Critical internet security information: bug ‘Heartbleed’
Is your website or online service running OpenSSL? Or are you an internet user who gives out personal details or uses services within OpenSSL? Then your security may be at risk. According to internet security experts ‘Heartbleed’ is a major vulnerability in common encryption software which is affecting many websites and online services. Heartbleed is so widespread it could leave millions of servers on the internet open to an attack and could allow sensitive data including usernames and passwords to be stolen. We look more at this vulnerability, what you can do about it, and what the risks are when personal and financial information has been stolen, especially for the affected person’s credit rating.
By Graham Doessel, Non-Legal Director MyCRA Lawyers www.mycralawyers.com.au.
The Government’s Stay Smart Online (SSO) website has issued a HIGH priority security bulletin for those websites and online services running OpenSSL due to a major security vulnerability which has been discovered:
The OpenSSL vulnerability is reported to have been around since 2011. Following recent publicity, there is growing evidence that websites are being targeted using this vulnerability.
According to SSO, around two-thirds of websites and many other services currently use affected versions of OpenSSL (which stands for Open Secure Socket Layer, the most common cryptographic software used on most web servers). You would recognise websites using OpenSSL by the small padlock icon in the browser address bar or the ‘s’ added to the ‘http’ prefix for web addresses.
There is an official webpage for this bug, and I encourage all to read the webpage, and seek help in this area if necessary. It advises that unlike bugs in single software or library which are able to be fixed by new versions, this bug is more dangerous because it has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously.
Heartbleed.com explains in more detail what the bug does:
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
The even scarier part of this vulnerability, is that if there had been someone hacking information, they would leave no trace of attack.
Who is at risk
OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet.
According to Heartbleed.com:
Your popular social site, your company’s site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL. Many of online services use TLS to both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of the TLS. Furthermore you might have client side software on your computer that could expose the data from your computer if you connect to compromised services.
How widespread is this?
The most notable software using OpenSSL are the open source web servers like Apache and nginx. The combined market share of just those two out of the active sites on the Internet was over 66% according to Netcraft’s April 2014 Web Server Survey. Furthermore OpenSSL is used to protect for example email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and wide variety of client side software. Fortunately many large consumer sites are saved by their conservative choice of SSL/TLS termination equipment and software. Ironically smaller and more progressive services or those who have upgraded to latest and best encryption will be affected most. Furthermore OpenSSL is very popular in client software and somewhat popular in networked appliances which have most inertia in getting updates.
Affected versions of the OpenSSL
Status of different versions:
•OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
•OpenSSL 1.0.1g is NOT vulnerable
•OpenSSL 1.0.0 branch is NOT vulnerable
•OpenSSL 0.9.8 branch is NOT vulnerable
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
In Australian Broker on Wednesday, Deloitte security, privacy and resilience head Anu Nayer said it is vital for businesses who run a website or online service that the company’s technical team knows all the websites and web services the organisation has so they can check all the necessary sites. He outlined some important questions to determine your level of risk:
•How have you determined whether each of our websites and web services has OpenSSL service enabled?
•What type of sensitive information do we have that is accessible from the internet? What type of information would have been at risk?
•Have we looked at our logs to determine if there have been any successful or unsuccessful attempts to exploit this issue? What did we find? Are we monitoring our network to look for indications of attacks?
•What steps have we taken to mitigate the issue?
•How have you confirmed that the fixes have been applied successfully?
•Have you got assurances from our vendors, external hosting providers and application cloud services that they have fixed any vulnerable systems?
Obviously the information being shared in OpenSSL is of a secure nature for one reason or another, so someone with access to this information could do a whole host of things, including make use of, or on-sell information to fraudsters, cyber-terrorists or spammers.
They can also use the information to commit identity theft – the fastest growing crime in Australia.
Information like dates of birth, account numbers, full names and other personal information can be used to steal your identity and take credit out in your name. Fraudsters have been known to go so far as to take out personal loans, credit cards and even mortgage homes in their victim’s name. Unfortunately fraudsters are never so kind as to pay this credit back – which leads to defaults on your credit rating. Most victims are unaware of this until they apply for credit in their own right and are flat out refused.
Defaults remain on the credit file of individuals for between 5 and 7 years. Often not much of a trail is left and prosecutions don’t come easily.
Open SSL 1.0.1g or newer should be used.
If this is not possible software developers can recompile OpenSSL with the handshake removed from the code by compile time option -DOPENSSL_NO_HEARTBEATS
Nayer says for organisations, it would also pay to consider if it is appropriate to revoke any Certificates which were used while the organisation ran exposed versions of OpenSSL.
“Even after a fix is applied, the private cryptographic keys your systems are relying on to protect their communications could already have been compromised and this fix won’t address that compromise,” he said.
For consumers, changing passwords regularly may help, and in addition a regular credit check can ensure you aren’t vulnerable to identity theft. Look for changes in personal details as well as suspicious credit enquiries in your name as a first sign of identity theft.
Image: joesive47/ www.FreeDigitalPhotos.net