2014-04-15-1757Z


jimcooncat sent me this. I trust his research and, to a large extent, his analysis.

The Heartbleed bug has been big news. The mainstream media embellished the story and got parts wrong, of course. It wasn't as widespread as they tried to make it, but a few big names, notably Yahoo!, were caught using bad software on public-facing systems. Here's the inglorious scoop from what I've read over the past few days, likely not all true, share if you like, and more than you want to know:

Heartbleed is a vulnerability in the load balancing portion of OpenSSL, server software that negotiates encryption when a client (usually a web browser) requests a file over https. An attacker would be rewarded with a big packet of the server's raw memory, which might contain anything but very likely nothing interesting if it can even be discerned among the garbage. Advanced attackers do have access to big computing power that they can use to sift through the mess.

Heartbleed, or more correctly the Heartbleed bug, is not any special program or hack that someone made. It was simply some bad coding that one of the contributors to the OpenSSL application had published. Some hackers found that the bad code was exploitable, and a company of one of these hackers made up a logo and branded the exploit when sending along their findings.

Heartbleed only affected newer versions of some Linux and BSD distributions, and the bad OpenSSL was installed only for a few months, not the two years since the vulnerable portion was written. Here's the scary part: anyone could have reviewed the code anytime, but no one did, even though most techs thought someone with resources would have (such as IBM) after a small problem surfaced a couple years ago in the Debian distribution.

The original programmer's really sorry and doing his best to help, but this could end up causing big damage to the free software community. He was allowed to commit his work without supervision. He had chosen to bypass a standard memory function because it didn't work correctly on OpenBSD, arguably the most secure modern operating system available. The maintainers of OpenBSD are livid, because they were now distributing the bad OpenSSL, and say that when the programmer's original code didn't run correctly on their operating system that should have given him a clue that it wasn't secure. Many hackers are upset and have been messing with websites the programmer's associated with.

The stodgier institutions like many online banking services I deal with weren't affected, because they run proprietary Transport Layer Security packages. Neither are websites that run free software that hadn't upgraded in the last year or so, and many haven't because the distributions are still supporting the older versions. Microsoft, whose products weren't affected, hasn't jumped on this yet with its PR machine.

Passwords are very difficult for an attacker to exploit on any system that uses the standard security for them, which doesn't actually store them in clear text. If customer service can't give you your password but instead has to reset it, they're doing it right. To exploit passwords stored this way, an attacker has to use slow, expensive methods, so they usually try to choose their targets.

But even if it's difficult for an attacker to exploit passwords, a very good one can steal the website's security certificate. (This wasn't thought possible through Heartbleed until published yesterday.) Now, if they can wedge themselves between the customer and the website they would be able to spoof it, now capturing anything the customer entered. Once again, it's difficult and expensive, so they would choose targets like a bank manager's login, not an individual customer, so they could steal and sell account numbers and let others try to exploit.

Many in the tech community are not giving Heartbleed much attention because they feel the entire security certificate structure has been subverted for years due to a lack of oversight by providers like Verisign and Thawte. They believe these types of exploits have been happening all along because of bogus and stolen certificates.

Another type of software is also vulnerable because of this bug, and I'm glad I never implemented it. This is the OpenVPN package that many companies use for remote access to work. Likely this part might not make it to mainstream news, but many larger companies are exposed.
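
The raw-memory disclosure described above happens when a TLS heartbeat (RFC 6520) handler echoes as many bytes as the sender's length field claims instead of as many as actually arrived. The following is an added example, not code from the post or from OpenSSL, showing the bounds check a handler needs; the function names and the sample record are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST     1   /* RFC 6520 heartbeat_request */
#define HB_RESPONSE    2   /* RFC 6520 heartbeat_response */
#define HB_HEADER      3   /* 1-byte type + 2-byte payload length */
#define HB_MIN_PADDING 16  /* minimum padding required by RFC 6520 */

/* Build the echo for a received heartbeat record. Returns the response
 * length, or 0 when the message must be silently discarded. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_MIN_PADDING || rec[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The bounds check: the sender's length field must fit inside the
     * bytes that actually arrived, or the copy below would read past them. */
    if (HB_HEADER + claimed + HB_MIN_PADDING > rec_len)
        return 0;
    size_t resp_len = HB_HEADER + claimed + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    memset(out + HB_HEADER + claimed, 0, HB_MIN_PADDING); /* real stacks use random padding */
    return resp_len;
}

/* Constructed sample: 4-byte payload "ping"; length_hi/lo is the claimed length. */
size_t hb_demo(uint8_t length_hi, uint8_t length_lo)
{
    uint8_t rec[HB_HEADER + 4 + HB_MIN_PADDING] =
        { HB_REQUEST, length_hi, length_lo, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    return hb_build_response(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("honest length 4:      %zu bytes echoed\n", hb_demo(0x00, 0x04));
    printf("claimed length 16384: %zu bytes echoed\n", hb_demo(0x40, 0x00));
    return 0;
}
```

A request whose length field matches its payload is echoed in full; one that claims more than was sent is dropped without a reply.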


last updated 2014-04-15 13:58:45. served from tektonic.jcomeau.com