Modern field guide to security and privacy

'Heartbleed' mystery: Did criminals take advantage of cyber-security bug?

Website operators rushed to patch a cyber-security vulnerability called 'Heartbleed' that allows 'anyone on the Internet' to access website server memory without leaving a trace. A major concern: It existed 'in the wild' for two years.

Mark Blinch/Reuters
The Canada Revenue Agency website is seen on a computer screen displaying information about an internet security vulnerability called the 'Heartbleed Bug' in Toronto, April 9.

Website operators worldwide rushed Wednesday to patch a critical cyber-security vulnerability dubbed “Heartbleed” that could affect websites slathered across two-thirds of the Internet, making information thought to be encrypted and secure – credit card data, passwords and private communications – an open book to criminals.

But even as website operators apply the patches, worried consumers eager to protect their own sensitive data are being advised to give the websites time to reestablish security before changing their own individual passwords.

The Heartbleed bug allows “anyone on the Internet” to read the computer memory of website server computers that use vulnerable versions of OpenSSL, which is among the world’s most popular website encryption software, say cyber-security researchers who discovered the vulnerability.

Most concerning, they say, is that Heartbleed has existed “in the wild” – that is, openly on the Internet, for two years – yet because of the nature of the bug it’s virtually impossible to tell whether anyone using it has actually attacked the web’s corporate workhorses – the website, e-mail, database, and chat servers.

“By attacking a service that uses a vulnerable version of OpenSSL, a remote, unauthenticated attacker may be able to retrieve sensitive information, such as secret keys,” reported the Carnegie Mellon CERT website affiliated with the Department of Homeland Security.

So while major websites may be able to conduct a quick fix by updating their software, they are unlikely to know with any certainty whether critical data, including their digital certificates used to authenticate and encrypt data traveling between the websites and the site’s users, have been compromised.

“We attacked ourselves from outside, without leaving a trace," wrote researchers from Codenomicon, a Finnish cyber-security research firm on a website that details its features “Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our [encryption] certificates, user names and passwords, instant messages, e-mails and business-critical documents and communication."

Researchers from Google also identified the vulnerability about the same time and independently alerted the developers of the website encryption software. Netcraft, a firm that monitors website technology, reports that more than a half million sites are currently vulnerable, security researcher Brian Krebs noted on his blog.

“We count at least a few hundred thousand servers using affected library versions, so it poses a significant threat,” Mark Schloesser, security researcher for Rapid7, a Boston-based cyber-security firm, said in a statement. “As the same problem affects other protocols, services such as mail servers and databases, we assume that, overall, we're looking at millions of vulnerable systems connected to the public Internet.”

Encryption software for the so-called “secure socket layer,” or SSL, has made safe online transactions possible and led to burgeoning e-commerce business worldwide. Websites using such software show online users a padlock icon usually in the bottom corner of their web browser – and an HTTPS (S is for Secure) in the address bar of the browser – showing communications are safe from prying eyes.

Attacks on the SSL are hardly unknown. Last month, developers of another encryption system called GnuTLS reported a “catastrophic bug that left hundreds of open-source applications open to similar attacks,” Ars Technica, a cyber-security website, reported. Apple, in February, also reportedly repaired a critical vulnerability to its iOS and OS X operating systems that also made it possible for hackers to sidestep HTTPS protections.

But Heartbleed is unique in the massive scope of its impact: It permits a hacker to compromise the server, and it unveils the secret encryption keys used to encrypt the traffic, including names and passwords of the users and the actual content, without being detectable.

At this point, a fixed version of the software is available, and major website operators were reportedly rushing to apply the patch. Amazon, Google, PayPal, and others also announced fixes, as did Yahoo.

“As soon as we became aware of the issue, we began working to fix it,” Yahoo told CNET Tuesday afternoon. “Our team has successfully made the appropriate corrections across the main Yahoo properties (Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr, and Tumblr) and we are working to implement the fix across the rest of our sites right now.”

It’s not clear yet either whether criminals have actually been actively exploiting the Heartbleed vulnerability – or whether they just didn’t know about it – since such exploits are practically undetectable.

“We’ve seen huge growth in the number of data breaches in the past year, but criminals are mostly using other more traditional techniques, which may mean there just wasn’t a huge awareness among the underground of this flaw,” says Orla Cox, a security researcher with Symantec Security Response based in Dublin, Ireland. “The fact that they’re carrying out these noisier attacks means they probably weren’t aware of this stealthier possibility.”

Some researchers who have set out traps, or “honey pots,” may have detected activity related to the vulnerability, the New York Times reported.

But Ms. Cox and other experts aren’t convinced and say the bigger threat is likely to be just down the road. That’s because while big companies with their own IT staffs may be able to fix the problem swiftly and replace their digital security certificates, smaller websites may not be so fast – and could remain for quite some time wide open to any criminals exploiting the vulnerability, they warn.

“I’m more concerned about the future than the past,” says Tal Klein of Adallom, a Menlo Park, Calif., cyber-security firm for cloud-based software services like Google Apps and Microsoft Office 365. The company, which monitors user activity for abnormal activity, hasn’t seen indicators of the vulnerability being exploited. But Mr. Klein says he’s concerned.

“We still expect there to be sites that remain unpatched for a significant amount of time that are more likely to become vulnerable in the next few weeks,” he says.

Symantec’s Cox offers a caveat, though. Her familiarity with Heartbleed indicates that it might not be quite so easy for criminals to capture the crown jewels of a website – the encryption keys – that unveil all that private data.

“It’s definitely a serious vulnerability, but not necessarily a doomsday scenario,” she says. “That’s because while it’s pretty easy to attack Heartbleed, it’s still relatively difficult to extract … the encryption key, and for that reason may not be quite as severe as painted.”

There’s been a lot of confusion over what online shoppers should do to protect themselves, with many experts advising that individuals change their passwords for all e-mail, online shopping, and banking accounts. But researchers interviewed by the Monitor recommended waiting a bit before changing passwords since it may take some time for websites to be repaired. If passwords are changed immediately on a vulnerable site – then the new password is vulnerable, Mr. Klein notes.

In many cases, websites can be expected to contact users if there is a need to reset passwords, the experts say. But they also add that resetting passwords regularly is a good idea.

There are also some tech aids for consumers already popping up. Users of the Chrome web browser can already install a “Chromebleed” plug-in that will alert them to any website not updated and still vulnerable to the Heartbleed exploit. There’s also a website for checking the vulnerability of a site by just copying and pasting the website address into a box.

One tidbit of good news for the Obama administration – it appears as though the main federal site was not one of those vulnerable sites as of Wednesday afternoon, according to the Filippo check.

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to