The only thing more popular to talk about on the Internet this week, beyond larger iPhone rumors and Stephen Colbert being chosen to replace David Letterman, is the Heartbleed Bug. Since news of the Heartbleed Bug first broke this week we have continued to hear more about how the bug came to be and which sites have been affected, and now at least one major news source is reporting that the rumors that the NSA had been exploiting the OpenSSL flaw for two years or so are true.
Before we get into an update on all of that, here is a primer on what the Heartbleed Bug actually is.
The Heartbleed Bug is a flaw in the OpenSSL cryptographic library, an open-source implementation of the SSL/TLS encryption protocols that as much as two-thirds of the Internet uses to encrypt communication between websites, Apps, services and users. Email, messaging, VPNs, Apps, as well as ordinary websites could be impacted. Estimates are that over 500,000 sites may have been affected, and those estimates continue to rise.
What has happened is that for over two years, data held in the memory of affected servers has been left open to theft, along with the encryption keys protecting that data. If malefactors have taken both the encrypted data and the crypto keys to decode it, then it is as if no encryption protection had been afforded in the first place. Websites and services that do not apply a patch remain a potential threat going forward.
Unfortunately, OpenSSL keeps no log that would show whether the flaw was ever exploited, so many websites and Apps have to assume their data may have been compromised and are now taking steps to correct this.
We posted a How to Protect Yourselves post here. The most important thing to do is not have the now typical reaction that many of us have when we hear about a security issue, which is to immediately change your password. Users are advised to wait until they are notified by websites and services they use that the security flaw has been patched on those sites before doing so.
There have also, in typical Internet fashion, been a series of lists posted of affected websites and services that need to be patched or have been patched. You can find one of those here. But be advised that all of these lists are constantly changing.
There are also tools you can use to determine whether a website is vulnerable or not. Qualys Labs has posted one such tool here. Popular password management company LastPass is now scanning sites for the vulnerability as well. Lookout, another popular security vendor, has now published a free Android App that will scan your device to see if you are vulnerable. That tool is available on the Google Play Store. I downloaded it and ran it, and you can see the results in the picture below.
Keep in mind that this bug is not something that affects devices directly. It makes it possible to steal data from the servers you send your data to. If an App or service you are using has not patched the vulnerability, you are advised not to use the service until it does.
The big news today is that Bloomberg is reporting that the NSA knew of the Heartbleed vulnerability, kept it to themselves, and exploited it for two years. The outrage on the Internet is swelling as this post is being written. Others had speculated about this previously. And while any story about the NSA these days is enough to cause the Internet’s blood pressure to rise, the cynic that I am just has to ask, why would a spy agency divulge a vulnerability if it was using it to spy?
The NSA has recently released a statement saying it knew nothing of the bug until it was recently reported. That same cynic in the last paragraph asks this question: Why didn’t these super sleuths know of it? Not to make light of this serious Internet security issue, but don’t we have better super sleuths than that?
Other reports of interest include:
Cloudflare, a content delivery network and distributed domain name server service that also provides performance and security solutions, has been running tests and says that it has not been able to extract encryption keys from any vulnerable site. This comes after Cloudflare says it had early notice of the Heartbleed Bug before the news went public and patched its systems.
UPDATE: Apparently the Cloudflare news isn’t good news. Cloudflare had issued a challenge with its findings to see if anyone else could obtain encryption keys. According to re/code, two individuals did just that.
Apple has announced, according to a report from re/code, that users of iOS and Mac OS X are not affected.
And there is a brave German coder named Robin Seggelmann, who is owning up to a “trivial” mistake that has led us all to this biggest of Internet security stories. He is quoted in the Sydney Morning Herald as saying, “In one of the new features, unfortunately, I missed validating a variable containing a length.” After acknowledging the damage that error has caused, he says, “It was a simple programming error in a new feature, which unfortunately occurred in a security relevant area.” Seggelmann has been accused of inserting the bug intentionally, which he denies.
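The missing length check Seggelmann describes, shown as an added illustration in C that is not OpenSSL's own code: a simplified heartbeat record handler that refuses to echo more bytes than the peer actually sent. The record layout, constants and function names are assumptions; the patched OpenSSL performs the same comparison of the declared payload length against the received record length.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed minimal heartbeat record layout: 1-byte type, 2-byte big-endian
 * payload length, payload bytes, then at least 16 bytes of padding. */
#define HB_HEADER_LEN  3
#define HB_PADDING_LEN 16
#define HB_REQUEST     1
#define HB_RESPONSE    2

/* Returns the declared payload length if it fits inside the bytes actually
 * received, or -1 otherwise. This is the check the vulnerable code lacked:
 * the peer-supplied length field was trusted without comparing it to the
 * real record size, so the response copied memory beyond the request. */
int heartbeat_payload_len(const uint8_t *rec, size_t rec_len)
{
    if (rec == NULL || rec_len < HB_HEADER_LEN + HB_PADDING_LEN)
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* header + declared payload + minimum padding must fit in the record */
    if (HB_HEADER_LEN + payload + HB_PADDING_LEN > rec_len)
        return -1;
    return (int)payload;
}

/* Builds the echo response only from validated input. Returns bytes written
 * to out, or -1 if the request is inconsistent or out is too small. */
int heartbeat_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    int payload = heartbeat_payload_len(rec, rec_len);
    if (payload < 0)
        return -1;
    size_t total = HB_HEADER_LEN + (size_t)payload + HB_PADDING_LEN;
    if (total > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, (size_t)payload);
    memset(out + HB_HEADER_LEN + payload, 0, HB_PADDING_LEN); /* zero padding */
    return (int)total;
}

/* Constructed sample records (not captured traffic) for a stand-alone check:
 * the first declares the 5 bytes it really carries, the second declares
 * 65535 bytes while sending the same 24-byte record. */
int demo_honest_len(void)
{
    uint8_t rec[24] = {HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    return heartbeat_payload_len(rec, sizeof rec);
}
int demo_oversized_len(void)
{
    uint8_t rec[24] = {HB_REQUEST, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o'};
    return heartbeat_payload_len(rec, sizeof rec);
}
```

The rejected record is exactly the shape a scanner such as the ones linked above sends to test a server: a patched host answers with at most the bytes it was given, an unpatched one answers with far more.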
The story continues. And we’ll continue to follow it.