FLASH: Heartbleed SSL vulnerability
There is a new exploit that has been detected in the fundamental security protocol that enables secure communications between a company’s servers and your computer or device. The exploit has been dubbed “Heartbleed” (CVE-2014-0160), because it exploits a vulnerability in the heartbeat feature of OpenSSL’s implementation of the Secure Sockets Layer (SSL) security protocol. What makes this problem particularly serious is that hackers exploiting the weakness leave no indication of their activity, so there is no way to tell whether a server has been exploited at all.
Before getting into this in more detail, here’s some background. SSL is the protocol that establishes an AES-256 encrypted connection between a computer/device and a web server (see the Encryption section of the Glossary for more information). There are several software packages available to companies that support SSL, though two of the most popular are from RSA and OpenSSL. Only specific versions of OpenSSL are at risk, and there is no risk from non-OpenSSL packages. Though roughly 2/3 of servers use OpenSSL, it’s not clear how many are using the tainted versions. The tainted versions have been available for roughly 2 years. OpenSSL is preferred because (a) it’s cheaper and (b) it’s bundled with most Linux server software, which is the most commonly used OS for servers (again, because of its lower cost).
The “heartbeat” is a periodic data packet (64 KB in size) that one computer sends to another that says: “I’m still alive here, let’s keep the connection in place.” An “exploit” is a weakness in a server or computer that will allow a hacker to gain unauthorized access to data and/or control of that computer.
In this particular exploit, the heartbeat can be used to read unauthorized data from the web server’s memory in 64 KB chunks. This has the following implications:
- The data that is acquired is from the web server and not your computer or device.
- The data that is acquired is read from the server’s memory and not its disks or databases. Whatever data it acquires is data that is currently active on the server. This means that for any of your personal data or login credentials to be at risk, the exploit needs to be occurring while you are connected to the server (or have recently been connected to it).
- Since the exploit can be used to acquire a web site’s primary or secondary encryption key, it can allow the hacker to listen into communications (which of course has more wide-ranging implications).
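To make the “64 KB chunks” concrete, here is an added illustration (not code from the original post or from OpenSSL) of the heartbeat message format and the missing length check that caused the bug. The “server memory” and the secret in it are constructed sample data; the record layout follows RFC 6520.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of padding follow the payload


def build_request(payload: bytes, declared_length: Optional[int] = None) -> bytes:
    """Heartbeat request: 1-byte type, 2-byte payload_length, payload, padding.
    The 2-byte length field is why a single response tops out near 64 KB.
    declared_length lets a test claim a payload larger than what is sent."""
    length = len(payload) if declared_length is None else declared_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def vulnerable_respond(memory: bytes) -> bytes:
    """Model of the unchecked handler (the bug): it trusts payload_length and
    copies that many bytes from just after the header, so when the record is
    shorter than it claims, whatever sits next in `memory` is echoed back."""
    hb_type, declared = struct.unpack("!BH", memory[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    return struct.pack("!BH", HEARTBEAT_RESPONSE, declared) + memory[3:3 + declared]


def hardened_respond(record: bytes) -> Optional[bytes]:
    """Fixed handler: payload_length must fit inside the record actually
    received, with room for the padding; otherwise the message is silently
    discarded, which is the bounds check the OpenSSL fix added."""
    if len(record) < 1 + 2 + MIN_PADDING:
        return None
    hb_type, declared = struct.unpack("!BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST or 1 + 2 + declared + MIN_PADDING > len(record):
        return None
    return struct.pack("!BH", HEARTBEAT_RESPONSE, declared) + record[3:3 + declared]


# Constructed simulation of server memory: a 23-byte request that claims a
# 40-byte payload, followed by unrelated data belonging to another session.
SIMULATED_SECRET = b"session-cookie=CONSTRUCTED-SECRET"
SHORT_RECORD = build_request(b"ping", declared_length=40)
SIMULATED_MEMORY = SHORT_RECORD + SIMULATED_SECRET

if __name__ == "__main__":
    leaked = vulnerable_respond(SIMULATED_MEMORY)
    print("unchecked handler echoes neighbouring memory:", SIMULATED_SECRET[:15] in leaked)
    print("hardened handler drops the oversized claim:", hardened_respond(SIMULATED_MEMORY) is None)
    print("hardened handler still answers a valid ping:", hardened_respond(build_request(b"ping")))
```

The same check reads the other way for users: nothing in the response tells the server anything unusual happened, which is why the post says exploitation leaves no trace.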
So, this is a different type of exploit than the type where a hacker gets access to a company’s databases to download data about their customers. However, since it’s at the heart of secure communications, it’s even more serious and diabolical.
So, what should I do?
As noted, though the exploit has been shown to be real and relatively easy to leverage, companies have been scrambling to identify servers at risk and fix them (there is a repaired version of OpenSSL available). Though there is evidence that the hacker community has known about the weakness, there is no evidence anything has been stolen.
There is a way to determine if a given website is clean of this exploit. Go to http://filippo.io/Heartbleed/ and enter the URL of the site you’re concerned about. It will tell you if the site is clean or at risk. Be aware that you might get timeouts or other errors, which largely mean that the site is rejecting or ignoring the heartbeat. I’ve done it with all the critical sites that I usually use, including Amazon.com and gmail.com. All sites were clean of the problem.
Do not log into a site that isn’t clean. So, for the foreseeable future, when attempting to use an encrypted site, check the URL first, then log in. BTW: Once you check the site, you don’t need to check it again.
Finally, once you know a site is clean, it’s a good idea to change your password. There is no test to determine whether a given site was exploited, and I suspect companies are not going to rush to provide notification. All normal password recommendations remain crucial going forward. See the change passwords section of my post Your technical New Year’s Resolutions for thoughts about passwords.
Keep an eye on financial transactions, your credit report and for any other anomalous activity that might indicate your data has been compromised.
For more information about this particular exploit, see the following sites:
- Heartbleed.com – A website put up specifically for information about this problem.
- CNET’s How to Protect yourself from the Heartbleed bug
- NY Times article on the exploit.
If I get any more pertinent information on this exploit, I’ll update this post. Be careful out there …