Tuesday 15 April 2014

Everything you need to know about the Heartbleed bug - PART 1

What is the Heartbleed Bug?

The Heartbleed bug (tracked as CVE-2014-0160) is a serious flaw in OpenSSL, the encryption library that powers a large share of secure communications on the web. It was announced by computer security researchers on April 7, 2014.
Here's how it works: the TLS protocol has an optional heartbeat extension (RFC 6520) that lets a computer at one end of a TLS connection send a short message to verify that the other computer is still online and get the same message echoed back. Each heartbeat carries a length field saying how long the payload is. Researchers found that a cleverly formed, malicious heartbeat message can trick the computer at the other end into divulging secret information: the attacker declares a long payload but sends a short one, and vulnerable OpenSSL versions copy the declared number of bytes into the reply without checking it against what actually arrived. Specifically, a vulnerable computer can be tricked into returning up to 64 kilobytes of its own process memory per request, whatever happens to sit next to the heartbeat message in RAM. The request can be repeated as often as the attacker likes and leaves no trace in ordinary server logs.
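To make the missing length check concrete, here is an added C example written for this post (it is not OpenSSL's own code). It simulates a heartbeat handler over a constructed in-memory buffer: the record layout follows RFC 6520, while the process_memory array, the fake secret placed just after the received record, and the 1024-byte declared length are all constructed for the demonstration. The vulnerable handler mirrors the OpenSSL 1.0.1 to 1.0.1f logic of copying payload_length bytes without bounds checking; the fixed handler adds the check that 1.0.1g introduced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout from RFC 6520:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed stand-in for the server's process memory: the received record is
 * placed at the front and "neighbouring" heap contents (a fake secret) directly
 * after it, so the over-read stays inside this array and is safe to run. */
#define MEM_SIZE 4096
static unsigned char process_memory[MEM_SIZE];
static unsigned char response[MEM_SIZE];
static const char fake_secret[] = "PRIVATE_KEY_FRAGMENT=4d6f636b"; /* constructed */

/* Encode a heartbeat request. declared_len is what goes into the length field;
 * real_len is how many payload bytes are actually sent. */
static size_t build_heartbeat(unsigned char *out, uint16_t declared_len,
                              const unsigned char *payload, size_t real_len)
{
    out[0] = HB_REQUEST;
    out[1] = (unsigned char)(declared_len >> 8);
    out[2] = (unsigned char)(declared_len & 0xff);
    memcpy(out + 3, payload, real_len);
    memset(out + 3 + real_len, 0, HB_PADDING);
    return 3 + real_len + HB_PADDING;
}

/* Vulnerable handler, modelled on OpenSSL 1.0.1-1.0.1f: it trusts payload_length
 * from the message and never compares it with the record length it received. */
static size_t handle_heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                          unsigned char *resp)
{
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    (void)rec_len;                        /* the bug: the real length is ignored */
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);   /* reads far past the 1-byte payload */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Fixed handler, modelled on the 1.0.1g check: header + declared payload + padding
 * must fit inside the record actually received, otherwise drop it (return 0). */
static size_t handle_heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                                     unsigned char *resp)
{
    size_t payload;
    if (rec_len < 1 + 2 + HB_PADDING)
        return 0;
    payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Search a byte buffer for a C string (memmem is not portable). */
static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle), i;
    for (i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Stage a malicious request (1 real payload byte, 1024 declared) next to the secret. */
static size_t stage_attack(void)
{
    const unsigned char one_byte[1] = { 'A' };
    size_t rec_len;
    memset(process_memory, 0, sizeof process_memory);
    rec_len = build_heartbeat(process_memory, 1024, one_byte, 1);
    memcpy(process_memory + rec_len, fake_secret, sizeof fake_secret);
    return rec_len;
}

/* 1 if the vulnerable handler's reply carries the fake secret, else 0. */
int vulnerable_leaks_secret(void)
{
    size_t rec_len = stage_attack();
    size_t n = handle_heartbeat_vulnerable(process_memory, rec_len, response);
    return contains(response, n, fake_secret);
}

/* Reply length from the fixed handler for the same malicious request; 0 = dropped. */
size_t fixed_response_length(void)
{
    size_t rec_len = stage_attack();
    return handle_heartbeat_fixed(process_memory, rec_len, response);
}

/* Reply length from the fixed handler for an honest 5-byte heartbeat: 3 + 5 + 16. */
size_t fixed_benign_response_length(void)
{
    const unsigned char hello[5] = { 'h', 'e', 'l', 'l', 'o' };
    size_t rec_len;
    memset(process_memory, 0, sizeof process_memory);
    rec_len = build_heartbeat(process_memory, 5, hello, 5);
    return handle_heartbeat_fixed(process_memory, rec_len, response);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %s\n", vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler reply length for attack:  %zu (0 = dropped)\n", fixed_response_length());
    printf("fixed handler reply length for benign:  %zu\n", fixed_benign_response_length());
    return 0;
}
```

Build with cc -std=c99 and run; the over-read is confined to the constructed array here, whereas in the real bug the copy ran off the end of the received record into whatever the heap held next, and the declared length could go all the way to 65535.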
Ed Felten, a computer scientist at Princeton (and, disclosure, my former graduate advisor) says that attackers using the technique can "sort through that information by doing pattern matching to try to find secret keys, passwords, and personal information like credit card numbers."
I don't need to explain why exposing passwords and credit card numbers could be harmful. But exposing secret keys can be even worse. The private key is what a server uses to unscramble the encrypted information it receives. With the RSA key exchange most sites used at the time, an attacker who obtains the server's private key can read any information sent to it, including traffic recorded before the key was stolen; only connections set up with a forward-secret (ephemeral Diffie-Hellman) key exchange are protected from that. An attacker holding the key can also impersonate the server, tricking users into divulging their password and other sensitive information. That is why patching alone is not enough: a site that ran a vulnerable version also needs a new private key and certificate, and should revoke the old one.
Since the bug was announced, website operators have scrambled to update their software and take the other steps required to secure their sites: upgrading to OpenSSL 1.0.1g (or rebuilding with the heartbeat extension disabled), replacing private keys and certificates, and invalidating session cookies that may have been captured. The precise number of affected websites isn't known, but the vulnerability is believed to affect a significant fraction of all secure sites on the web.
Because the Heartbleed attack is generally focused on servers, there is nothing users can do to protect themselves when using a vulnerable website. But once a site has fixed the problem and replaced its certificate, it's important for users to change their passwords, so that a password captured while the site was vulnerable can't be used for malicious purposes. Changing it before the site is fixed doesn't help, since the new password can be captured the same way.

Which websites are affected?

Affected companies include Tumblr, Google, Yahoo, Intuit (makers of TurboTax), Dropbox, and Facebook, though all these companies say they've fixed the problem. Amazon.com was not affected, but Amazon Web Services, which is used by a huge number of smaller websites, was. Microsoft, PayPal, LinkedIn, and AOL say they weren't affected. Twitter, eBay, Netflix, and Apple have not made a clear statement one way or the other.
Most banking and investment sites, including Bank of America, Chase, E-Trade, Fidelity, PNC, Schwab, US Bank, and Wells Fargo, were not affected. This might be because these companies use encryption software other than OpenSSL, or it might be because they hadn't upgraded to the latest version. The heartbeat extension only arrived in OpenSSL 1.0.1, released in March 2012, and the older 0.9.8 and 1.0.0 branches never had it. Ironically, then, companies still running a version of OpenSSL more than two years old were not affected by the Heartbleed bug, while those that had kept current with 1.0.1 through 1.0.1f were. Administrators checking their own servers should not rely on the string printed by "openssl version" alone, because distributions such as Debian and Red Hat backported the fix without changing the version number; the package changelog is the authoritative source.