do not stand in the way of legitimate sharing of cybersecurity threat information.” But there’s a complicated etiquette for sharing this information within the industry, generally known as “responsible disclosure.” The idea is to share bugs with service providers before the exploits become public knowledge, which means separating out the good guys from the bad guys. In a perfect world, you’d let all the good guys know before a single bad guy had a chance to attack. But like any secret, every new insider increases the risk that the news will leak. The worst-case scenario was Heartbleed leaking out to a black-hat forum, where the news would spread to attackers first. At a certain point, researchers inevitably decide the risk of a leak is too great and that they have no choice but to publish the vulnerability before everyone has been told.
‘Trivial’ mistake that caused Heartbleed crisis highlights fragility of the web


The “Heartbleed” flaw that has turned internet security upside down was added to the open-source OpenSSL library on New Year’s Eve 2011, experts now believe. The change was written by one man, German software developer Robin Seggelmann, and a subsequent review failed to pick up on the catastrophic coding error he had made. “In one of the new features, unfortunately, I missed validating a variable containing a length,” he told the Sydney Morning Herald. The feature was the TLS heartbeat extension, and the unvalidated length is the one a client supplies in its heartbeat request; the server echoed that many bytes back without checking that the request actually contained them. By now you’re likely well familiar with the damage that’s resulted from what he described as a “trivial” error.
Some have accused Seggelmann of intentionally adding the major security hole to OpenSSL, charges that he vigorously denies. After all, the reason he was working on OpenSSL that night was to contribute bug fixes and improvements to the project. “It was a simple programming error in a new feature, which unfortunately occurred in a security relevant area,” he said. But Seggelmann acknowledges that the mistake has led to “severe” consequences.
Why Heartbleed is the most dangerous security flaw on the web


Monday afternoon, the IT world got a very nasty wakeup call: an emergency security advisory from the OpenSSL project warning about a bug called “Heartbleed.” The bug could be used to pull a chunk of working memory, up to 64 KB per request, from any server running a vulnerable version of the library (OpenSSL 1.0.1 through 1.0.1f). There was an emergency patch, 1.0.1g, but until it was installed, tens of millions of servers were exposed. Anyone running a server was suddenly in crisis mode.
If the “Heartbleed” name sounds dramatic, this bug seems to live up to the hype. It’s already far worse than the “goto fail” bug that embarrassed Apple earlier this year, both by the scale of computers affected and the depth of the breach. The new bug would let attackers pull the private keys to the server, letting them listen in on data traffic and potentially masquerade as the server. Even worse, it’s old: the bug dates back two years, and it’s still unclear how long anyone’s known about it.
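Three of the items above describe the same piece of logic from different sides: Seggelmann’s missed length check, the advisory’s “pull a chunk of working memory” and Graham’s scan for servers that still answer a malformed heartbeat. The C below is an added example written for this page, not code from The Verge, from OpenSSL or from Graham’s scanner. It models the RFC 6520 heartbeat body (type, two-byte payload length, payload, at least 16 bytes of padding) with two handlers whose shape follows the vulnerable and the 1.0.1g logic but is not copied from OpenSSL, and it stands in for “process memory” with an ordinary array that holds a 20-byte request claiming a 64-byte payload followed by a constructed secret string. Padding is zeroed rather than random, and `probe_is_vulnerable` is the scanner’s decision rule, not a network client; those are this example’s assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat body: type(1) | payload_length(2) | payload | padding(>=16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define MEM_SIZE    256   /* simulated process memory (assumption for this example) */

typedef size_t (*hb_handler)(const unsigned char *rec, size_t record_len,
                             unsigned char *out, size_t out_cap);

/* Echo payload_len bytes back, as both handlers do once they decide to answer. */
static size_t build_response(const unsigned char *payload, uint16_t payload_len,
                             unsigned char *out, size_t out_cap)
{
    size_t resp_len = 1 + 2 + (size_t)payload_len + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload_len >> 8);
    out[2] = (unsigned char)(payload_len & 0xff);
    memcpy(out + 3, payload, payload_len);          /* copies whatever follows the header */
    memset(out + 3 + payload_len, 0, HB_PADDING);   /* real code: random padding */
    return resp_len;
}

/* Vulnerable shape: payload_len is attacker-controlled (up to 65535) and is never
 * compared with record_len, the number of bytes the record layer actually delivered. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t record_len,
                            unsigned char *out, size_t out_cap)
{
    (void)record_len;                                   /* never consulted: the bug */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    return build_response(rec + 3, payload_len, out, out_cap);
}

/* Fixed shape: silently discard any request whose claimed payload plus the
 * mandatory padding does not fit in the bytes that arrived. */
size_t heartbeat_fixed(const unsigned char *rec, size_t record_len,
                       unsigned char *out, size_t out_cap)
{
    if (record_len < 1 + 2 + HB_PADDING) return 0;      /* too short to be a heartbeat */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > record_len) return 0;
    return build_response(rec + 3, payload_len, out, out_cap);
}

/* Constructed scenario: a heartbeat carrying 1 real payload byte but claiming
 * claimed_len, followed in memory by a secret that is not part of the record. */
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY-----";   /* constructed */

static size_t lay_out_memory(unsigned char *mem, uint16_t claimed_len)
{
    memset(mem, 0, MEM_SIZE);
    mem[0] = HB_REQUEST;
    mem[1] = (unsigned char)(claimed_len >> 8);
    mem[2] = (unsigned char)(claimed_len & 0xff);
    mem[3] = 'A';                                       /* the only real payload byte */
    memset(mem + 4, 0x5a, HB_PADDING);
    size_t record_len = 1 + 2 + 1 + HB_PADDING;         /* 20 bytes were really sent */
    memcpy(mem + record_len, SECRET, sizeof SECRET);    /* adjacent heap contents */
    return record_len;
}

static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* The over-read: the response to a 20-byte request carries the neighbouring secret. */
int vulnerable_leaks_secret(void)
{
    unsigned char mem[MEM_SIZE], out[MEM_SIZE];
    size_t record_len = lay_out_memory(mem, 64);
    size_t n = heartbeat_vulnerable(mem, record_len, out, sizeof out);
    return n > 0 && contains(out, n, "PRIVATE KEY");
}

/* The scanner's rule: send a request claiming more than it carries; a server that
 * answers with more bytes than it received is vulnerable, a patched one stays silent. */
int probe_is_vulnerable(hb_handler server)
{
    unsigned char mem[MEM_SIZE], out[MEM_SIZE];
    size_t record_len = lay_out_memory(mem, 64);
    return server(mem, record_len, out, sizeof out) > record_len;
}

/* The fix must still answer an honest heartbeat (claimed length 1 matches reality). */
size_t fixed_answers_honest_request(void)
{
    unsigned char mem[MEM_SIZE], out[MEM_SIZE];
    size_t record_len = lay_out_memory(mem, 1);
    return heartbeat_fixed(mem, record_len, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks_secret());
    printf("probe says vulnerable: %d, probe says fixed: %d\n",
           probe_is_vulnerable(heartbeat_vulnerable), probe_is_vulnerable(heartbeat_fixed));
    printf("fixed handler echoes honest request: %zu bytes\n", fixed_answers_honest_request());
    return 0;
}
```

The whole fix is one comparison between the length the peer claims and the length the record layer actually delivered; everything else in the fixed handler is identical. The same check is what closes the Wi-Fi variant in the first item, since EAP-TLS simply carries these records inside the 802.1X exchange instead of over TCP.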