Heartbleed: the biggest unknown is if hackers have even exploited it yet

11 Apr 2014

The internet is in uproar over the revelations about a vulnerability in the OpenSSL code and it is believed 17pc of the internet may be compromised. But this vulnerability has existed for two years – if hackers weren’t aware of it they are now, warn the experts.

Earlier this week, a team of researchers found a massive flaw in OpenSSL, an online encryption program used by thousands of websites worldwide that can be manipulated to send the content of a computer’s random access memory (RAM).

OpenSSL is used on public-facing websites such as Gmail, Facebook and PayPal, and it is believed that up to 17pc of the internet could be vulnerable to the bug.

Apple has said its network services, such as iCloud and iTunes, are safe from attack, while Yahoo! has instructed all users to change their passwords to alleviate any chance of their systems being attacked or accessed by hackers.

Ireland’s tax authority, the Revenue Commissioners, has confirmed its public-facing and internal systems have been checked and are safe from the Heartbleed bug vulnerability.

While it is unclear if other Irish Government departments and State bodies have checked their systems, in Canada, the country’s CIO ordered that federal departments using software vulnerable to the so-called Heartbleed bug to immediately disable public websites.

So what is the size of the problem?

We spoke to two of Ireland’s foremost IT security experts – Brian Honan of BH Consulting and Europol and Dermot Williams of Threatscape – to get perspective on how big the problem really is and what individuals and organisations should be doing to protect themselves.

“The Heartbleed debacle highlights that all software contains security vulnerabilities, whether that software is Open Source or commercial software,” explains Honan.

“It also exposes the myth that Open Source Software is inherently more secure because there are thousands of eyes looking at the code. Those looking at the code may also not have the skills to look for security vulnerabilities in the software.

“For those of us who use the Internet this could potentially be a major issue. Many websites have been exposed to this bug which could allow criminals to monitor what is meant to be secure traffic to and from the server and collect sensitive data such as passwords, account credentials and financial data. The bug is also inherent in various versions of Linux and Android platforms which could expose mobile phone users to similar threats.

“For the IT manager it causes a headache as not only does she have to ensure that all her servers using SSL are not exposed to the bug, and if they are to remediate them, but the IT manager will also have to ensure lots of devices which rely on OpenSSL for security are not similarly exposed. These devices could be VPN solutions, firewalls, email servers and many other types of systems.

“The additional concern is that this bug could have been exploited by criminals many months before it was discovered by security researchers. This could mean that sensitive data has been exposed for quite a while,” Honan said.

A weakness in the open source model?

Williams denies that the Heartbleed debacle exposes the ugly side of open-source security components.

“What ‘ugly side’ of open source? Yes, open source can have its drawbacks, it has brought the IT world some of the best technology in use on the internet today. Many interactive, database driven web sites rely on the “LAMP” stack – which combines the Linux operating system (open source), Apache web server (open source – and used by over half of all web sites), MySQL database (open source) and php programming language (yes, also open source). Hundreds of other open source projects have enabled everything from secure communication to image manipulation, data storage to education – and have made possible projects, products and technological advances which otherwise would never have happened.

“The widespread use of OpenSSL is what has caused the potential impact of the HeartBleed vulnerability to be so broad. But we see similar security risks arising from the monoculture aspects of many other critical elements in use by modern IT – the massive dominance of Windows as a desktop operating system being an obvious example.”

Williams said there are thousands of software developers, system admin staff, etc. around the world scrambling to update their systems in light of HeartBleed. “The labour costs alone will likely run into millions of dollars – and that’s excluding potential financial costs if hackers have succeeded in profiting from using the vulnerability against targeted systems. How many of those developers who have gratefully adopted and relied on the OpenSSL code have ever sought to donate towards its ongoing development and maintenance?

“The core development team is just a handful of developers. If there is an ‘ugly side’ to open source it is that many of those happy to make use of open source products don’t make even a token contribution to their upkeep,” said Williams.

Should we change our passwords or not?

The big question most users are asking themselves is should they change their passwords or adopt a wait-and-see attitude.

“Relying on passwords alone has long been acknowledged as a poor method of user authentication,” says Williams. Two-factor authentication (by means of a security token, SMS text message to the user, or similar) significantly increases security.

“Users who use the same password for multiple systems will obviously have most to fear were an attacker to steal their password from a compromised system.  If you have done this, change it today before you have reason to regret it tomorrow…

“Likewise changing your online passwords on a regular basis, although it can be tiresome, is a prudent step to enhance your online security,” Williams said.

Honan believes people should determine if the sites or services they are concerned about have been exposed to the bug before changing passwords or get into the habit of using password manager solutions.

“Those managing these sites and services should notify their user base whether or not they have been exposed. If that service has been exposed then wait until the provider has remedied the issue before rushing to change your password.

“If you change your password before the remediation has been completed you are potentially exposing your new password and gaining no benefit. 

“They are a number of sites that have been set up where you can check to see if the site/service you are concerned about has been exposed, such as the Mashable website.

“I would recommend that people ensure they use secure passwords for all their key online accounts and systems, and also use different passwords across those systems. To manage these accounts you should use a password manager solution such as Lastpass, 1Password, or Keepass.

“Any system, whether it is a banking system or otherwise, that was using the vulnerable version of OpenSSL are potentially exposed. They should test all their systems, and any sub-components of those systems, for the vulnerability and apply the patch as soon as possible. If their systems have been exposed they should also contact customers and get customers to change their passwords.

“If the system cannot be patched, they should conduct an assessment of the potential risks to the bank and their customers and decide whether or not they should take the service offline, similar to what the Canadian Revenue Agency shutting down their online tax system,” Honan warned.

So, are there any victims of Heartbleed yet?

Williams points out that it is still unknown if anyone has even been a victim of a cyber attack because of the two year-old vulnerability.

“Those who have found their systems vulnerable are typically following a process of first securing their systems, and THEN notifying users that they should change their passwords – as a precautionary measure. There is no point changing your password NOW on a potentially insecure system if the web site operator has not yet updated their system – the likelihood that still-vulnerable systems are being targeted by attackers has increased exponentially in the last 72 hours since HeartBleed because widely known about and sample attack code was published on the internet.  

“Remember that two different security researcher ‘white hats’ found this vulnerability – and it has been in the OpenSSL code for the last two years,” Williams concluded.

“We just don’t know how many, if any, hackers may have discovered and quietly exploited it up to now.”

Bleeding heart image via Shutterstock

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com