A Gaping Hole in Internet Security?

Category: Security

Yet another security hole in a widely-used Internet protocol has been discovered, prompting headlines about dire things that could have happened, may have happened, and might be happening to you this very instant. Here's what you need to know about the Heartbleed exploit...

What is Heartbleed?

The software flaw dubbed Heartbleed, which was discovered on Monday, April 7th, is a hole in OpenSSL, an open-source implementation of the SSL security protocol used to encrypt Internet connections. A new version of OpenSSL, introduced in December 2011, contained a programming flaw that has persisted to this date.

That software flaw, which security researchers are calling “Heartbleed,” allows an attacker to read the memory of an unpatched server that is running OpenSSL, exposing critical data such as the server’s master password and unencrypted portions of users’ communications, such as users’ passwords and session cookies.

The data that can be collected through this hole could be used to steal a user’s identity. An attacker could even gain full control of the web server and access to everything that passes through it. It’s a big hole, a very serious problem, and system administrators who use OpenSSL are rushing to patch it.

How bad is it? A staffer from Tumblr, a popular blogging site, was quoted in the NY Times as saying: “This still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails and credit cards safe was actually making all that private information accessible to anyone who knew about the exploit.”

To be clear, the implications of a security flaw such as this are astonishing. But personally, I don’t believe anything significant has happened or will happen.

I think we're lucky that the "good guys" discovered this bug and most websites were already fixed before the news about it spread far and wide.

Is There Anything You Should Do?

Out of an abundance of caution, I recommend changing the passwords for all your online accounts. If you receive notice from any site you know saying that it has patched OpenSSL and you should change your password, do it. Even if you don’t receive any notice, change your password on any site that requires a password to log in.

Check out my advice on how to pick a really good password. See Is Your Password Strong Enough?

There have been reports that two-thirds of all websites might have been affected by the Heartbleed problem. But in fact, only 17 percent of secured websites are using OpenSSL in a way that exposes them to the Heartbleed vulnerability, according to Netcraft. That’s still half a million of the most popular destinations on the Web.

I want to emphasize that there have been no reports of security breaches attributable to Heartbleed. That doesn’t stop some from spreading Fear, Uncertainty, and Doubt. They argue that because the Heartbleed exploit leaves no trace, we just don’t know how many people may have been victimized. Therefore, it must be a lot of people, right?

But we WOULD know; the word “victim” implies that something noticeably bad has happened to you. Criminal investigations follow crimes, and if security researchers can find Heartbleed when they weren’t looking for it, then it’s likely that it would have been found during a forensic investigation. So I think it’s more likely than not that hackers have made little (if any) use of Heartbleed.

This is not the first major security hole found in OpenSSL. In 2006, a flawed version of OpenSSL was included in the Debian distribution of Linux. It was reported in 2008, so (like Heartbleed) it was potentially available to hackers for two years. There were no massive cyber-crime waves then, either.

About half a dozen times each year, I hear about a live hand grenade or artillery shell that is discovered in someone’s basement after lying there unnoticed since WW II. I’ve never seen a story about a neighborhood devastated by the explosion of such a thing. Yes, the thought that it could have happened is uncomfortable; but it didn’t happen.

Unless you run a web server which is vulnerable to this flaw, there's nothing you can do to protect against the possibility of an exploit. No anti-virus, firewall or encryption software on your computer will make a difference, because the problem is not on your end.

But it IS a good idea to change your passwords regularly. Maybe this is the excuse you need to get that task done. Your thoughts on this topic are welcome. Post your comment or question below...

 
This article was posted by on 9 Apr 2014



Most recent comments on "A Gaping Hole in Internet Security?"

Posted by:

Jack Loza
09 Apr 2014

Bob, Changing passwords on servers that haven't been patched probably doesn't help much, right? Supposedly, you can check the server with this to see if the fix has been done: http://filippo.io/Heartbleed/#google.com. Just enter the URL for the server and get a report.


Posted by:

Carole
09 Apr 2014

After reading the article you wrote about Heartbleed software, I wonder if Microsoft sent out updates to XP computers today because this information was just discovered?

EDITOR'S NOTE: Nothing you can do on your home computer will have any impact, except maybe for changing your online passwords. This is a web server issue.


Posted by:

bernard
09 Apr 2014

Have you noticed the increase in Yahoo email accounts that were hacked recently, some over and over... I'm wondering if it was related to this exploit.
Otherwise, how do they crack those passwords with all the captcha security on the Yahoo email site???


Posted by:

Vince Bray
09 Apr 2014

Bob is the most sane perspective I have encountered for these kinds of issues, and is very real world. I appreciate that when so many play chicken little when it comes to security holes, in order to scare you into buying something.

As it happens I saw this yesterday in the Chicago Trib about 2 kids who brought some VERY DANGEROUS souvenirs home from England. It's very apropos. I would not advise trying what these kids did, it really is dangerous, but no one died, no one was injured, and the same is probably true of this latest vulnerability.

http://www.chicagotribune.com/news/local/breaking/chi-feds-confiscate-wwi-artillery-shells-at-ohare-from-teens-who-called-them-souvenirs-20140408,0,199829.story


Posted by:

David
09 Apr 2014

An entire neighborhood was not devastated, but in 1972 in Hattiesburg, MS, a man was blown into little pieces after tinkering with such an artillery shell in his backyard. It does happen.


Posted by:

Ralph C.
09 Apr 2014

Bob, apparently the CRA, Canada Revenue Agency our income tax collector akin to your IRS, was affected, and they have shut down their servers today preventing on line submission of personal and business income tax forms. Our deadline in Canada is April 30th, and they have indicated that they will extend the deadline by as many days as it takes to secure their servers. They also said that private data was probably vulnerable and have instructed all who use the service to change their passwords as soon as the servers are back on line. Apparently 65% of Canadians file on line so this is a serious problem for them.


Posted by:

Peter Ballantyne
09 Apr 2014

Thank you yet again Bob. Every time something like this comes up us everyday users can so easily be caught up in the FUD. Yours is, once again, the voice of common sense and reason. The more I read your column the more I find I am trusting you. Not that anyone is infallible of course, but you have really become my most frequent go to source for the true picture. Grateful thanks again.


Posted by:

Michael Brinton
09 Apr 2014

Download Start Page, a Privacy Browser; it works with Google. Prevents this nasty from getting access.

EDITOR'S NOTE: Once again, nothing you can do on your end will matter. It's a server problem, and only the webmaster or system admin can fix it.


Posted by:

Ron B
09 Apr 2014

Bob, there was a bulldozer driver killed in Germany in January and 7 killed in Thailand last week by exploding WW2 bombs


Posted by:

Dave Ruedeman
10 Apr 2014

If you want to test your site for this vulnerability here is a link:
http://filippo.io/Heartbleed/


Posted by:

Marc de Piolenc
10 Apr 2014

I've never used SSL as a vendor because it addresses a non-problem, namely theft of data in transit. All the compromises of credit card and other customer information on record have occurred while that data was sitting on an Internet-connected machine, not while it was being transmitted. This is just one more reason not to use SSL.


Posted by:

R. Kalish
10 Apr 2014

In your article about Heartbleed you mentioned that you never heard of old ordnance actually causing harm. In fact, however, it has happened on several occasions, see "Around the World" at http://en.wikipedia.org/wiki/Unexploded_ordnance .


Posted by:

yaz
10 Apr 2014

Hi Bob, according to what I know, every time you change your password they will know about the change and use your changed password to get into your account. As you said rightly, the problem is with the website server, and nothing you or I can do will make one bit of difference; only the server has to find a patch and fix it. And as you say, the flaw was known since 2011, and yet nobody has found a patch for it as of today, as far as I know. If you know of any company or website that has found a patch for it, please let us all know. As of today
Revenue Canada has shut down its website,
so nobody can EFILE or NETFILE as of right now, and if the government of Canada, knowing of the problem, did not find a solution and let us know only today, that sure speaks volumes. Bye for now.

EDITOR'S NOTE: Yes, a fix has been available since Monday. Anyone who administers a web server will know where to find the fix and how to apply it. Details here: https://www.openssl.org/news/secadv_20140407.txt


Posted by:

Daniel
10 Apr 2014

I looked at the Netcraft site you included above and tested several sites that I use. Netcraft indicated several of the "popular sites" that use the affected TLS extension including Yahoo, Twitter, etc. They didn't mention the biggest (and therefore MOST popular) email site GMail. But when I tested with their tool, GMail uses the TLS extension. This just seems odd to me. Am I just being overly suspicious?

EDITOR'S NOTE: I don't see the connection. Google posted on Wednesday morning that Gmail and other Google services were already patched.


Posted by:

JMJ
12 Apr 2014

Well... There ARE WW2 bombs that DO explode:
http://www.dailymail.co.uk/news/article-2533304/German-construction-worker-killed-unexploded-World-War-Two-bomb-dug-trench-Digger-driver-dies-instantly-explosion-near-Bonn.html
and
http://edition.cnn.com/2014/04/03/world/asia/bangkok-world-war-2-bomb/

Kind regards and thank you for your fearless driving of the regretted Tourbus ;-)


Posted by:

Ihor
14 Apr 2014

Here's a really neat cartoon that describes how Heartbleed "works":

http://xkcd.com/1354/

Read the contents of each cartoon "bubble" carefully, especially the last panel. As I understand it, the bubble represents server memory and the Heartbleed bug tricks the server into displaying more memory contents than should be allowed (kind of a memory overflow).

The author of the xkcd site, Randall Munroe, is a physics graduate from CNU (Virginia) and has worked for NASA in robotics.


Posted by:

RandiO
19 Apr 2014

The word "heartbleed" is a pun based on the word "heartbeat" which is like a software stay alive command.
Little bit of perspective for the record books:
According to many newspapers and news agencies, Dr. Robin Seggelmann, a German software developer, is the one who unknowingly allowed this to happen, making what’s been dubbed as a rookie’s mistake. The bug which introduced the flaw was "unfortunately" missed by him and a reviewer when it was introduced into the open source OpenSSL encryption protocol over two years ago.
"I was working on improving OpenSSL and submitted numerous bug fixes and added new features," he said.
"In one of the new features, unfortunately, I missed validating a variable containing a length."
After he submitted the code, a reviewer "apparently also didn’t notice the missing validation", Dr. Seggelmann said, "so the error made its way from the development branch into the released version."
Dr. Seggelmann said the error he introduced was "quite trivial", but acknowledged that its impact was "severe".

You could blame Dr. Seggelmann, but he did this work for free, and for the open source community. You might assign blame to the whole OpenSSL organization, and the whole open source community. You can blame all the tech giants for missing this bug for so long, but it’s too late and blaming anyone will not help.
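The "missing validation of a length" that Dr. Seggelmann describes above is what lets a peer read server memory, as the article explains. The following toy model is an added illustration, not the article's, the commenter's or OpenSSL's code: a heartbeat handler in the vulnerable shape beside the checked version. The record layout, the constructed buffer contents and the function names are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/* Toy model of the Heartbleed bug, not OpenSSL's real code. A heartbeat record
 * is: type (1 byte), claimed payload length (2 bytes, big-endian), payload,
 * then at least 16 bytes of padding. */
#define HB_PADDING 16
#define CLAIMED_LEN(rec) (((size_t)(rec)[1] << 8) | (rec)[2])

/* Bug: trusts the peer's claimed length and never compares it with the bytes
 * actually received (rec_len), so it copies memory lying past the record. */
size_t heartbeat_reply_vulnerable(const unsigned char *rec, size_t rec_len,
                                  unsigned char *out) {
    (void)rec_len;                        /* never consulted: this is the bug */
    size_t plen = CLAIMED_LEN(rec);
    memcpy(out, rec + 3, plen);           /* over-reads when plen > rec_len - 3 */
    return plen;
}

/* Fix, same shape as the 2014 patch: discard the record when header + claimed
 * payload + padding exceed what was actually received. */
long heartbeat_reply_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out) {
    if (rec_len < 3) return -1;
    size_t plen = CLAIMED_LEN(rec);
    if (1 + 2 + plen + HB_PADDING > rec_len) return -1;
    memcpy(out, rec + 3, plen);
    return (long)plen;
}

/* Constructed server memory: a 24-byte record (type 1, claimed length 40,
 * real payload "hi", zero padding) followed by a fake cookie the peer must never see. */
#define REC_LEN 24
static const unsigned char server_mem[64] =
    { 1, 0, 40, 'h', 'i', [REC_LEN] = 'S','E','S','S','I','O','N','=','a','b','c','1','2','3' };

/* 1 if the vulnerable reply echoes the cookie (reply[i] == server_mem[3 + i]). */
int vulnerable_reply_leaks_secret(void) {
    unsigned char reply[64] = {0};
    size_t n = heartbeat_reply_vulnerable(server_mem, REC_LEN, reply);
    return n == 40 && memcmp(reply + REC_LEN - 3, "SESSION=abc123", 14) == 0;
}

/* The same record through the fixed handler: -1, since 3 + 40 + 16 > 24. */
long fixed_reply_result(void) {
    unsigned char reply[64];
    return heartbeat_reply_fixed(server_mem, REC_LEN, reply);
}
```

The difference between the two handlers is the single comparison of the claimed length against the received length; without it the reply is filled from whatever happens to follow the record in memory.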


Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- A Gaping Hole in Internet Security? (Posted: 9 Apr 2014)
Source: http://askbobrankin.com/a_gaping_hole_in_internet_security.html