Heartbleed, a newly discovered security flaw in the most widely used software for encrypting web traffic, is indeed a “big deal”, as Fairfax and, well, everyone is reporting. It’s a real problem that could affect every Australian’s everyday security online in ways we’re only beginning to understand. Yet our cybersecurity policies focus on esoteric threats like terrorist attacks. Wrong.
More formally known as CVE-2014-0160, its catalogue number in the database of software security vulnerabilities now sponsored by the United States Department of Homeland Security, Heartbleed is a flaw in software called OpenSSL, which is used to encrypt internet traffic — including, typically, the data flows between your computer and a secure website, or between the apps running on your smartphone and the remote computers that provide the services in question.
Without going into the technical details, this flaw could allow an attacker to essentially insert a probe into a server that’s running a vulnerable version of OpenSSL and suck out data that’s meant to be secure — including the private encryption keys and the digital certificates that are used to secure the data connections, usernames and passwords, the secure “cookies” used by internet banking servers or, indeed, anything else of interest — all without being detected.
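The "probe" the article describes is, at bottom, a missing length check: the heartbeat extension let a client declare how many bytes of payload it sent, and the vulnerable code echoed that many bytes back without confirming that many had actually arrived, so it copied whatever happened to sit next to the request in memory (a commenter below puts the figure at up to 64KB). The following added example is not from the article or from OpenSSL; it is a self-contained C simulation in which "process memory" is a constructed byte array holding a short heartbeat record followed by a constructed secret. It shows the defect (trusting the declared length) beside the corrected handler, which drops any record whose declared length exceeds what was received, and a check that confirms only the vulnerable handler leaks the neighbouring bytes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simulated process memory (constructed for this example): the incoming
   heartbeat record is followed by "secret" bytes that must never be echoed. */
#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];

/* Heartbeat record layout: 1 type byte, 2-byte big-endian declared payload
   length, then the payload. record_len is how many bytes actually arrived. */
#define HB_HEADER_LEN 3
#define SECRET "SECRET-KEY-MATERIAL"
#define SECRET_LEN 19

typedef size_t (*hb_handler)(const unsigned char *record, size_t record_len,
                             unsigned char *out, size_t out_cap);

/* Vulnerable handler: trusts the sender-controlled length field and copies
   that many bytes, reading past the end of the record that was received. */
static size_t heartbeat_vulnerable(const unsigned char *record, size_t record_len,
                                   unsigned char *out, size_t out_cap)
{
    (void)record_len;                        /* never consulted: this is the bug */
    size_t claimed = ((size_t)record[1] << 8) | record[2];
    if (claimed > out_cap) claimed = out_cap; /* only so the demo stays inside the arena */
    memcpy(out, record + HB_HEADER_LEN, claimed);
    return claimed;
}

/* Fixed handler: the declared length must fit inside the bytes that actually
   arrived; otherwise the record is discarded and nothing is echoed. */
static size_t heartbeat_fixed(const unsigned char *record, size_t record_len,
                              unsigned char *out, size_t out_cap)
{
    if (record_len < HB_HEADER_LEN) return 0;
    size_t claimed = ((size_t)record[1] << 8) | record[2];
    if (claimed > record_len - HB_HEADER_LEN) return 0; /* declared > received: drop */
    if (claimed > out_cap) return 0;
    memcpy(out, record + HB_HEADER_LEN, claimed);
    return claimed;
}

/* Lay out the scenario: a 4-byte payload "ping" whose header declares 60
   bytes, with the constructed secret sitting immediately after the record. */
static void setup_arena(void)
{
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                 /* heartbeat_request */
    arena[1] = 0; arena[2] = 60;  /* declared payload length: 60 */
    memcpy(arena + HB_HEADER_LEN, "ping", 4);
    memcpy(arena + HB_HEADER_LEN + 4, SECRET, SECRET_LEN);
}

/* Returns 1 if the handler's reply contains the neighbouring secret, else 0. */
static int leaks_secret(hb_handler handler)
{
    unsigned char out[128];
    setup_arena();
    size_t n = handler(arena, HB_HEADER_LEN + 4, out, sizeof out);
    return n >= 4 + SECRET_LEN && memcmp(out + 4, SECRET, SECRET_LEN) == 0;
}

/* A well-formed record (declared length matches the payload) is echoed by both. */
static size_t well_formed_echo(hb_handler handler)
{
    unsigned char out[128];
    setup_arena();
    arena[2] = 4;                 /* honest declared length */
    return handler(arena, HB_HEADER_LEN + 4, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", leaks_secret(heartbeat_vulnerable));
    printf("fixed handler leaks secret:      %d\n", leaks_secret(heartbeat_fixed));
    printf("fixed handler echoes honest ping: %zu bytes\n", well_formed_echo(heartbeat_fixed));
    return 0;
}
```

The point a patch reviewer would look for is the single comparison in heartbeat_fixed: the declared length is compared against the bytes actually received before any copy happens, and an inconsistent record is dropped rather than answered. Everything else (the arena, the secret string) is scaffolding so the over-read can be observed safely within one array.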
“Make no mistake about it. The OpenSSL Heartbleed security hole is as serious for internet security as a stage four cancer diagnosis would be for you,” wrote technology reporter Steven J Vaughan-Nichols. OpenSSL is used by default by the Apache and NGINX web servers, which between them run up to two-thirds of all “secure” websites on the internet.
The results of a scan of the world’s 10,000 most popular websites published at 3am AEST today revealed 1312 sites still vulnerable, including those of AirBnB, NASCAR, Gamespot, the Victorian state government and, ironically, that for OpenSSL itself.
Here in Australia, security consultancy Hacklabs reported that as of 9pm AEST yesterday, around 10% of ASX 200 companies’ websites were vulnerable. Hacklabs director Chris Gatford wrote:
“Some sites that were tested and found vulnerable earlier in the day appear to have been patched, which is great work by some busy sysadmins today.”
Using tools that hackers have put online, it’s easy to find plenty of vulnerable sites — including the website of CERT Australia, the very organisation that’s meant to co-ordinate information about threats to our digital infrastructure. Crikey understands that things are rather busy there today.
But it’s worse than that.
While Heartbleed was only publicly revealed this week — once the OpenSSL team had been given a chance to fix the problem and issue a new version of its software to major internet service providers — the flaw has existed since 2012. If anyone else had independently discovered the problem during that time — the US National Security Agency, say, or any number of intelligence agencies, or even criminal gangs — they could have sucked out those encryption keys and passwords and been happily decoding any of the now not-so-secure data. And we’d never know.
The researchers who discovered Heartbleed wrote:
“Bugs in single software or library come and go and are fixed by new versions. However, this bug has left large amount of private keys and other secrets exposed to the internet. Considering the long exposure, ease of exploitation and attacks leaving no trace, this exposure should be taken seriously.”
Which brings me to what I think is the real problem. Big internet service providers have the technical clue and resources to respond to problems like Heartbleed and advise their customers of the potential risks. But mid-rank and small to medium-sized players online will have little idea what Heartbleed even means, let alone how to deal with it.
Heartbleed is the internet equivalent to discovering that the front door locks on two-thirds of Australian businesses could have been opened with a pocket laser, without being detected, at any time in the past two years, because they all used the same internal mechanism. If that happened, we’d be seeing a recall program, advertising in mainstream media, perhaps a government-funded public awareness campaign, certainly front-page headlines and calls for assistance and for heads on spikes.
Imagine the kerfuffle if two-thirds of all cars could be stolen at some time in the future unless their owners took specific action this week.
If those sorts of things happened, the Attorney-General or maybe even the Prime Minister would be out there keeping us informed. After all, they’re always on about the threat of terrorism, even though, as I wrote after Deputy Opposition Leader Tanya Plibersek’s recent comments, terrorism is extremely rare. Heartbleed is a real security threat. So where are they today?
It’s one scary situation.
I noticed that The Mail Online (along with some much more reliable sources) had noted that the Commonwealth Bank of Australia was one of the vulnerable sites.
I rang them this morning and attempted to find out if they’d patched their servers.
Got no sense out of the frontline staff and asked to speak to the IT dept.
No joy there either. (I guess they were *extremely* busy!)
At this stage, I’m wondering if it’s worth changing my password? I’d certainly like to know that the bank’s patched its systems before I bother.
(My acct has not been tampered with….yet.)
Heartbleed is the internet equivalent to discovering that the front door locks on two-thirds of Australian businesses could have been opened
It took Lockwood a long time to add key bumping counter-measures to their 001 deadlatch, so don’t press that analogy too hard or you might just find that the government has no real care for the security of the populace, online or otherwise.
As for the bug, being able to pull out 64KB of memory adjacent to the certificate is a shocker, especially given the usual “start SSL, then ask for password” flow of execution of many websites.
Where the government would be useful is in bringing pressure to bear on embedded systems manufacturers. Have you seen even one update for a DSL router yet? Maybe the ACCC can apply pressure via the “merchantable quality” requirements or maybe the government needs to legislate. But if you asked which platforms would still be vulnerable to the bug in a year’s time then most of them will be embedded systems.
I am not sure what I think about small business and computer security. There’s certainly a major issue there. But it’s not just bugs appearing out of the blue which defeat them. No business should be running Windows XP today, but as I look around…
It’s also interesting to explore the use of the bug to create a business opportunity, complete with nice promotional website.
Far worse @gdt – no government, nor arm of it, should still be running WinXP. Alas…
Interesting podcast from Leo Laporte & Steve Gibson on Heartbleed here.
[http://twit.tv/show/security-now/450]
Not wanting to minimize the risk, as I understand it, the hole has been shown to reveal some data. But only potentially to reveal the big risk data. So, an awful lot of COULD and MAY and POTENTIALLY has to be put back into some of the sentences.
Yes, it shares plaintext memory state across the network link. But I haven’t yet seen a write-up confirming this actually did share the plaintext/binary of the private SSL key of a server.
The Yahoo password/username leak is of course bad. But the ‘reissue your server cert’ thing is mostly (as I have read it) about POTENTIAL risk of key loss, not actual, confirmed key loss. I haven’t seen the private key of a server published online anywhere yet. I have seen claims and counterclaims about this. Some say they got their own X509 data. Google says they saw stale buffers only. Perhaps because Google runs popular sites the buffer leak is overwritten rapidly; on a quiet server, more data is preserved.