Monday, 14 April 2014

Here's why it took 2 years for anyone to notice the Heartbleed bug

What caused the Heartbleed Bug that endangered the privacy of millions of web users this week? On one level, it looks like a simple case of human error. A software developer from Germany contributed code to the popular OpenSSL software that made a basic, but easy-to-overlook mistake. The OpenSSL developer who approved the change didn't notice the issue either, and (if the NSA is telling the truth) neither did anyone else for more than 2 years.
It's hard to blame those guys. OpenSSL is an open source project. As the Wall Street Journal describes it, the project is "managed by four core European programmers, only one of whom counts it as his full-time job." The OpenSSL Foundation had a budget of less than $1 million in 2013.
That's shocking. Software like OpenSSL increasingly serves as the foundation of the American economy. Cleaning up the mess from the Heartbleed bug will cost millions of dollars in the United States alone. In a society that spends billions of dollars developing software, we should be spending more trying to keep it secure. If we don't do something about that, we're doomed to see problems like Heartbleed crop up over and over again.

Why security flaws are different from other bugs

Computer security is a classic collective action problem. We all benefit from efforts to improve software security, but most organizations don't make it a priority. For most of us, it's economically rational to free-ride on others' computer security efforts.
Of course, you might ask why this argument doesn't apply to open source software in general. If free-riding is a problem, why do free programs like OpenSSL exist in the first place?
To paraphrase a famous essay by free software developer Eric Raymond, free software is driven by individuals and organizations scratching a "personal itch." Most of the time, people fix bugs or add features to free software projects because as users of the software they will benefit from the improvement.
If a large company has come to depend on a free software project, it makes economic sense to pay engineers to make changes that will benefit them. And once an improvement has been developed, it's easier to contribute the improvement back to the core project so that it will be included in future versions of the software. That creates a virtuous circle: as software gets better, more companies use it, which leads to more improvements, which leads to even better software.
So why didn't this virtuous circle allow OpenSSL to catch the Heartbleed problem sooner? The problem is that security vulnerabilities aren't like other bugs. Most bugs crop up naturally as people use the software. The most common and harmful bugs are the ones that get noticed and fixed first.
But security flaws don't come up naturally. They only surface when someone deliberately goes looking for them, and that can happen in one of two ways. If security researchers find a security bug first, it can be quickly patched before much harm is done. If malicious hackers find a bug first, it can be exploited to catastrophic effect.
So the usual open source model of waiting for users to report and fix bugs as they discover them doesn't work for security problems. To find security bugs before the bad guys do, people have to be actively looking for them. And while many IT workers understand the importance of this kind of security auditing, it's much harder to convince management to devote resources to fixing theoretical security bugs when there are always more immediate non-security bugs requiring attention.

We need better funding for security research

We'll only get secure software if we have people actively finding and fixing security flaws. As a society we do have some people like that — there are computer security researchers in both academia and the private sector. The Heartbleed bug itself was discovered by security researchers employed at private companies: Google and a security research company called Codenomicon.
But it shouldn't have taken two years for someone to notice the gaping hole in OpenSSL's heartbeat function: a missing bounds check that let a peer ask for more bytes than it had sent. Given how widely OpenSSL is used, there ought to be multiple people auditing every line of code added to the software, so that mistakes can be caught and corrected before the software is widely deployed.
There are several ways this could happen. First and foremost, the core OpenSSL project should be better funded. Governments, foundations, and large corporations that use the software should all be chipping in money to offer the core OpenSSL team full-time jobs and help them hire additional programmers to help them do their work.
Second, more resources should be devoted to independent security audits of popular open source software. That could take the form of grants to academic security researchers, free-standing non-profit organizations, or even a government agency devoted to finding security problems. Indeed, these different types of institutions are likely to have different strengths and weaknesses, so a combination of all three is likely to work best.
In recent years, there has been a heated debate over "cybersecurity." There have been proposals to establish federal security standards, license security professionals, and perhaps even give the president the power to seize control of sensitive networks. There are good reasons to be skeptical of such proposals, because regulating private-sector security practices could easily do more harm than good.
But better funding for security research is something everyone should be able to agree on. And Heartbleed shows it's long overdue.

What should you do to protect yourself from the Heartbleed Bug?

Heartbleed attacks generally target web servers. Because those computers are not under consumers' control, there isn't much consumers can do to protect themselves from a vulnerable server. They just have to wait for the websites they use to fix the problem. It has now been three days since the bug was announced, so most websites should be fixed.
Your first step should be to check out this list from Mashable, which lists the most popular sites on the web, whether they've been affected by Heartbleed, and whether they've addressed the problem. If you use a site that isn't on the list, you can use a tool like this one to determine whether it is still running a flawed version of OpenSSL.
In addition to upgrading their software, websites also need to revoke their TLS certificates and issue new ones with fresh private keys, since the old keys may have been read out of memory. Unfortunately, there's no easy way for users to test whether sites have done this, so you'll just have to rely on them to tell you. Sites should be communicating with their users, letting them know whether they've been affected and if so what steps have been taken to fix the problem. If you can't find that information about a site you may not want to trust it with your data.
Users of vulnerable sites should change their passwords, but only after a site has taken these remedial measures. If users change their passwords before the site has upgraded its software and changed its keys, the new password travels to a server that is still leaking memory, and the bad guys can simply read that one too.

Computer hacking expert says more bad news to come from Heartbleed

The fallout from the Heartbleed bug could go far beyond just 900 social insurance numbers compromised at the Canada Revenue Agency.
Alberta computer security expert John Zabiuk suspects there's a wave of problems coming.
"Right now, we're just seeing the tip of the iceberg," he said. "This is probably the largest flaw that's hit the Internet in history."
Zabiuk is with the Northern Alberta Institute of Technology in Edmonton, where, as an ethical hacker, he teaches students to protect computer systems by approaching the problem from a hacker's perspective.
The revenue agency says it's analyzing data to determine what else might have been siphoned out. Zabiuk says officials are likely to discover a much bigger cache of information has been compromised.
"Realistically, with over two thirds of all servers compromised online with this vulnerability, we're going to be seeing a lot more fallout from this," he said.
The revenue agency said it suffered "a malicious breach of taxpayer data that occurred over a six-hour period."
The problem is that the bug has been loose for two years, said Zabiuk.
"So what we're seeing with the 900 users that they say have been affected or compromised — that's just in the last two weeks that they've been keeping track of what's going on with this," he said.
"Prior to this, again it's been out for over two years, so what's gone on in that span of time?"
He said the government did the right thing when it learned of the security problem.
"I think the response is appropriate in taking down the servers that they knew were vulnerable," he said. "It's really the only way to protect the citizens and the people using those servers."
The Heartbleed bug is caused by a flaw in OpenSSL software, which is commonly used on the Internet to provide security and privacy. The bug is affecting many global IT systems in both private and public sector organizations and has the potential to expose private data.
Zabiuk said the fix is simple. The problem is applying the patch to all of the hundreds or thousands of servers that may have been affected.
CRA said it will notify everyone involved in the security breach by registered letter and will offer access to credit protection services.
The Canadian government on the weekend restored service to all its publicly accessible websites as well as the tax-filing systems E-file and Netfile.
The revenue agency said because the outage with its website lasted five days, it will effectively extend the tax filing deadline by that length of time. Returns filed by May 5 will not incur interest or penalties.
Andrew Treusch, commissioner of the agency, said he shares the concerns of those whose privacy has been violated.
The Privacy Commissioner has been notified of the security breach and the Mounties are investigating.

Obama allows NSA to exploit 0-days: report

The NSA's denial it knew about or exploited the Heartbleed bug raises an obvious question: does it exploit similar flaws?
The answer, according to The New York Times, is yes.
Quoting "senior administration officials", the paper says US President Obama considered what the NSA should do if it becomes aware of a vulnerability that could help its activities. His decision led to the creation of "... a broad exception for 'a clear national security or law enforcement need'."
Just how broad is not explained and was not revealed to the Times.
It is widely believed that exploiting 0-days is a common technique among intelligence agencies the world over. For the USA to deny itself such a tool would therefore be odd.
But without knowing just where Obama has drawn the line it is hard to know if his policies to curb the NSA's excesses can be taken seriously.

Undead Windows XP deposits fresh scamware on lawn

Cybercriminals have already seized upon the end of support for Windows XP as a theme for numerous scams and fake software updates.
Microsoft pushed out its last ever patches for the 13-year-old operating system last Tuesday (8 April). Numerous YouTube videos "advertising programs and functionality related to Windows XP" that have appeared online over recent days are actually pushing adware and other undesirable apps, anti-virus firm Malwarebytes reports.
Among the dodgy apps being pushed is a Potentially Unwanted Program (PUP) that falls into the Amonetize-A class of nasties, classified as “undesirable” by Malwarebytes and 15 other security software firms.
Supposed "Media Center" keygen tools are also pushing applications likely to harm the performance of computers.
"Keygens are something you should really avoid, as more often than not you never know quite what you’ll end up with," Christopher Boyd, a malware intelligence analyst at Malwarebytes, says in a blog post. "As for XP themed 'setup files', those links took us to the usual selection of surveys and ringtone offers."
"Take care with the last minute surge of XP themed downloads and offers – whether on social networks, forums or video sharing sites, a lot of what you’re going to see over the coming weeks will probably not do you any favours,” he adds. “XP may be dead and gone in terms of updates, but that doesn’t mean pitfalls and booby traps have followed suit."

Blackberry plans Heartbleed patches as mobile threat scrutinized

BlackBerry Ltd said it plans to release security updates for messaging software for Android and iOS devices by Friday to address vulnerabilities in programs related to the "Heartbleed" security threat.
Researchers last week warned they had uncovered Heartbleed, a bug in the OpenSSL software commonly used to keep data secure, which potentially allows hackers to steal massive troves of information without leaving a trace.
Security experts initially told companies to focus on securing vulnerable websites, but have since warned about threats to technology used in data centers and on mobile devices running Google Inc's Android software and Apple Inc's iOS software.
Scott Totzke, BlackBerry senior vice president, told Reuters on Sunday that while the bulk of BlackBerry products do not use the vulnerable software, the company does need to update two widely used products: Secure Work Space corporate email and BBM messaging program for Android and iOS.
He said they are vulnerable to attacks by hackers if they gain access to those apps through either WiFi connections or carrier networks.
Still, he said, "The level of risk here is extremely small," because BlackBerry's security technology would make it difficult for a hacker to succeed in gaining data through an attack.
"It's a very complex attack that has to be timed in a very small window," he said, adding that it was safe to continue using those apps before an update is issued.
Google spokesman Christopher Katsaros declined comment. Officials with Apple could not be reached.
Security experts say that other mobile apps are also likely vulnerable because they use OpenSSL code.
Michael Shaulov, chief executive of Lacoon Mobile Security, said he suspects that apps that compete with BlackBerry in an area known as mobile device management are also susceptible to attack because they, too, typically use OpenSSL code.
He said mobile app developers have time to figure out which products are vulnerable and fix them.
"It will take the hackers a couple of weeks or even a month to move from 'proof of concept' to being able to exploit devices," said Shaulov.
Technology firms and the U.S. government are taking the threat extremely seriously. Federal officials warned banks and other businesses on Friday to be on alert for hackers seeking to steal data exposed by the Heartbleed bug.
Companies including Cisco Systems Inc, Hewlett-Packard Co, International Business Machines Corp, Intel Corp, Juniper Networks Inc, Oracle Corp and Red Hat Inc have warned customers they may be at risk. Some updates are out, while others, like BlackBerry, are rushing to get them ready.
While there have been no public reports of successful attacks involving the Heartbleed vulnerability, researchers say that it has been around for several years. That means that hackers could have successfully been using it without being caught since attacks do not leave any traces.

Android devices await Heartbleed fix

Version 4.1.1 of Android Jelly Bean was released in 2012
Millions of Android devices remain vulnerable to the Heartbleed bug a week after the flaw was made public.
Google announced last week that handsets and tablets running version 4.1.1 of its mobile operating system were at risk.
The search giant has since created a fix, but it has yet to be pushed out to many of the devices that cannot run higher versions of the OS.
It potentially places owners at risk of having sensitive data stolen.
In addition security firms warn that hundreds of apps available across multiple platforms still need to be fixed.
These include Blackberry's popular BBM instant messaging software for iOS and Android.
The Canadian firm has said that it will not issue a fix until Friday, but said there was only an "extremely small" risk of hackers exploiting the bug to steal its customers' data.
In the meantime the program remains available for download from Apple's App Store and Google Play.

Data theft

News of the vulnerability in recent versions of the OpenSSL cryptographic software library was made public last Monday after researchers from Google and Codenomicon, a Finnish security firm, independently discovered the problem.
OpenSSL is used to digitally scramble data as it passes between a user's device and an online service in order to prevent others eavesdropping on the information.
It is used by many, but not all, sites that show a little padlock and use a web address beginning "https".
The researchers discovered that because of a coding mishap hackers could theoretically access 64 kilobytes of unencrypted data from the working memory of systems using vulnerable versions of OpenSSL.
Although that is a relatively small amount, the attackers can repeat the process to increase their haul.
UK versions of the HTC One S handset cannot currently be upgraded beyond Android 4.1.1
Furthermore, 64K is enough to steal passwords and server certificate private keys - information that can be used to let malicious services masquerade as genuine ones.
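The over-read described above, and the "gaping hole in OpenSSL's heartbeat function" mentioned earlier, as an added example that is neither OpenSSL's code nor part of any of the articles on this page: a constructed model in C of a TLS heartbeat responder, with the pre-fix logic that trusts the peer's declared payload length next to the post-fix logic that checks it against the bytes actually received. The message layout (1-byte type, 2-byte length, payload, at least 16 bytes of padding) and the 16-bit length field that caps one leak at 64 KB come from the heartbeat specification (RFC 6520); the arena that stands in for server memory, the secret string placed after the record, the function names and the "ping" request are all assumptions made for this demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520): 1-byte type, 2-byte big-endian
 * payload length, payload, then at least 16 bytes of padding. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_PADDING     16
#define HB_MAX_PAYLOAD 0xFFFF   /* 16-bit length field: one request leaks at most 64 KB */

/* The arena stands in for the server's memory: the received record sits at
 * the front and whatever else the process had allocated follows it. The
 * secret string is constructed for this demo (assumption, not real data). */
#define ARENA_SIZE 4096
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "session=a1b2c3; privkey=-----BEGIN RSA PRIVATE KEY-----";

/* Place a heartbeat request in the arena whose length field claims
 * declared_len bytes while only strlen(payload) bytes are actually sent
 * (keep payload short). Returns the number of bytes that really arrived. */
size_t build_request(uint16_t declared_len, const char *payload)
{
    size_t actual = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(declared_len >> 8);
    arena[2] = (unsigned char)(declared_len & 0xFF);
    memcpy(arena + 3, payload, actual);          /* padding after it is already zero */
    memcpy(arena + 3 + actual + HB_PADDING, secret, sizeof secret);  /* the neighbour */
    return 1 + 2 + actual + HB_PADDING;
}

/* Pre-fix logic: the peer's declared length is trusted; rec_len is never consulted. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                         /* <- the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (rec[0] != HB_REQUEST || (size_t)3 + payload + HB_PADDING > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);   /* reads past the record when payload > bytes received */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Post-fix logic: the declared length must fit inside the record actually received. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return 0;                                          /* too short: discard silently */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return 0;                                          /* the bounds check the fix added */
    if (rec[0] != HB_REQUEST || (size_t)3 + payload + HB_PADDING > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

typedef size_t (*responder_fn)(const unsigned char *, size_t, unsigned char *, size_t);
typedef struct { size_t resp_len; int leaked; } probe_result;

/* 1 if needle occurs anywhere in buf[0..n). */
static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t k = strlen(needle);
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(buf + i, needle, k) == 0)
            return 1;
    return 0;
}

/* Feed one crafted request to a responder and report the reply size and
 * whether it carried the secret, which was never part of the request. */
probe_result probe(responder_fn responder, uint16_t declared_len, const char *payload)
{
    static unsigned char out[3 + HB_MAX_PAYLOAD + HB_PADDING];
    probe_result r = {0, 0};
    if ((size_t)3 + declared_len > ARENA_SIZE)   /* keep the over-read inside the arena */
        return r;
    size_t rec_len = build_request(declared_len, payload);
    r.resp_len = responder(arena, rec_len, out, sizeof out);
    r.leaked = contains(out, r.resp_len, "privkey=");
    return r;
}

int main(void)
{
    probe_result v = probe(heartbeat_vulnerable, 1024, "ping");
    probe_result f = probe(heartbeat_fixed, 1024, "ping");
    printf("claimed 1024 bytes, sent 4: vulnerable replied %zu bytes, secret leaked: %s\n",
           v.resp_len, v.leaked ? "yes" : "no");
    printf("claimed 1024 bytes, sent 4: fixed replied %zu bytes, secret leaked: %s\n",
           f.resp_len, f.leaked ? "yes" : "no");
    return 0;
}
```

A request that claims 1024 bytes but carries four makes the vulnerable responder copy 1,024 bytes starting at the four it received, so the reply contains whatever sat next to the record; the fixed responder discards the request because 1 + 2 + 1024 + 16 exceeds the 23 bytes that arrived. A real attacker simply repeats the request, moving through freshly allocated memory each time, which is why one 64 KB cap does not limit the total haul.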
Press reports initially focused on the risk of users visiting vulnerable websites, but attention is now switching to mobile.

At-risk handsets

Google's own statistics suggest that fewer than 10% of Android devices currently run version 4.1.1.
However, since close to one billion people currently use the OS that is still a significant number.
Some of those device owners can protect themselves by upgrading Android to a more recent version.
But several devices cannot be upgraded beyond 4.1.1.
Customer websites indicate these include Sony's Xperia E and Xperia J handsets, HTC's One S, Huawei's Ascend Y300 and Asus's PadFone 2.
"Privacy and security are important to HTC and we are committed to helping safeguard our customers' devices and data," said the Taiwanese firm.
"We're currently working to implement the security patch issued by Google this week to the small number of older devices that are on Android 4.1.1."
Asus said its device was "expecting an update imminently". Sony and Huawei were unable to comment.

Tab grab

Google has now created a fix to address the problem. However, manufacturers still need to adapt it for their devices and this software will need to be tested by the various operators before they release it.
Sony and Huawei were not able to say when they planned to patch vulnerable devices
Users can check which edition of Android they are running by going to the "about phone" or "about tablet" option in their Settings app.
Alternatively several free apps have been released that can scan phones and tablets to say if they are vulnerable.
Lookout - a security firm behind one of the products - explained how hackers might take advantage of a vulnerable handset.
"Someone could build a malicious website or advert designed to steal data from your memory," Thomas Labarthe, the firm's European managing director, told the BBC.
"If you happen to be browsing it and have other tabs open in your browser, it could take data from a banking site - for example.
"No-one could steal a whole document - they can only take 64K of data - but that's still enough to steal your credentials."

'Forgotten about'

Another security firm, Trend Micro, has focused on the issue of vulnerable apps.
Blackberry aims to offer safe versions of its BBM app on Friday
These can affect any mobile operating system because the problem is caused by the servers that send data to the apps not having been updated to the latest version of OpenSSL.
Trend Micro said it was currently aware of 6,000 such risky apps, including shopping and bank-related services. That is 1,000 fewer than its figure for Friday - suggesting some server operators are addressing the problem.
But it acknowledged that it was hard for members of the public to know which of the hundreds of thousands on offer were safe to use.
"Some of these are services that were set up and then forgotten about," said senior malware researcher David Sancho.
"There's no way from using an app you can know if it's good or bad.
"So, for the moment, the best thing to do is use the ones from the major vendors that we know have been patched... but for the minor ones that have said nothing, be wary."

Akamai Heartbleed patch not a fix after all

Akamai, the network provider that handles nearly one-third of the Internet's traffic, released a Heartbleed patch to the community on Friday, saying that it would protect against the critical Web threat. Now it appears that's not the case.
Writing on his company's blog Sunday night, Akamai chief security officer Andy Ellis said that while he had believed the Akamai Heartbleed patch fully fixed the issue, a security researcher discovered it had a bug that caused it to be a partial, not full, patch.
"In short: we had a bug," Ellis wrote. "An RSA key has 6 critical values; our code would only attempt to protect 3 parts of the secret key, but does not protect 3 others."
The Heartbleed bug has become one of the worst Web security issues in recent history. Two years ago, a change to OpenSSL, the encryption library that protects much of the sensitive data travelling around the Web, introduced a flaw that lets an attacker read chunks of a server's memory. By exploiting the bug, hackers could pull everything from usernames and passwords to session cookies and private keys out of that memory without having to break the encryption itself.
On Friday, Ellis reported that while Akamai's network was exposed to the Heartbleed vulnerability between August 2012 and April 4, 2014, the fix the company had applied to its network meant that it was safe.
"As a courtesy to us, we were notified shortly before public disclosure, which gave us enough time to patch our systems," Ellis wrote. "We were asked not to publicly disclose the vulnerability, as doing so would have shortened the window of opportunity for others to fix their systems. Once we were notified, our incident management process governed patching, testing, and deploying the fix to our network safely."
All of that came unraveled over the weekend when security researcher Willem Pinckaers wrote his own blog post, saying that the OpenSSL fix Akamai put in place and subsequently released to the public didn't fix the problem.
"This patch does not, on its own, protect against private key disclosure through Heartbleed," Pinckaers wrote to Akamai customers. "This means your certificates on Akamai servers need to be rotated, and anything sent before then is vulnerable to Heartbleed compromise. If you send customer passwords to Akamai, you should ask your customers to change their passwords again. They'll enjoy that."
The crux of the issue, Pinckaers argues, is that while Akamai's patch kept three of the critical values of the server's RSA private key (the secret half of the key pair a server uses to set up encrypted connections) in protected memory, the three remaining values, the Chinese remainder theorem (CRT) parameters that speed up private-key operations, were not "stored in the secure memory area" and so were still exposed to the over-read.
"As the...values were not stored in the secure memory area, the possibility exists that these critical values for the SSL keys could have been exposed to an adversary exploiting the Heartbleed vulnerability," Akamai's Ellis said. "Given any CRT value, it is possible to calculate all 6 critical values."
Akamai is now heading back to the drawing board. Ellis says that his company has already started rotating SSL certificates that are vulnerable to protect its customers. Ellis says that some certificates will rotate quickly, while others will take a bit longer.
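Ellis's remark that any one CRT value lets an attacker compute all six private values, worked through as an added example that is neither Akamai's code nor the article's: given only the public key (n, e) and one leaked CRT exponent, dp or dq, the code factors n and rebuilds d, the other exponent and the inverse. The toy primes, the 64-bit arithmetic (which relies on the gcc/clang 128-bit integer extension) and the function names are assumptions for this demo; real keys are 2048 bits and need a bignum library, but the algebra is the same. The qinv case is not shown here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* An RSA key as OpenSSL stores it: the public pair plus six private values. */
typedef struct {
    uint64_t n, e;                  /* public */
    uint64_t p, q, d, dp, dq, qinv; /* dp = d mod (p-1), dq = d mod (q-1), qinv = q^-1 mod p */
} rsa_key;

/* 64-bit modular arithmetic through 128-bit intermediates (gcc/clang extension). */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (uint64_t)((unsigned __int128)a * b % m);
}

static uint64_t powmod(uint64_t b, uint64_t x, uint64_t m)
{
    uint64_t r = 1 % m;
    for (b %= m; x; x >>= 1) {
        if (x & 1) r = mulmod(r, b, m);
        b = mulmod(b, b, m);
    }
    return r;
}

static uint64_t gcd64(uint64_t a, uint64_t b)
{
    while (b) { uint64_t t = a % b; a = b; b = t; }
    return a;
}

/* a^-1 mod m by the extended Euclidean algorithm; 0 if none exists. */
static uint64_t invmod(uint64_t a, uint64_t m)
{
    int64_t t = 0, nt = 1, r = (int64_t)m, nr = (int64_t)(a % m);
    while (nr) {
        int64_t qt = r / nr, tmp;
        tmp = t - qt * nt; t = nt; nt = tmp;
        tmp = r - qt * nr; r = nr; nr = tmp;
    }
    if (r != 1) return 0;
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

/* Derive every private value from the two primes, as a key generator does. */
rsa_key make_key(uint64_t p, uint64_t q, uint64_t e)
{
    rsa_key k;
    k.n = p * q; k.e = e; k.p = p; k.q = q;
    k.d = invmod(e, (p - 1) * (q - 1));
    k.dp = k.d % (p - 1);
    k.dq = k.d % (q - 1);
    k.qinv = invmod(q, p);
    return k;
}

/* Rebuild the whole key from the public pair and ONE leaked CRT exponent x,
 * either dp or dq. Since e*x == 1 (mod p-1), Fermat gives g^(e*x) == g (mod p)
 * for every g, so gcd(g^(e*x) - g, n) is p (or q, if x was dq) unless the
 * same congruence happens to hold modulo the other prime too, in which case
 * the next g is tried. Returns 1 on success; the prime x belongs to is stored as p. */
int recover_from_crt_exponent(uint64_t n, uint64_t e, uint64_t x, rsa_key *out)
{
    for (uint64_t g = 2; g < 64; g++) {
        uint64_t y = powmod(g, e * x, n);            /* e*x fits in 64 bits at toy sizes */
        uint64_t f = gcd64((y + n - g % n) % n, n);
        if (f > 1 && f < n) {
            if (out) *out = make_key(f, n / f, e);
            return 1;
        }
    }
    return 0;   /* x is not a CRT exponent of this key */
}

int main(void)
{
    /* Toy key: two small primes so the arithmetic fits in 64 bits (assumption). */
    rsa_key k = make_key(1000003, 1000033, 65537), r;
    if (recover_from_crt_exponent(k.n, k.e, k.dp, &r))
        printf("from dp alone: p=%llu q=%llu d=%llu dq=%llu qinv=%llu (d matches: %s)\n",
               (unsigned long long)r.p, (unsigned long long)r.q, (unsigned long long)r.d,
               (unsigned long long)r.dq, (unsigned long long)r.qinv, r.d == k.d ? "yes" : "no");
    return 0;
}
```

This is why protecting d, p and q while leaving dp, dq and qinv in ordinary heap memory gives no protection at all: a single leaked CRT exponent is as good as the whole key, and the only remedy is what Akamai ended up doing, rotating the certificates.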

Canadian taxman says hundreds pierced by Heartbleed SSL skewer

The Canadian Revenue Agency has blamed the theft of 900 social insurance numbers on the infamous Heartbleed vulnerability.
The Canadian taxman specifically blamed the data breach on a serious security shortcoming in the widely used OpenSSL technology discovered last week. What's significant is not the size of the breach, which is modest, but that Heartbleed has scored a confirmed hit on a high profile victim.
The agency said today it had become aware of the breach while updating its systems to squash the Heartbleed bug. The theft reportedly happened during a six-hour period after the security flaw was discovered but before the agency blocked public access to its online services on Wednesday 9 April, to fix the vulnerability.
In a statement, the CRA said that preliminary results of its ongoing investigation suggest that the breach was limited to a small percentage of Canadian taxpayers and attributable to the Heartbleed bug alone rather than to another pre-existing security problem.
Regrettably, the CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period. Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed. The CRA is one of many organisations that was vulnerable to Heartbleed, despite our robust controls. Thanks to the dedicated support of Shared Services Canada and our security partners, the Agency was able to contain the infiltration before the systems were restored yesterday. Further, analysis to date indicates no other CRA infiltrations have occurred either before or after this breach.
Canadian tax authorities are in the process of notifying affected parties by letter, a sensible precaution since any attempt to notify people by phone or email could easily be exploited by those hoping to trick people into handing over sensitive information.
Keith Bird, UK managing director of security vendor Check Point, commented: "Hackers were obviously alert to the vulnerability, and quick to exploit it. The Agency has done the right thing by stating it will contact those affected via registered letters only, and that attempts to contact taxpayers via email or telephone will be fraudulent.
“I believe we’ll see more announcements like this over the coming days. So it’s really important that people are cautious about clicking on any links in emails that they receive from organisations claiming that their security has been affected as a result of Heartbleed, no matter how plausible the emails appear to be. There’s a real risk that these are simply phishing emails, aiming to trick users into giving away personal details and passwords,” he added.