'Heartbleed' mystery: Did criminals take advantage of cyber-security bug?
Website operators rushed to patch a cyber-security vulnerability called 'Heartbleed' that allows 'anyone on the Internet' to access website server memory without leaving a trace. A major concern: It existed 'in the wild' for two years.
Website operators worldwide rushed Wednesday to patch a critical cyber-security vulnerability dubbed “Heartbleed” that could affect websites slathered across two-thirds of the Internet, making information thought to be encrypted and secure – credit card data, passwords and private communications – an open book to criminals.
But even as website operators apply the patches, worried consumers eager to protect their own sensitive data are being advised to give the websites time to reestablish security before changing their own individual passwords.
The Heartbleed bug allows “anyone on the Internet” to read the computer memory of website server computers that use vulnerable versions of OpenSSL, which is among the world’s most popular website encryption software, say cyber-security researchers who discovered the vulnerability.
Most concerning, they say, is that Heartbleed has existed “in the wild” – that is, openly on the Internet, for two years – yet because of the nature of the bug it’s virtually impossible to tell whether anyone using it has actually attacked the web’s corporate workhorses – the website, e-mail, database, and chat servers.
“By attacking a service that uses a vulnerable version of OpenSSL, a remote, unauthenticated attacker may be able to retrieve sensitive information, such as secret keys,” reported the Carnegie Mellon CERT website affiliated with the Department of Homeland Security.
So while major websites may be able to conduct a quick fix by updating their software, they are unlikely to know with any certainty whether critical data, including their digital certificates used to authenticate and encrypt data traveling between the websites and the site’s users, have been compromised.
“We attacked ourselves from outside, without leaving a trace," wrote researchers from Codenomicon, a Finnish cyber-security research firm on a website that details its features www.heartbleed.com. “Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our [encryption] certificates, user names and passwords, instant messages, e-mails and business-critical documents and communication."
Researchers from Google also identified the vulnerability about the same time and independently alerted the developers of the website encryption software. Netcraft, a firm that monitors website technology, reports that more than a half million sites are currently vulnerable, security researcher Brian Krebs noted on his blog.
“We count at least a few hundred thousand servers using affected library versions, so it poses a significant threat,” Mark Schloesser, security researcher for Rapid7, a Boston-based cyber-security firm, said in a statement. “As the same problem affects other protocols, services such as mail servers and databases, we assume that, overall, we're looking at millions of vulnerable systems connected to the public Internet.”
Encryption software for the so-called “secure socket layer,” or SSL, has made safe online transactions possible and led to burgeoning e-commerce business worldwide. Websites using such software show online users a padlock icon usually in the bottom corner of their web browser – and an HTTPS (S is for Secure) in the address bar of the browser – showing communications are safe from prying eyes.
Attacks on the SSL are hardly unknown. Last month, developers of another encryption system called GnuTLS reported a “catastrophic bug that left hundreds of open-source applications open to similar attacks,” Ars Technica, a cyber-security website, reported. Apple, in February, also reportedly repaired a critical vulnerability to its iOS and OS X operating systems that also made it possible for hackers to sidestep HTTPS protections.
But Heartbleed is unique in the massive scope of its impact: It permits a hacker to compromise the server, and it unveils the secret encryption keys used to encrypt the traffic, including names and passwords of the users and the actual content, without being detectable.
At this point, a fixed version of the software is available, and major website operators were reportedly rushing to apply the patch. Amazon, Google, PayPal, and others also announced fixes, as did Yahoo.
“As soon as we became aware of the issue, we began working to fix it,” Yahoo told CNET Tuesday afternoon. “Our team has successfully made the appropriate corrections across the main Yahoo properties (Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr, and Tumblr) and we are working to implement the fix across the rest of our sites right now.”
It’s not clear yet either whether criminals have actually been actively exploiting the Heartbleed vulnerability – or whether they just didn’t know about it – since such exploits are practically undetectable.
“We’ve seen huge growth in the number of data breaches in the past year, but criminals are mostly using other more traditional techniques, which may mean there just wasn’t a huge awareness among the underground of this flaw,” says Orla Cox, a security researcher with Symantec Security Response based in Dublin, Ireland. “The fact that they’re carrying out these noisier attacks means they probably weren’t aware of this stealthier possibility.”
Some researchers who have set out traps, or “honey pots,” may have detected activity related to the vulnerability, the New York Times reported.
But Ms. Cox and other experts aren’t convinced and say the bigger threat is likely to be just down the road. That’s because while big companies with their own IT staffs may be able to fix the problem swiftly and replace their digital security certificates, smaller websites may not be so fast – and could remain for quite some time wide open to any criminals exploiting the vulnerability, they warn.
“I’m more concerned about the future than the past,” says Tal Klein of Adallom, a Menlo Park, Calif., cyber-security firm for cloud-based software services like Google Apps and Microsoft Office 365. The company, which monitors user activity for abnormal activity, hasn’t seen indicators of the vulnerability being exploited. But Mr. Klein says he’s concerned.
“We still expect there to be sites that remain unpatched for a significant amount of time that are more likely to become vulnerable in the next few weeks,” he says.
Symantec’s Cox offers a caveat, though. Her familiarity with Heartbleed indicates that it might not be quite so easy for criminals to capture the crown jewels of a website – the encryption keys – that unveil all that private data.
“It’s definitely a serious vulnerability, but not necessarily a doomsday scenario,” she says. “That’s because while it’s pretty easy to attack Heartbleed, it’s still relatively difficult to extract … the encryption key, and for that reason may not be quite as severe as painted.”
There’s been a lot of confusion over what online shoppers should do to protect themselves, with many experts advising that individuals change their passwords for all e-mail, online shopping, and banking accounts. But researchers interviewed by the Monitor recommended waiting a bit before changing passwords since it may take some time for websites to be repaired. If passwords are changed immediately on a vulnerable site – then the new password is vulnerable, Mr. Klein notes.
In many cases, websites can be expected to contact users if there is a need to reset passwords, the experts say. But they also add that resetting passwords regularly is a good idea.
There are also some tech aids for consumers already popping up. Users of the Chrome web browser can already install a “Chromebleed” plug-in that will alert them to any website not updated and still vulnerable to the Heartbleed exploit. There’s also a website for checking the vulnerability of a site by just copying and pasting the website address into a box.
One tidbit of good news for the Obama administration – it appears as though the main federal HealthCare.gov site was not one of those vulnerable sites as of Wednesday afternoon, according to the Filippo check.