Heartbleed Bug Bit Before Patches Were Put in Place
It’s been a little less than a month since the Heartbleed bug was discovered and less than two weeks since the public was informed about it. The bug is a “trivial” programming error made in early 2012 and discovered by Google in March that non-trivially affects the OpenSSL (Secure Sockets Layer) cryptographic software library.
As described at Codenomicon's Heartbleed.com website, the error “allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.” What’s more, an attacker exploiting a system that hasn’t fixed the error doesn’t leave an overt trace of their activity.
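To make the “trivial” error concrete, here is an added example (not code from the article or from OpenSSL) that models the TLS heartbeat message the bug lived in: a responder must refuse to echo more bytes than actually arrived, and the vulnerable releases skipped exactly that comparison. The message layout follows RFC 6520; the padding handling and the sample records are simplified and constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TLS heartbeat message (RFC 6520): 1-byte type, 2-byte big-endian payload
 * length, the payload, then at least 16 bytes of padding. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HDR_LEN   3
#define HB_PADDING   16

/* Return the payload length a responder may echo, or -1 if the record is
 * malformed. The Heartbleed defect was the absence of the final check: the
 * length field was trusted, so a short record claiming a large payload made
 * the responder copy that many bytes from whatever lay beyond it in memory. */
int heartbeat_payload_len(const uint8_t *rec, size_t record_len)
{
    if (record_len < HB_HDR_LEN + HB_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    /* Bounds check added in OpenSSL 1.0.1g: declared payload plus header and
     * padding must fit inside the bytes that actually arrived on the wire. */
    if (HB_HDR_LEN + declared + HB_PADDING > record_len) return -1;
    return (int)declared;
}

/* Write the echo response into out; return bytes written or -1. Only bytes
 * that exist inside the request are ever copied. */
int heartbeat_build_response(const uint8_t *rec, size_t record_len,
                             uint8_t *out, size_t out_cap)
{
    int plen = heartbeat_payload_len(rec, record_len);
    if (plen < 0) return -1;
    size_t need = HB_HDR_LEN + (size_t)plen + HB_PADDING;
    if (need > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, (size_t)plen);
    memset(out + HB_HDR_LEN + plen, 0, HB_PADDING); /* zero padding for the demo */
    return (int)need;
}

/* Constructed samples: a well-formed 23-byte request carrying "ping", and the
 * same 23 bytes with the length field claiming 65535 payload bytes. */
const uint8_t hb_good[23]     = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
const uint8_t hb_overlong[23] = {HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g'};
```

The overlong sample is the shape of record that a patched responder rejects outright; without the fit check it would have been answered with roughly 64 KB of whatever sat next to the request in the process heap.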
While last week saw a lot of speculation about the ultimate severity of Heartbleed, this week some of the consequences were starting to be felt. First, on Sunday, ComputerWorld reported that Akamai Technologies, whose network handles 30 percent of Internet traffic, announced that a researcher had found a “bug” in its Heartbleed patch. As a result, ComputerWorld stated, “Akamai is now reissuing all SSL (Secure Sockets Layer) certificates and security keys used to create encrypted connections between its customer's websites and visitors to those sites.” The article notes that Akamai runs 147 000 servers in 92 countries.
Then, the Canadian Revenue Agency (CRA) on Monday announced that the Social Insurance Numbers of some 900 people had been compromised over a six-hour period before the agency's systems could be taken offline and patched. The CRA has delayed the tax filing deadline from 30 April to 5 May because of the bug. On Wednesday, the Royal Canadian Mounted Police—which was investigating the intrusion and had convinced the CRA to delay its announcement of being hacked in order to help with its inquiry—announced the arrest of a 19-year-old Ontario computer science student in connection with the theft.
British parenting website Mumsnet also reported on Monday that it had been hacked, with the records of possibly all of its 1.5 million user accounts compromised last Friday before a fix could be applied, the Daily Mail reported. Mumsnet founder Justine Roberts said she only “realized the extent of the problem when her own account was attacked,” and urged users to change their passwords.
The Sydney Morning Herald then reported on Tuesday that GE Money Australia was warning customers of the financial websites it operated, “including the Myer Visa Card and Myer Card portals, as well as Coles Mastercard” along with a “number of other GE partner websites, including 28degrees Mastercard” that they were vulnerable to the Heartbleed bug. GE Money was recommending that those customers change their passwords. However, GE Capital, the parent company of GE Money, tried to tamp down customer worries by saying that it had “no reason to believe any customer data has been compromised.”
Also on Tuesday, the Guardian newspaper reported that some 50 million devices, if not tens of millions more, running Android 4.1.1 might be vulnerable because of the Heartbleed bug. Those running Android version 4.1.2 are not vulnerable, the article stated. Google says that, “We have also already pushed a fix to manufacturers and operators,” but it is unclear how many of the devices will actually end up having the fix installed. An interesting article in MIT Technology Review discusses in more depth the likely long-term legacy of Heartbleed because of the sheer number and types of devices that may never receive a bug fix.
Last week, American Banker reported that the U.S. Federal Financial Institutions Examination Council had issued a warning to U.S. financial institutions to bolster their security in light of the Heartbleed bug, including asking them to “strongly consider” recommending that their customers change their passwords. However, American Banker noted, many major U.S. banks, including Bank of America, Capital One Financial, JPMorgan Chase, Citigroup, TD Bank, U.S. Bancorp, Wells Fargo and PNC Financial Services Group, have publicly stated that they were not affected by the bug. That said, on Wednesday, American Funds, the third-largest mutual fund family, recommended that its 825 000 customers change their passwords, Reuters reported, because there had been “a very narrow window of risk.”
Also on Wednesday, ArsTechnica reported that security researchers announced that OpenSSL-powered VPN networks could be compromised. Last week, researchers were not sure whether the threat was real or only theoretical in nature; now they know. Operators of these networks are now being urged to patch them as soon as possible.
Yesterday, the New York Times did say there was a bit of good news. Security researchers at the Berkeley National Laboratory and the National Energy Research Scientific Computing Center, the Times stated, “have been examining Internet traffic they recorded going in and out of their networks since the end of January, looking for responses that would indicate a possible Heartbleed attack.” So far, they have not been able to find any. This doesn’t mean that there weren’t any such attacks before January, however.
The findings do lend just a bit of support to the NSA’s claim that it didn’t exploit the bug, or that it didn’t know about it until its public disclosure. Bloomberg News stirred up a hornet’s nest of outrage when it reported last week that not only did the NSA have knowledge about the bug, but it had been exploiting it since it was accidentally created in 2012. Bloomberg based its story on two anonymous sources who claim to be “familiar with the matter.”
The Bloomberg story raised the interesting issue of how and when to disclose such a major security problem. Apparently, once the programming error was discovered by Google, neither that information nor the fix was shared with the U.S. or other governments, nor with a whole host of vulnerable organizations, before Google made its public announcement or fixed its own systems. Now Google is being accused of “being selfish, putting its corporate interests before global internet users' security, playing favourites, and waiting too long to report the serious Heartbleed security bug to the open-source project whose software contained the critical error.” Expect this issue of when and how to make a bug disclosure of this magnitude to be hotly debated into the foreseeable future.
The New York Times article also reported that University of Michigan computer scientists have been monitoring their Internet honeypots of fake data since the disclosure of the Heartbleed bug to see whether intruders would try to use it to access them. So far, “they’ve witnessed 41 unique groups scanning for and trying to exploit the Heartbleed bug on three honeypots they are maintaining. Of the 41, the majority of those groups—59 percent—were in China.”
While the damage reported so far doesn’t look severe, over the next few weeks, months, and possibly years, there will no doubt be more announcements of Heartbleed bug vulnerabilities and related intrusions. As security company Symantec notes, while the focus has been on vulnerable websites, the bug “equally affects client software such as Web clients, email clients, chat clients, FTP clients, mobile applications, VPN clients and software updaters, to name a few. In short, any client that communicates over SSL/TLS using the vulnerable version of OpenSSL is open to attacks.”
Even trying to determine whether the website you are visiting, let alone a connected device you are knowingly or unknowingly using, is free of the Heartbleed bug is not the easiest thing in the world to accomplish. According to a story at the Guardian, 95% of the most popular detection tools for determining whether a web service one is using or hosting has the flaw are not reliable. However, if the websites you use have indicated they are patched, as the IEEE announced earlier this week, it would be a good idea to change your password now.
One useful thing that the Heartbleed bug has done is to expose just how potentially fragile Internet security really is and how much of it depends on the kindness of a group of 11 volunteers who work on the OpenSSL Project. While the publicity has sparked debate over whether this is ideal or needs to be revisited, exactly how to improve the situation will likely remain open to discussion for quite some time, I suspect.
[Update: The domain Heartbleed.com is owned by Codenomicon, not Google, as originally stated.]