What about this Heartbleed Bug?

cnh
cnh Posts: 13,284
edited April 2014 in The Clubhouse
In the news today: a security breach that has, evidently, been around for hackers on MANY sites for over two years. Anyone know how bad this is? Have we ALL been pretty much "screwed"? See the beginning of the article below and links:

http://money.cnn.com/2014/04/09/technology/security/heartbleed-bug/

What is it?

It's called the Heartbleed bug, and it is essentially an information leak.
It starts with a hole in the software that the vast majority of websites on the Internet use to turn your personal information into strings of random numbers and letters. If you see a padlock image in the address bar, there's a good chance that site is using the encryption software that was impacted by the Heartbleed bug.
"It's probably the worst bug the Internet has ever seen," said Matthew Prince, CEO of website-protecting service CloudFlare. "If a week from now we hear criminals spoofed a massive number of accounts at financial institutions, it won't surprise me."

More info in the article link and others. Just google it.

cnh
Currently orbiting Bowie's Blackstar.!

Polk Lsi-7s, Def Tech 8" sub, HK 3490, HK HD 990 (CDP/DAC), AKG Q701s
[sig. changed on a monthly basis as I rotate in and out of my stash]

Comments

  • Dabutcher
    Dabutcher Posts: 2,597
    edited April 2014
    Rush said you do not need to reset passwords yet, because when they build a patch you will just have to do it again. Probably more Russian hacks like the last time? Peace
    MIT Magnum MH-750, Monster HTS 5100MKII, Sony 77" Class - A80CJ Series - 4K UHD OLED,PS4, Def Tech 15” sub,LSIM 706c, Sunfire Signature Grand 425 x 4,Parasound hca 120, LSiM 702 x 4, Oppo 103D, SDA SRS 1.2, Pioneer Elite SC63 , Pioneer Elite BDP-05 “Why did you get married if you wanted big speakers?”
  • payneinthe
    payneinthe Posts: 63
    edited April 2014
    If you haven't already, you should enable 2-factor authentication for all important accounts (banks and email, primarily). That way, a bad guy that knows your password still won't have access, since they won't have access to the second-factor device.

    http://en.wikipedia.org/wiki/Two-step_verification
    --
    7.1: LSIc, LSI-9 L/R, F/X1000 SL/SR, RM101 BL/BR, PSW 650 SW
    Onkyo TX-929
    Parasound HCA-1206

    2-channel: Parasound P5, Odyssey Kismet, Vandersteen 3A Signature, Pro-Ject Debut Carbon
  • Jstas
    Jstas Posts: 14,842
    edited April 2014
    This is not compromising SSL or DNS. It is an issue with a specific version set of OpenSSL.

    OpenSSL is not a way to encrypt websites; it is a way to secure a data stream.

    On Monday, April 7, 2014, a vulnerability was publicly identified in OpenSSL 1.0.1 through 1.0.1f, encryption software that is widely used to secure websites, including the products that control or serve access to them. The flaw allows an attacker to download up to 64 kB of random, private memory from a server although an attacker cannot specify the location of the memory to read.

    The exploit is entirely random because it allows only 64 KB of random memory to be accessed. It's also not necessarily congruent. It has nothing to do with your immediate connection because it's allowing access to server memory, and that includes every connection that is still held in memory. It may not even be your info that is accessed. The complete randomness of the access also makes it very, very difficult for an attacker to string together usable info from only 64 KB of memory out of gigabytes' worth of data that changes in time frames measured in milliseconds.

    Not every website uses OpenSSL. OpenSSL is an open source version of SSL. Yes, it is popular but there are other versions of SSL servers out there that do not have this issue. OpenSSL is very popular but it is not the only version of the transport protocol.

    Two stage verification will not do anything for you in this case. It has nothing to do with your actual connection.

    Changing your password is a good idea, although the odds of your account and password being fully extracted in this bug are slim. Servers have tens of gigabytes of memory. Sometimes hundreds. The bug will allow access to only 64 KB of that memory, and it's random and not necessarily congruent. This is likely the biggest reason that it hasn't really been exploited. The information you can get out of it is unusable. Memory changes constantly, and to get enough usable information out of memory, you'd have to have hundreds, maybe thousands of nodes that would all hit the exploit at once to read the entirety of the memory. But then you've essentially started a DDoS attack and you're going to shut down the network connection and shoot yourself in the foot anyway.

    This is not a sky-falling event. The reason this is such a big deal is because, for one, OpenSSL is a security transport layer that isn't really secure. The other issue is the sheer number of places using it, either as a primary user or as a secondary user due to using 3rd-party software that uses it.

    The patch was out last Thursday. By now the majority of the users are patched and the risk is abated.

    Does that mean this isn't a risk? No, it is a very real risk and it needs to be patched.

    Should you still change your passwords at affected places? Sure. Doesn't hurt to do that regularly at all.
    Expert Moron Extraordinaire

    You're just jealous 'cause the voices don't talk to you!
  • payneinthe
    payneinthe Posts: 63
    edited April 2014
    Jstas,

    That's an overly optimistic view on this particular bug. The bug allows an attacker to read a large chunk of memory of the process per request (and there's no limit to how many times they can try). Keep in mind that openssl does its own memory management, so the buffer overrun is going to land you square in the area where the SSL keys are stored. It's extremely conceivable that a moderately skilled bad actor could get the server's private key, which could then enable them to decrypt everything going into or out of that server.

    2 factor will certainly help in any case where your login credentials could have been compromised. If the malicious party does not have your second factor device, they cannot use your login credentials.
    --
    7.1: LSIc, LSI-9 L/R, F/X1000 SL/SR, RM101 BL/BR, PSW 650 SW
    Onkyo TX-929
    Parasound HCA-1206

    2-channel: Parasound P5, Odyssey Kismet, Vandersteen 3A Signature, Pro-Ject Debut Carbon
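An added example, not code posted by anyone in this thread and not OpenSSL's own source, of the buffer over-read the two posts above are arguing about: a simplified heartbeat handler that trusts the 16-bit payload length carried in the message (the 1.0.1 through 1.0.1f behaviour) beside the bounds-checked version that the patch introduced. The 1 KiB arena, the offset of the placeholder key string, the "ping" payload and the claimed length of 600 bytes are all constructed for the demo; the point it makes is that a single reply can carry whatever happens to sit beyond the request in the process's memory, and that the fix is a length comparison against the actual record, not anything the client can do.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a 1 KiB "heap" standing in for the OpenSSL process.
 * The incoming heartbeat record sits at offset 0; a private key that must
 * never leave the process sits a few hundred bytes later, the way leftover
 * session state does in a real server. Nothing here is OpenSSL's own code. */
#define ARENA_SIZE    1024
#define SECRET_OFFSET 300
#define HB_REQUEST    1
#define HB_RESPONSE   2
#define HB_PADDING    16           /* RFC 6520: at least 16 bytes of padding */
#define MAX_PAYLOAD   0xFFFF

static unsigned char arena[ARENA_SIZE];
static const char secret[] = "-----BEGIN RSA PRIVATE KEY----- (constructed placeholder)";

/* Place a request at the start of the arena. claimed_len is what the header
 * says the payload is; actual_payload is what the client really sent.
 * Returns the true length of the record that arrived on the wire. */
static size_t build_request(uint16_t claimed_len, const char *actual_payload) {
    size_t n = strlen(actual_payload);
    memset(arena, 'x', ARENA_SIZE);                   /* other connections' data */
    memcpy(arena + SECRET_OFFSET, secret, sizeof secret - 1);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xFF);
    memcpy(arena + 3, actual_payload, n);
    return 3 + n + HB_PADDING;
}

/* Vulnerable handler, modelled on the 1.0.1 logic: it reads the length field
 * out of the message and never compares it to the record length, so the
 * memcpy walks past the real payload into whatever lies beyond it. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    (void)rec_len;                                    /* the bug: record length ignored */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);                /* over-read happens here */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Patched handler: the bounds checks the fix added. A message whose claimed
 * payload does not fit inside the record is silently discarded. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    if (1 + 2 + HB_PADDING > rec_len)
        return 0;                                     /* too short for a header */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return 0;                                     /* claimed length exceeds record */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Does the placeholder key appear anywhere in the reply bytes? */
static int contains_secret(const unsigned char *buf, size_t len) {
    size_t slen = sizeof secret - 1;
    for (size_t i = 0; i + slen <= len; i++)
        if (memcmp(buf + i, secret, slen) == 0)
            return 1;
    return 0;
}

typedef size_t (*handler_t)(const unsigned char *, size_t, unsigned char *);

/* One malicious heartbeat (claims 600 bytes, really sends 4) through a
 * handler. Returns 1 if the reply carried the key, 0 if it did not. */
static int leaks_secret(handler_t handler) {
    static unsigned char out[3 + MAX_PAYLOAD + HB_PADDING];
    size_t rec_len = build_request(600, "ping");
    size_t n = handler(arena, rec_len, out);
    return contains_secret(out, n);
}

/* An honest heartbeat (claimed length matches the payload) must still be
 * echoed by both handlers; returns the payload length in the reply, 0 if dropped. */
static size_t honest_echo_len(handler_t handler) {
    static unsigned char out[3 + MAX_PAYLOAD + HB_PADDING];
    size_t rec_len = build_request(4, "ping");
    size_t n = handler(arena, rec_len, out);
    return n == 0 ? 0 : (size_t)((out[1] << 8) | out[2]);
}

int main(void) {
    printf("vulnerable handler leaks key: %d\n", leaks_secret(heartbeat_vulnerable));
    printf("patched handler leaks key:    %d\n", leaks_secret(heartbeat_fixed));
    printf("patched handler echoes honest payload of %zu bytes\n", honest_echo_len(heartbeat_fixed));
    return 0;
}
```

The arena keeps the over-read inside one array so the demo itself has no undefined behaviour; in the real process the bytes past the record were adjacent heap, which is why the reply could contain other sessions' data or key material. The check in `heartbeat_fixed` is the whole of the server-side fix: compare the claimed payload plus header and padding against the length of the record that actually arrived, and drop the message when it does not fit.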
  • Jstas
    Jstas Posts: 14,842
    edited April 2014
    A large chunk of memory? You're kidding, right?

    64 KB out of gigabytes' worth of data is not large in any respect. Maybe in 1983 it was. Especially since it changes constantly. You get one chance to grab stuff before it changes, and you can only grab random snippets at that. No matter how many times you can ping the exploit, the odds that you are going to get enough congruent data to complete a file are slim. That means you get 64 different 1 KB snippets of memory blocks that have a small chunk of data in them that are very likely unrelated to each other. That's if your memory has its blocking set up that way. It could be finer or it could be more coarse. So you might get a password but not a user name, or you might get a user name but not a password. You might get a password reminder question but you won't get the answer. You might get connection information, but that can be had via a utility like PortQuery or Wireshark.

    Encryption has not been compromised unless, by some small miracle, you actually managed to grab an ENTIRE certificate key. The odds of that are slim. Is it possible? Certainly.

    This isn't an optimistic view. This is realistic.

    I actually do this system security stuff for a living. I manage multiple SSL/TLS connected systems for transmitting encrypted data all day, every day. I've been dealing with this heartbleed stuff since we found out about it last Thursday night. They only pushed the public announcement on Monday after they figured out just how extensive the bug was so they could do damage control and have a patch ready when the announcement was made.



    And two-factor authentication will not help you because the server is what is affected. The heartbeat connection to keep the SSL port alive is where the issue is.

    Is two-factor authentication a good idea? Yes. It is. But this bug has nothing to do with authentication. The risk isn't that accounts will be compromised but that this circumvents the entire encryption process completely. Anything you can pull out of memory is not secured, and the real risk is that certificates can be pulled out of memory. Certificates are secret decoder rings for SSL. You get a certificate, all the two-factor authentication in the world isn't going to help, because you can then bypass encryption and authentication on the server once you get in through the backdoor in the heartbeat connection. It has nothing to do with the client side, although the client side is where the hole starts due to the heartbeat issue.

    There is nothing you, as a user, can do to combat this. You just have to wait for the various sites you use that are affected to update OpenSSL to a different/newer version or patch the version they have. If you have software on your local system or your cellphone or whatever that uses OpenSSL and you see updates in the next few days, install the updates. Otherwise, not much you can do. Sorry.
    Expert Moron Extraordinaire

    You're just jealous 'cause the voices don't talk to you!
  • payneinthe
    payneinthe Posts: 63
    edited April 2014
    Jstas, I'm not new to this computer stuff, either ;-)

    Since you're always getting openssl memory on each request, you're not talking about trying to find 4K out of 32G of memory. More like 4K out of a couple hundred K. Given enough data, it's really not hard to find a static 4K of data (the cert). That's what makes this so dangerous: private server keys don't change very often. You just need to look for a large block of data (the cert is always in contiguous memory) that shows up frequently. The constantly changing data falls out and the server private key is the only thing that's consistently there, even if it's only in 0.001% of requests, its static nature will make it easy to find.
    --
    7.1: LSIc, LSI-9 L/R, F/X1000 SL/SR, RM101 BL/BR, PSW 650 SW
    Onkyo TX-929
    Parasound HCA-1206

    2-channel: Parasound P5, Odyssey Kismet, Vandersteen 3A Signature, Pro-Ject Debut Carbon
  • Jstas
    Jstas Posts: 14,842
    edited April 2014
    Here, if you want to know what passwords you might have that should change:

    http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/


    payneinthe...you just restated what I already said.
    Expert Moron Extraordinaire

    You're just jealous 'cause the voices don't talk to you!
  • jflail2
    jflail2 Posts: 2,868
    edited April 2014
    Jstas wrote: »
    Here, you want to know what passwords you might have that should change:

    http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/


    payneinthe...you just restated what I already said.

    I was about to post this exact link. Sounds like they'll be adding/updating as they get more details, so I'll probably refresh next week and have another look.
    2007 Club Polk Football Pool Champ

    2010 Club Polk Fantasy Football Champ

    2011 Club Polk Football Pool Champ


    "It's like a koala bear crapped a rainbow in my brain!"