How to stop the Web’s heart from bleeding
Updated: 11 Apr 2014, 11:54 PM IST
Affected users, according to the OpenSSL website, should upgrade to OpenSSL 1.0.1g. Besides, most cloud infrastructure services providers have announced fixes for Heartbleed
Mumbai: Companies, governments and other owners of servers now have a cure for Heartbleed, the security bug that has caused mayhem on Web servers across the world this week with its power to leak usernames, passwords, encryption keys and other sensitive information from websites running a vulnerable version of the open source cryptographic library OpenSSL.
Security firms, however, cautioned that website and server owners who do not upgrade to a fixed version of OpenSSL continue to run the risk of leaving their sites exposed to cyber criminals, who have begun running scans for the bug. It has been present in OpenSSL for about two years, and exploiting it leaves no trace in the server’s logs.
Neel Mehta, a researcher on the Google Security team, and Codenomicon, a Finnish security firm, discovered the bug, which was publicly disclosed on Monday, in OpenSSL, an open source implementation of SSL/TLS—ironically, the very software created to protect sensitive information in transit. SSL, whose full name is Secure Sockets Layer (its successor is Transport Layer Security, or TLS), is what the “s" in https signifies on sites that use it, including banks and Web-based email services such as Gmail.
Https assures users that the site they have visited encrypts data before transmitting it over the Internet. Many popular Web servers and operating systems, including a wide array of Unix and Linux distributions as well as OS X, rely on the open source OpenSSL cryptographic library to perform that encryption. According to the researchers who discovered the flaw, the defective code has been in OpenSSL for about two years.
According to Netcraft Ltd’s April 2014 Web Server Survey, the two open source Web servers most commonly deployed with OpenSSL, Apache and Nginx, together powered more than 66% of the nearly 959 million websites surveyed. Besides Web servers, OpenSSL is used to protect email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and a variety of client-side software.
The bug has been christened Heartbleed (tracked as CVE-2014-0160; CVE stands for Common Vulnerabilities and Exposures) because it lies in OpenSSL’s implementation of the TLS “heartbeat" extension: a single malformed heartbeat request can make a server return up to 64 kilobytes of its memory to the attacker, and the attacker can send as many heartbeats as it likes. The affected releases are OpenSSL 1.0.1 through 1.0.1f and the 1.0.2-beta series (1.0.2-beta1); the older 1.0.0 and 0.9.8 branches do not contain the bug.
This, according to security firm Kaspersky Lab, could have enabled anyone on the Internet to read through the memory of a machine that’s protected by a vulnerable version of the software. “In the worst-case scenario, this small block of memory may contain something sensitive—user names, passwords, or even the private key which is used by the server to keep your connection encrypted," the firm said in a statement on Thursday.
Heartbleed, it cautioned, leaves no traces “so there is no definite way to tell if a server was hacked and what kind of data was stolen".
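The mechanism described above, as an added illustration that is not OpenSSL’s code: a cut-down C model of TLS heartbeat handling, with the version that trusts the attacker-supplied payload length beside the record-length check that OpenSSL 1.0.1g introduced. The memory arena, the constructed secret, the function names and the capped copy are assumptions of this demo; the real code read whatever the allocator had placed after the record buffer, up to 64 KB past it.

```c
/* Added example, not OpenSSL's code: a simplified model of the TLS heartbeat
 * bug behind Heartbleed (CVE-2014-0160). A heartbeat message is one type
 * byte, a two-byte big-endian payload length, the payload, then >= 16 bytes
 * of padding. The vulnerable handler echoes `payload_len` bytes without
 * checking that that many bytes were actually received. */
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define ARENA_SIZE   4096
/* Constructed sample data standing in for whatever follows the record in
 * the server's heap (session cookies, passwords, private-key material). */
#define SECRET       "CONSTRUCTED-SECRET: dbpass=s3cr3t"

/* Assumed model of a connection: the received record sits at the front of
 * `mem`; `record_len` is how many bytes the peer really sent. */
typedef struct {
    unsigned char mem[ARENA_SIZE];
    size_t record_len;
} conn_t;

/* Vulnerable handler: returns response length, or -1 if nothing is sent.
 * The only guard is a demo-only cap so the model itself stays free of
 * undefined behaviour; OpenSSL 1.0.1f had no such cap. */
int heartbeat_vulnerable(const conn_t *c, unsigned char *resp, size_t resp_cap)
{
    const unsigned char *p = c->mem;
    if (c->record_len < 3 || p[0] != HB_REQUEST)
        return -1;
    unsigned int payload = (p[1] << 8) | p[2];      /* attacker-controlled */
    size_t out = 3 + payload + HB_PADDING;
    if (out > resp_cap || 3 + payload > ARENA_SIZE)  /* demo-only cap */
        return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, p + 3, payload);   /* BUG: copies past the received record */
    memset(resp + 3 + payload, 0, HB_PADDING);  /* real code uses random padding */
    return (int)out;
}

/* Fixed handler: the two length checks added in 1.0.1g. A request whose
 * claimed payload does not fit in the record is silently discarded. */
int heartbeat_fixed(const conn_t *c, unsigned char *resp, size_t resp_cap)
{
    const unsigned char *p = c->mem;
    if (1 + 2 + HB_PADDING > c->record_len || p[0] != HB_REQUEST)
        return -1;
    unsigned int payload = (p[1] << 8) | p[2];
    if (1 + 2 + payload + HB_PADDING > c->record_len)
        return -1;                                   /* the Heartbleed fix */
    size_t out = 3 + payload + HB_PADDING;
    if (out > resp_cap)
        return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, p + 3, payload);   /* now provably within the record */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return (int)out;
}

/* Build a record that claims `claimed` payload bytes but carries `actual`,
 * and plant the constructed secret further along in the arena. */
void make_conn(conn_t *c, unsigned int claimed, size_t actual)
{
    memset(c->mem, 0, sizeof c->mem);
    c->mem[0] = HB_REQUEST;
    c->mem[1] = (unsigned char)(claimed >> 8);
    c->mem[2] = (unsigned char)(claimed & 0xff);
    memset(c->mem + 3, 'A', actual);
    c->record_len = 3 + actual + HB_PADDING;   /* padding bytes left as zero */
    memcpy(c->mem + 256, SECRET, strlen(SECRET));
}

/* 1 if the secret bytes appear anywhere in the first n response bytes. */
int response_leaks(const unsigned char *resp, int n, const char *secret)
{
    size_t sl = strlen(secret);
    if (n < 0 || (size_t)n < sl) return 0;
    for (size_t i = 0; i + sl <= (size_t)n; i++)
        if (memcmp(resp + i, secret, sl) == 0) return 1;
    return 0;
}

/* Attack: claim 1000 bytes, send one. Returns 1 if the vulnerable server
 * leaks the secret and the fixed server discards the request. */
int run_leak_scenario(void)
{
    conn_t c; unsigned char resp[ARENA_SIZE];
    make_conn(&c, 1000, 1);
    int n = heartbeat_vulnerable(&c, resp, sizeof resp);
    int leaked = response_leaks(resp, n, SECRET);
    int rejected = heartbeat_fixed(&c, resp, sizeof resp) == -1;
    return leaked && rejected;
}

/* Honest heartbeat: the fixed server answers 3 + 1 + 16 bytes, no leak. */
int run_benign_scenario(void)
{
    conn_t c; unsigned char resp[ARENA_SIZE];
    make_conn(&c, 1, 1);
    int n = heartbeat_fixed(&c, resp, sizeof resp);
    return n == 20 && resp[3] == 'A' && !response_leaks(resp, n, SECRET);
}

int main(void)
{
    printf("leak scenario: vulnerable leaks and fix rejects = %d\n", run_leak_scenario());
    printf("benign heartbeat still served by fixed code = %d\n", run_benign_scenario());
    return 0;
}
```

The one-line fix is the comparison of the claimed payload length against the record length actually received; everything the attacker gets from the vulnerable path is whatever sat after the record in memory, which is why the leak leaves no trace and why the advice below to treat keys and passwords as compromised follows.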
“Catastrophic is the right word. On the scale of 1 to 10, this is an 11," wrote Bruce Schneier, chief technology officer of Co3Systems and a fellow at Harvard University’s Berkman Center, US, on his personal blog on Wednesday.
According to Ashley Thurston, a researcher at security firm Dashlane Inc., Heartbleed has put millions of websites at risk, allowing an intruder to “undetectably" intercept data between a user and the websites they use. “The keyword here is undetectably—it’s impossible to know if a site that was affected by Heartbleed was in fact exploited. All we can know is which sites were at risk," he said.
The good news is that OpenSSL has fixed the bug. Affected users, according to the OpenSSL website, should upgrade to OpenSSL 1.0.1g. Besides, most cloud infrastructure services providers have announced fixes for Heartbleed. Microsoft Corp. said its Azure cloud platform has been largely unaffected, but warned that customers running Linux images on it may be affected. Public cloud providers such as Google Inc. and Amazon Web Services also issued updates to inform customers what systems had been patched and what measures needed to be taken to prevent the bug from affecting websites.
“Bugs in a single software or library come and go and are fixed by new versions. However, this bug has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitation and attacks leaving no trace, this exposure should be taken seriously," cautions heartbleed.com, created after the discovery of the bug. Leaked secret keys allow an attacker to decrypt any past—and future—traffic to the protected services and impersonate the service at will, it adds.
According to Kurt Baumgartner, a researcher at Kaspersky Lab, a few hacking groups believed to be involved in state-sponsored cyber espionage were running scans to exploit the bug. “The numbers were gradually increasing and this was even more evident when security software company Rapid7 released a free tool for conducting such scans. This problem is insidious and devices besides servers could be at risk because they run software programmes with vulnerable OpenSSL code built into them," he said in a statement.
In 2013, there was a 62% increase in the number of data breaches over the previous year, resulting in more than 552 million identities exposed, proving cyber crime remains a real and damaging threat to consumers and businesses alike, according to a Tuesday report by security firm Symantec Corp.
Schneier of Co3Systems advises users that after patching up their systems, they should get a new public/private key pair, update their SSL certificate, and then change every password that could potentially be affected.
On the positive side, reads the heartbleed.com site: “For those service providers who are affected this is a good opportunity to upgrade security strength of the secret keys used. A lot of software gets updates which otherwise would have not been urgent. Although this is painful for the security community, we can rest assured that infrastructure of the cyber criminals and their secrets have been exposed as well."