The Heartbleed bug, a security flaw in the popular OpenSSL library used for data encryption, has taken the web security world by storm, and the victim toll has started to rise. The first reported victims include the Canada Revenue Agency (with 900 social security numbers stolen) and Mumsnet, a popular UK website with over 1.5 million members.

Is Heartbleed that dangerous, or are we simply crying wolf?

The Heartbleed bug has been dubbed one of the most dangerous security vulnerabilities ever to hit the Internet. “Heartbleed is a catastrophic bug … [o]n a scale of one to 10, it’s an 11”, said renowned security expert Bruce Schneier.

With half-a-million widely trusted websites deemed to be vulnerable, leaving your site to chance is tantamount to playing with fire.

The Heartbleed flaw has impacted various prominent websites and services, most of which you probably use every day, such as Flickr, Pinterest and Yahoo. It has also affected search engines, banks and online shopping sites, sites where protection of personal data is paramount.

What exactly is the Heartbleed bug?

Officially referred to as CVE-2014-0160, the bug has been present for two years – since version 1.0.1 of OpenSSL was released in March 2012 – but was only discovered on Monday of last week.

Although there’s no shortage of conspiracy theories online, Dr. Robin Seggelmann, the German software developer who introduced the security flaw into OpenSSL’s implementation of the protocol, confirmed that this was an “unfortunate miss”, further pointing out that the missing validation was also overlooked by a second reviewer.

The vulnerability enables hackers to easily steal chunks of previously secure, sensitive data, such as passwords, instant messages, credit card details, user names, session cookies and encryption keys, from servers running the vulnerable OpenSSL versions, without leaving a trace.
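The “missing validation” is a length check on the TLS heartbeat message (RFC 6520): the peer must compare the payload length the sender claims against the bytes it actually received before echoing anything back. The following is an added example, not code from this post or from OpenSSL, written in Python rather than OpenSSL’s C; it parses a heartbeat message with that check in place, so a request that claims more payload than it carries is discarded instead of answered.

```python
import struct

# TLS Heartbeat message (RFC 6520): type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16


def parse_heartbeat(record: bytes):
    """Return (type, payload) for a well-formed message, or None if it must be discarded.

    Comparing the claimed payload_length against the bytes actually received is the
    validation OpenSSL 1.0.1 through 1.0.1f lacked; without it, the reply copies
    payload_length bytes starting at the payload and runs past the record.
    """
    if len(record) < 1 + 2 + MIN_PADDING:
        return None  # too short to hold the header plus mandatory padding
    hb_type, payload_length = struct.unpack("!BH", record[:3])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    # RFC 6520: a payload_length too large for the record means discard silently.
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        return None
    return hb_type, record[3:3 + payload_length]


def build_heartbeat(hb_type: int, payload: bytes, padding_len: int = MIN_PADDING) -> bytes:
    """Encode a message (zero padding here; a real peer uses random padding)."""
    if padding_len < MIN_PADDING or len(payload) > 0xFFFF:
        raise ValueError("invalid heartbeat parameters")
    return struct.pack("!BH", hb_type, len(payload)) + payload + bytes(padding_len)


def heartbeat_response(request: bytes):
    """Answer a request as a patched peer does: echo only bytes actually received."""
    parsed = parse_heartbeat(request)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    return build_heartbeat(HEARTBEAT_RESPONSE, parsed[1])


if __name__ == "__main__":
    # Constructed samples: a valid 5-byte request, and one whose claimed
    # payload_length (65535) far exceeds the single payload byte actually sent.
    good = build_heartbeat(HEARTBEAT_REQUEST, b"hello")
    bad = struct.pack("!BH", HEARTBEAT_REQUEST, 0xFFFF) + b"x" + bytes(MIN_PADDING)
    print(parse_heartbeat(good))    # (1, b'hello')
    print(heartbeat_response(bad))  # None: rejected instead of answered
```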

Once a hacker has this data, the consequences vary: identity theft, phishing attacks and further attacks, especially if the hacker gets his hands on the website’s private encryption keys. Those keys are essentially golden tickets that allow the site to be impersonated even after it is patched, until its certificate is revoked and reissued.

Apache and nginx, the popular open-source web servers that together run 66% of websites, use OpenSSL as their default encryption library to keep data secure.

Confirmed Heartbleed victims

High-profile websites are coming forward as confirmed targets of Heartbleed attacks.

The Canada Revenue Agency (CRA) reported that the social security numbers – which could be used to gain access to government benefits or perform identity theft – of roughly 900 Canadian taxpayers were pinched from their systems via an attack enabled by the Heartbleed bug. Even though the CRA took action and denied public access to its services the day after the bug discovery was announced, hackers still had a window of opportunity to make off with sensitive data belonging to Canadian businesses and citizens alike. The CRA are still sifting through their systems to find out what other data was stolen.

Mumsnet, a popular British parenting website, and its 1.5 million users have also been targeted by Heartbleed attacks. Hackers exposed users’ data, such as passwords, from its login page. Mumsnet have since fixed the vulnerability, but since the attack leaves no trace, they have no way of knowing how many of their users are at risk and are therefore advising their whole user base to change their passwords just in case.

Attacks carried out through the Heartbleed bug leave no trace in server or application logs, so it is impossible to know for sure what damage has been done: how much data has been stolen, what data was exposed, how many people have been impacted and how many users are still at risk.

So how, you ask, did the organisations behind the confirmed reports of Heartbleed-related attacks know what was stolen and how?

Well, the attacker could have easily stolen, via the Heartbleed bug, a session cookie or the login credentials of an admin or otherwise privileged user account, and then used that account to gain access to the system and steal the rest of the data (in these cases, social security numbers and login details). Using admin credentials to access data would have been logged and is hence traceable.

What can you do?

  • Change your passwords for all your important online accounts (email, social media and banking included) on websites that were affected and have since patched the vulnerability, particularly if you use the same password across different accounts. It’s important to change your password(s) only after the affected websites have patched the vulnerability: you might as well hand hackers your new password on a silver platter if you change it before a patch is in place. Unfortunately, even if a vulnerable website has patched the bug, hackers may have already got to your password before it was patched, so you’re still at risk. Mashable has created a useful list of passwords that you need to change now; make sure to create a different password for each account.
  • Find out whether your website is vulnerable. Use a vulnerability scanner to scan for and detect the Heartbleed bug.
  • If vulnerable, upgrade to the newest version of OpenSSL, 1.0.1g, which patches the vulnerability.
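A quick first triage step for your own servers, before or alongside a scanner, is to check which OpenSSL release is installed against the range the bug affects. The script below is an added example, not from this post or from Acunetix; it assumes an `openssl` binary on the PATH and classifies its version banner. Read its verdict with the caveat in the comments: distribution packages frequently backport the fix without changing the version letter, so a matching banner means “verify”, not “confirmed vulnerable”.

```python
import re
import subprocess

# Upstream OpenSSL releases affected by CVE-2014-0160: 1.0.1 through 1.0.1f
# (fixed in 1.0.1g) and 1.0.2-beta1 (fixed in 1.0.2-beta2). The 0.9.8 and
# 1.0.0 branches never shipped the heartbeat code.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def is_heartbleed_version(version_string: str) -> bool:
    """Return True if an `openssl version` banner names an affected upstream release."""
    m = _VERSION_RE.search(version_string)
    if m is None:
        raise ValueError(f"unrecognised OpenSSL version string: {version_string!r}")
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if release == (1, 0, 1):
        return letter < "g"  # plain 1.0.1 (letter "") and 1.0.1a..1.0.1f are affected
    if release == (1, 0, 2):
        return beta == "1"
    return False


def local_openssl_version() -> str:
    """Banner of the openssl binary on PATH, e.g. 'OpenSSL 1.0.1f 6 Jan 2014'."""
    result = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    banner = local_openssl_version()
    verdict = "affected upstream release" if is_heartbleed_version(banner) else "not an affected release"
    print(f"{banner}: {verdict}")
    # Caveat: distributions often backport the fix while keeping the old version
    # letter (a patched build can still report 1.0.1e), so a match here means
    # "check the package changelog or run a scanner", not "confirmed vulnerable".
```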

Conclusion

This bug has received so much press that it was patched immediately by many affected websites and services after it was discovered, but the reality is, there will always be a crack in the security wall that will be exploited.

Software bugs that cause vulnerabilities will continue to exist, due to human error in the software development process. The Heartbleed bug, an error in OpenSSL’s code, was only just discovered, two years after it was released, meaning it has been in the wild for quite some time.

Although it’s always difficult to protect against ‘new’ vulnerabilities, having a reputable scanner installed and keeping your software up to date remain the best defence strategies.

THE AUTHOR
Acunetix

Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.