The Heartbleed bug, named by Finnish cybersecurity company Codenomicon, is considered one of the worst security bugs ever to have struck the internet.
Cryptographic software is widely used to secure data such as usernames and passwords. OpenSSL, an open-source implementation of the Secure Sockets Layer (SSL) protocol, is a popular example, and it is in OpenSSL that the Heartbleed bug resides. Under normal circumstances, OpenSSL encrypts information so that unauthorised users cannot read it, but a weakness – discovered by Google security engineer Neel Mehta – allows that information to be stolen.
OpenSSL is used primarily for communication security, so many of the sites that the Heartbleed bug compromised contained sensitive information, including e-mail and instant messages. It also compromised some virtual private networks (VPNs).
Codenomicon’s vulnerability test
The bug found in the code of OpenSSL is officially referred to as CVE-2014-0160, where CVE stands for “Common Vulnerabilities and Exposures.” In a study conducted by Codenomicon, security engineers attempted to exploit the weakness by attacking their own system. Without using any credentials or privileged information, they succeeded in “stealing” the secret keys for security certificates, user names, passwords, e-mails, instant messages and critical business documents.
Who has been affected?
It’s safe to assume that more people and companies have been attacked than we are currently aware of. One of the most dire consequences of the Heartbleed bug was the theft of 900 Canadian social insurance numbers from Canada Revenue. When the attack was first discovered, the agency shut down its web site altogether and even pushed the taxpayer filing deadline from April 30 to May 5. In response, the Royal Canadian Mounted Police offered to provide credit protection services at no cost.
Attacks were also reported by the UK parenting site Mumsnet, where several user accounts – including the CEO’s – were hijacked; by Cloudflare; and by the University of Michigan, where several faculty computers were compromised. Many more reports have been made, but unfortunately, due to the nature of the bug, it’s impossible to tell whether data has already been compromised.
How do we protect ourselves?
In a quick response, a fixed version of OpenSSL with the CVE-2014-0160 bug repaired was released, and many companies were fast to adopt it. There may, however, still be late adopters, so anyone uncertain about the security of a particular website or online service should perform a quick check. Several services, such as LastPass, allow you to enter the URL of a site and will then tell you whether that site still runs a vulnerable version of OpenSSL or a fixed one.
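To show what the repair consists of, here is an added example in C that is not from the article or the OpenSSL project: a simulated heartbeat handler run over a constructed in-memory record, first trusting the peer's claimed payload length as the vulnerable code did, then applying the bounds check that the OpenSSL fix added. The function names, the buffer layout and the sample contents are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample of process memory: one heartbeat request record (type,
 * 2-byte payload length, payload, 16 bytes padding) followed by data the
 * peer must never see. No network code and no real traffic involved. */
#define PADDING 16
#define PAYLOAD_LEN 4
#define RECORD_LEN (1 + 2 + PAYLOAD_LEN + PADDING)
static unsigned char memory[64];
static void build_memory(unsigned short claimed_len) {
    memset(memory, 0, sizeof memory);
    memory[0] = 1;                                   /* heartbeat request */
    memory[1] = (unsigned char)(claimed_len >> 8);   /* length the peer claims */
    memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(memory + 3, "ping", PAYLOAD_LEN);         /* the real payload */
    memcpy(memory + RECORD_LEN, "SECRET-KEY-BYTES", 16); /* adjacent memory */
}
/* enforce_bounds == 0 mirrors the CVE-2014-0160 logic (claimed length trusted);
 * enforce_bounds == 1 applies the check the fix added: drop any record whose
 * claimed payload plus header and padding exceeds the received record length. */
static int heartbeat_response(int enforce_bounds, unsigned char *out, size_t out_cap) {
    unsigned short claimed = (unsigned short)((memory[1] << 8) | memory[2]);
    if (enforce_bounds && (size_t)1 + 2 + claimed + PADDING > RECORD_LEN)
        return -1;                                   /* silently discard, as the fix does */
    if ((size_t)claimed > out_cap)
        return -1;                                   /* keeps this simulation in bounds */
    memcpy(out, memory + 3, claimed);                /* unchecked: reads past the record */
    return (int)claimed;                             /* bytes echoed back */
}
/* 1 if the reply to an oversized claim carries bytes from beyond the record. */
int leaks_adjacent_memory(int enforce_bounds) {
    unsigned char out[64];
    build_memory(40);                                /* claims 40 bytes, sends 4 */
    int n = heartbeat_response(enforce_bounds, out, sizeof out);
    for (int i = 0; n > 0 && i + 6 <= n; i++)
        if (memcmp(out + i, "SECRET", 6) == 0) return 1;
    return 0;
}
/* 1 if an honest request is still echoed correctly with the check on. */
int honest_echo_works(int enforce_bounds) {
    unsigned char out[64];
    build_memory(PAYLOAD_LEN);
    int n = heartbeat_response(enforce_bounds, out, sizeof out);
    return n == PAYLOAD_LEN && memcmp(out, "ping", PAYLOAD_LEN) == 0;
}
int main(void) {
    printf("unchecked leaks: %d, checked leaks: %d, honest echo still works: %d\n",
           leaks_adjacent_memory(0), leaks_adjacent_memory(1), honest_echo_works(1));
    return 0;
}
```

The unchecked handler copies the "SECRET" bytes into the reply while the checked one drops the malformed record, and the check does not disturb a well-formed heartbeat.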
Author: This article was contributed by PM&A Consulting, an IT support and consulting company based in Cape Town.