A Credential Exposure Nightmare

Ever have that ridiculous bad dream? You know, the one where you were supposed to give a speech in your high school lunchroom, and you suddenly looked down, and there you were standing in your underwear? Well, that dream is a reality now for some coders and web server administrators across the globe.

It’s hard to explain just how much this upsets me.

Heartbleed: Why the Internet's Gaping Security Hole Is So Scary

I am almost happy, when I hear about internet security gaffes that can be fixed with simple vigilance. If someone tries to “social engineer” my mother’s maiden name from me, at least I can shut my mouth and walk away. I only wish this was the case with the latest internet security threat, that has been leaking credentials from web servers across the globe since 2012.

Not so cute

The bug is adorably pet-named “Heartbleed.” And it has its own logo! Why? Because it’s a bug in something called a “TLS Heartbeat.” But you probably don’t care about that. The sum total of this is a simple coding flaw in the popular OpenSSL package. That’s an open-source software security tool that is deployed on a huge quantity of web servers. To the horror of security engineers, OpenSSL versions 1.0.1 through 1.0.1f, and 1.0.2 beta, all come pre-packaged with a garden-variety buffer overrun bug. But this time, the simple coding flaw is more than just an “oops.” This bug allows a hacker to trick the web server into returning up to 64 KB of private information without authenticating at all. During a security step called a “handshake,” it leaves a door wide open for information grabbing.

Translation: The web server doesn’t always ask the right questions, and so it can be forced to talk too much.

The information that could be grabbed here is potentially the web server’s key. No, not the public one. The private one. (EEK!) The hack can take whatever is in the cache, and that might contain a password (yours?), instant messages, emails (bad), or it might contain the private key to the server (terrible). If the private key is stolen, then the hacker walks away with the keys to the kingdom. Worse: The attack leaves no trace. No logs, no clues, nothing. That is how it has gone on for this long. Server admins troubleshoot with logs and traces.
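To make that “buffer overrun” concrete, here is an added toy model of the heartbeat handling (my own illustration, not OpenSSL’s code): a request claims a longer payload than it actually sent, and the one length check that 1.0.1g added is all that stands between the claim and a leak of neighbouring memory. The record layout, the constructed secret and the 64-byte “memory” buffer are assumptions made for the demo.

```c
#include <stdint.h>
#include <string.h>
/* Toy model of TLS heartbeat processing, constructed for illustration;
 * this is not OpenSSL's code. Wire layout (RFC 6520): 1 byte type,
 * 2 bytes payload_length, the payload, then at least 16 bytes padding. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define PADDING_LEN  16
#define MAX_REPLY    (1 + 2 + 65535 + PADDING_LEN)
/* Echo a heartbeat request. record_len is how many bytes really arrived.
 * Returns the payload length echoed, or -1 if the request is dropped.
 * bounds_check == 0 mimics 1.0.1 through 1.0.1f (the peer's length field
 * is trusted); bounds_check == 1 adds the check that 1.0.1g introduced. */
static int process_heartbeat(const uint8_t *record, size_t record_len,
                             uint8_t *reply, int bounds_check) {
    if (record_len < 3 || record[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)record[1] << 8) | record[2];
    /* The fix: the claimed payload plus framing must fit inside the record. */
    if (bounds_check && 1 + 2 + payload_len + PADDING_LEN > record_len)
        return -1;   /* silently discard, as the patched code does */
    reply[0] = HB_RESPONSE; reply[1] = record[1]; reply[2] = record[2];
    /* Without the check, this copies payload_len bytes even when the
     * record is shorter, pulling whatever follows it in memory into reply. */
    memcpy(reply + 3, record + 3, payload_len);
    return (int)payload_len;
}
/* Constructed scenario: a 21-byte request that claims a 32-byte payload,
 * sitting in a buffer directly before a secret it should never reach.
 * Returns how many bytes of the secret were echoed back (0 if dropped). */
int secret_bytes_leaked(int bounds_check) {
    static const char secret[] = "PRIVATE-KEY-BYTES";   /* constructed */
    uint8_t memory[64] = {0};
    uint8_t reply[MAX_REPLY];
    size_t record_len = 1 + 2 + 2 + PADDING_LEN;        /* 2 real payload bytes */
    memory[0] = HB_REQUEST;
    memory[1] = 0x00; memory[2] = 0x20;                  /* claims 32 bytes */
    memory[3] = 'h';  memory[4] = 'i';
    memcpy(memory + record_len, secret, sizeof secret - 1);
    int n = process_heartbeat(memory, record_len, reply, bounds_check);
    if (n < 0) return 0;
    int leaked = n - 2 - PADDING_LEN;                    /* bytes past the record */
    if (leaked <= 0 || memcmp(reply + 3 + 2 + PADDING_LEN, secret, leaked) != 0)
        return 0;
    return leaked;
}
```

With the check off, the reply carries 14 bytes of the neighbouring secret; with it on, the malformed request is dropped and nothing leaks, which is exactly why patching is the only real fix.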

The big brains at Google Security, however, are more proactive. Thanks to Neel Mehta for discovering this flaw for the rest of us.

Maybe this has affected you. Or not. We can’t tell – no trace, remember? But maybe there was a day when someone hijacked your webmail, took over your address list, and told all of us that you were on vacation in Madrid when hey, you were beaten, robbed, and forced to impersonate a Matador. If that sounds familiar, then here is a way that it could have happened.

(On a personal note, how is your Spanish coming along? Okay, okay, I’ll be serious now.)

Is it really that bad?

There is no need to start stockpiling Corn Flakes and ammunition, but let’s face it: This is bad. Since it affects OpenSSL from v1.0.1 in the year 2012 until the time it was patched in OpenSSL 1.0.1g (recent) and 1.0.2 beta (near future), it means that you don’t really know which web servers are vulnerable right now. Luckily, according to Gizmodo, the Heartbleed bug is not on any major finance or eCommerce sites. In my professional experience, those institutions tend to employ only the software that they know inside and out. They can be violently allergic to risk taking, where their customers’ money is involved. However, if you have had trouble lately with any of these sites, perhaps Heartbleed was a factor.

What do I do now?

Rule number one: Don’t panic. After that?

The web servers must be patched. That is not your job. However, you do have some power here. Exercise it to its fullest:

  1. Test the website. Are you concerned about a site you are using? Try McAfee’s tool for checking the Heartbleed vulnerability. If a site you are using tests out as “vulnerable,” investigate further, and stop your use until it is fixed. (Note that this is a “beta” version tool, which is not an ironclad guarantee. Read the disclaimers, etc., etc. You know the rest.)
  2. Change your passwords. Today would be a good day. And then, do it again 6 weeks from now. Set a reminder on your calendar, and keep it. Do not delay it, do not talk yourself out of it. Will this fix any bleeding hearts? No. But as soon as that hole is patched, you want your credentials to be different. And really, you should be doing this anyway, for your own protection.
  3. Press the website’s “Support” button. Is the site vulnerable? If you believe that it is, speak up. Call/chat/email. And then, ask difficult questions. You can ask them, “Hey, would you guarantee me that you are patched against the Heartbleed bug?” If they can’t answer you, insist. You are their user, you have the right to know. If they won’t answer you, stop using their site until they do. It’s your data, don’t play games with it. Danger, Will Robinson!

Good news

Yes, there is some good news. The best part is that, since OpenSSL is, well, “Open,” this bug is a known quantity. It was fixed eons ago (in software development time) by the right coders. The question now is how responsive the rest of the internet can be. Servers must be patched by the people who own them, and that can take time. But at least we are now beyond Day Zero.