The ‘Heartbleed Bug’ as it was known was an incident that effected companies and people all around the world. The story was shared on TV, radio and a number of companies announced their own reports on the incident, all offering the same advice “change your passwords”. It wasn’t terribly useful advice, and it didn’t really resolve the issue in any way, but it did give you a little extra protection if you happened to be one of the very few who’s personal information was collected during the period of vulnerability, and your username and password just happened to be part of the information that was collected.
So – what was the ‘Heartbleed Bug’? Well the bug itself wasn’t a bug as such, it was a mistake in the software programming of an OpenSSL extension known as the TLS/DTLS heartbeat extension, which created a vulnerability in the software. When exploited it allows the contents of the memory to be ‘leaked’ from server to client and client to server. This leak of the heartbeat extension is the reason that it was so quickly recognised at the ‘Heartbleed bug’, and in fairness – ‘RFC6520 implementation error’ isn’t nearly as catchy or intimidating.
The bug was discovered at the beginning of April, 2015, by a team of security engineers at Codenomicon, as well as an individual from the Google Security team, who discovered the bug while working on improvements for the SafeGuard feature in their (Codenomicon’s) defence security testing tools. The bug was quickly reported to the OpenSSL, as well as to the NCSC-FI for vulnerability coordination, who took up the task of verifying it, analysing it and ensuring that the authors of the OpenSSL software were fully aware of the software, operating systems and appliance vendors that were potentially affected by the bug.
The problem however was that these were not the only people who had found it, in fact the bug had become known to a number of independent users, who had gone on to expose the vulnerability, exploit it and share information about it. Of course there was a patch released in a very short time and organisations around the world updated their SSL quickly, closing the back door that had been found. But there is a problem still; a number of the servers have been updated but are still using their old certificates.
This has been likened to a house, which makes it very easy to understand. The SSL bug provides a back door which has been left open, and once people know it’s open they’ll come and exploit that; walking in and taking what they want. Now, if you can home to find your back door open and your keys gone you’d likely change the locks, wouldn’t you? Well – that’s what it’s like with the server certificates; the patch might have closed the door but it didn’t change the locks, and unless the servers update their certificates and security keys then those who stole them still have access. Studies showed that 97% of servers owned by the Forbes Global 2000 companies (a list of 1,639 companies owning a total of 550,000 servers) are still vulnerable to the OpenSSL flaw, because the certificates have not been updated.
The use of these certificates means that a number of those who exploited the bug still have the ability to access sensitive data being communicated through the SSL. This might not concern you too greatly, but of the servers still deemed to be vulnerable 44% are owned and operated by telecommunications services, and of course these do handle a lot of data on a daily basis. Of course another problem is that not all of the servers in these companies have actually been patched, as the studies focused on only public facing severs it is difficult to tell just how many servers there are internally and inside firewalls that have not yet been patched at all.
While it may be that there are still risks present as a result of the Heartbleed incident it isn’t all bad news. In fact the aftermath has ensured a vast number of updates in all sorts of systems and software to combat the Biggest Security Threat, which means that cyber criminals, their infrastructure and secrets have been exposed and many of the gaps in systems that they had been exploiting have been patched among these new updates, giving us a more secure experience for the time being. Of course we should all aim to gain more knowledge about the security measures in place on our servers and the task of maintaining, updating and testing these, to ensure that similar issues do not occur in the future, as well as to ensure that we don’t continue to suffer as a result of this issue.
Image Credit: http://www.bohn-inc.co.za/blog/biggest-security-threats-2014/
Kate Critchlow is a freelance writer working in a wide variety of industries to provide informative and accurate information, but with a particular interest in IT security and technology.