A critical hole was found in the coding of the Internet’s iron wall, potentially causing security breaches for millions of websites.
This hole has been named the Heartbleed bug and affects websites using OpenSSL to protect their encrypted data like passwords and other crucial information users enter. OpenSSL is an open-source toolkit that implements secure sockets layer (SSL) and transport layer security (TLS) protocols, according to the OpenSSL website. The heartbeat portion of the SSL keeps a connection alive for a short period of time after the connection is closed. The plan behind this is for one party to be able to tell if another party is still connected or not.
Michale Pisa, associate director of infrastructure for Campus Technology Services, said that the school has made the proper steps to secure their servers.
“We’ve identified and patched four boxes and expect minimal impact [from the bug],” Pisa said. He said that by 7 p.m. Thursday night all campus systems should be updated.
A list of the top 10,000 websites were scanned for vulnerability on Tuesday. This scan, conducted by GitHub user Mustafa Al-Bassam, revealed that 5,683 websites had no SSL, 630 websites were found to be vulnerable and 3,687 were found to not be vulnerable. Among those 630 were Yahoo.com, Weather.gov and RollingStone.com. Sites like Google.com, Facebook.com, YouTube.com, and Twitter.com were not vulnerable at the time of the scan. These websites either fixed the issue before the public found out or have since patched the bug.
Web server developers Apache and ginx are most known for their use of OpenSSL. A Netcraft survey for April 2014 shows that 66 percent of all active websites use these servers. A simple way to find out if a website has fixed the bug is through the Heartbleed test, found at filippo.io/heartbleed. Once at this page, users can search the website in question and it will say if that site is vulnerable or not. Going even further, LastPass.com has released a similar service, which shows what type of SSL is being used by the server in question.
When run through the LastPass Heartbleed checker, Oswego.edu SSL certificate shows as dating back to Aug. 2, 2013. Since this is from before the Heartbleed bug was made known publicly the website could have been compromised. However, login pages for Angel and MyOswego have come up with results showing they are not vulnerable. Pisa said the Oswego.edu site is included in the security updates being applied to campus systems, but impacts for students run beyond campus.
“There’s an impact overall,” Pisa said. “There’s potential significant impact anywhere in your life.”
The problem, according to Visiting Assistant Professor Gary Ritzenthaler, is for those users who utilize the same password for multiple accounts.
“If someone managed to get hold of a password, one of the more common methods of identity theft is if you find one password that person uses it for everything,” Ritzenthaler said. “Let’s say you find a Gmail password, you change the Gmail password so they can’t get in again, look through all their email to find out what else you can find you about them and then start trying that password plus whatever else you know on more important sites.”
Ritzenthaler compared the security problem to being in a hospital during an outbreak of a virus.
“Right now you’re walking through a hospital ward where everyone is sick,” Ritzenthaler said. “Are you going to get sick? You don’t really know until you do. You do as if you were walking through a hospital ward, you be careful what you do and then watch for signs of being sick.”
Discovery of the bug
The Heartbleed bug was first found by a team at Codenomicon along with a member from Google’s security team. The bug was then reported to the National Cyber Security Center Finland to let OpenSSL know about the security failure. Codenomicon’s website states the company “leverages its in-depth understanding of infrastructure, network and application protocols, flaws and test methodology to provide a simple yet unparalleled security and robustness assurance solution.” It uses a software called DEFENSICS, which tests various systems for security issues and improves them.
According to Heartbleed.com, a website launched by Codenomicon for the announcement of the bug, the name comes from a bug originating “in the OpenSSL’s implementation of the TLD/DTLS (transport layer security protocols) heartbeat extension (RFC6520.)” The website continues to explain that the error comes from a programming mistake which is allowing encrypted data flow from the server being contacted (a website) to the client (or person visiting the website.)
The bug came about two years ago, making the problem so large-scale and not as simple as just changing a few passwords. Since the bug has been out on the Internet, anyone could have found this information and just had not said anything. No one knows if this hole has been used to gather data, as there would be no evidence left behind when someone launched an attack.
Fixing the problem
Since encryption codes are leaked through this bug, each code will need to be deactivated and replaced with a new one. However, this cannot be done until a patch in the OpenSSL is released. Fortunately, a patch was released by OpenSSL on Monday, the same day the bug was announced to be an issue. Once the individual servers update their OpenSSL versions they must revoke their certificate keys, according to Heartbleed.com, which explains that once each encryption code is revoked a new one must be put in place. However, they say that any data taken in the past is still vulnerable to decryption.
“The issue is if they’ve actually been compromised,” Ritzenthaler said. “There’s two issues, both of them have to do with identity theft. Essentially it’s the same way you would protect yourself against identity theft.”
To ultimately restore the users’ security, passwords must be changed. However, these changes should not be made unless users know that the Heartbleed problem was fixed with that particular website. According to MIT Technology Review, “if it had a problem and was fixed, you should change your password.”
Pisa reccomends that students change their passwords, since the problem has been around since 2012 in a covert form.
“There’s no way to track if someone has infiltrated you,” Pisa said.
Ritzenthaler suggested that students refrain from doing private things on the Internet.
“For things that require a password, try and do as little as possible and for things that have a fix, change your password,” Ritzenthaler said.